RBAC Reference
For facilitating role-based access for users, K10 leverages Kubernetes ClusterRoles and Bindings. Currently, the K10 multi-cluster global manager is only available to admin users and requires additional RBAC roles and bindings.
K10 Multi-Cluster Admin
The k10-mc-admin
ClusterRole is added for Distributions, Clusters,
K10 Config, Secrets and Multi-Cluster RBAC configuration access in the K10
multi-cluster namespace.
Note
k10-mc-admin
will be installed under the name <release_name>-mc-admin
.
This ClusterRole is not configurable and is installed with K10.
The following is an example of the k10-mc-admin
ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: k10-mc-admin
rules:
- apiGroups:
- config.kio.kasten.io
- dist.kio.kasten.io
- auth.kio.kasten.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- ""
resources:
- secrets
verbs:
- '*'
K10 Multi-Cluster Admin Binding
The k10-mc-admin
ClusterRole needs a RoleBinding in the K10
multi-cluster namespace.
K10 creates a RoleBinding for a default Group k10:admins
in the
K10 multi-cluster namespace. Admin users can be added to this Group
and will be able to use the above k10-mc-admin
ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: k10-k10-mc-admin
namespace: kasten-io-mc
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: k10-mc-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: k10:admins
To bind the k10-mc-admin
ClusterRole to a User, use the following command
$ kubectl create rolebinding <name> --clusterrole=k10-mc-admin \
--namespace=kasten-io-mc \
--user=<name>
The above kubectl command will create the following RoleBinding object
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: k10-k10-mc-admin
namespace: kasten-io-mc
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: k10-mc-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: k10-mc-admin
Alternatively, you can also bind the ClusterRole to a ServiceAccount.
$ kubectl create rolebinding <name> --clusterrole=k10-mc-admin \
--namespace=kasten-io-mc \
--serviceaccount=<serviceaccount_namespace>:<serviceaccount_name>
The above kubectl command will create the following RoleBinding object
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: k10-k10-mc-admin
namespace: kasten-io-mc
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: k10-mc-admin
subjects:
- kind: ServiceAccount
name: k10-mc-admin
namespace: kasten-io-mc
K10 Multi-Cluster User
For non-admin users of K10 Multi-Cluster Manager, admins can allow cluster-level access, without giving access to configuration or admin-only operations.
The following rules can be applied to any existing user's ClusterRole or a new ClusterRole can be created.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: k10-mc-user
rules:
- apiGroups:
- auth.kio.kasten.io
- config.kio.kasten.io
- dist.kio.kasten.io
resources:
- '*'
verbs:
- get
- list
Note
Above ClusterRole will give access to ALL clusters, for a more granular
access, use resourceNames
option.
To bind the k10-mc-user
ClusterRole to a User, use the following command
$ kubectl create rolebinding <name> --clusterrole=k10-mc-user \
--namespace=kasten-io-mc \
--user=<name>
To bind the k10-mc-user
ClusterRole to a ServiceAccount, use the following
command
$ kubectl create rolebinding <name> --clusterrole=k10-mc-user \
--namespace=kasten-io-mc \
--serviceaccount=<serviceaccount_namespace>:<serviceaccount_name>
K10 Multi-Cluster User Binding
Once users are bound to clusters using the cluster role or rules defined above,
a K10ClusterRoleBinding
is required to define the level of access within
the clusters.
K10ClusterRoles
These are pre-defined K10ClusterRoles already installed with K10.
k10-multi-cluster-admin
K10ClusterRole has access defined in k10-admin
ClusterRole, k10-multi-cluster-basic
K10ClusterRole has access defined in
k10-basic
ClusterRole, and k10-multi-cluster-config-view
K10ClusterRole
has access defined in k10-config-view
ClusterRole. More about
k10-admin
, k10-basic
, and k10-config-view
can be found at
K10 RBAC.
K10ClusterRoleBindings
K10ClusterRoleBindings are used for defining who (users/groups) have what
(K10ClusterRole
) access in which clusters. They are K10 Custom Resources
that can be created in the primary cluster to give users/groups access to
all or some secondary clusters.
K10 is installed with three pre-defined K10ClusterRoles that correspond to
k10-admin
, k10-basic
and k10-config-view
ClusterRoles.
The following example illustrates how to create a K10ClusterRoleBinding for
user user1
, using k10-multi-cluster-admin
K10ClusterRole, for cluster
cluster1
.
$ cat > sample-k10ClusterRoleBinding.yaml <<EOF
apiVersion: auth.kio.kasten.io/v1alpha1
kind: K10ClusterRoleBinding
metadata:
name: user1-cluster1
namespace: kasten-io-mc
spec:
k10ClusterRole: k10-multi-cluster-admin
clusters:
- name: cluster1
subjects:
- kind: User
apiGroup: rbac.authorization.k8s.io
name: user1
EOF
$ kubectl create -f sample-k10ClusterRoleBinding.yaml
k10clusterrolebinding.auth.kio.kasten.io/user1-cluster1 created
For service account
users, a prefix of
system:serviceaccount:<sa_namespace>:
is needed for adding such users.
The following example illustrates how to create a K10ClusterRoleBinding for
user sa1
, using k10-multi-cluster-admin
K10ClusterRole, for cluster
cluster1
.
$ cat > sample-k10ClusterRoleBinding.yaml <<EOF
apiVersion: auth.kio.kasten.io/v1alpha1
kind: K10ClusterRoleBinding
metadata:
name: sa1-cluster1
namespace: kasten-io-mc
spec:
k10ClusterRole: k10-multi-cluster-admin
clusters:
- name: cluster1
subjects:
- kind: User
apiGroup: rbac.authorization.k8s.io
name: system:serviceaccount:sa_namespace:sa1
EOF
$ kubectl create -f sample-k10ClusterRoleBinding.yaml
k10clusterrolebinding.auth.kio.kasten.io/sa1-cluster1 created
K10ClusterRoleBindings API Type
The following is a complete specification of the K10ClusterRoleBinding API.
# Standard Kubernetes API Version declaration. Required.
apiVersion: auth.kio.kasten.io/v1alpha1
# Standard Kubernetes Kind declaration. Required.
kind: K10ClusterRoleBinding
metadata:
# K10ClusterRoleBinding name. May be any valid Kubernetes object name. Required.
# K10ClusterRoleBinding name is not mutable once created.
name: k10ClusterRoleBinding-example
# K10ClusterRoleBinding names must be unique and as an alternative to name above
# one can take advantage of Kubernetes auto name generation
generateName: k10ClusterRoleBinding-
# K10ClusterRoleBinding namespace. Required.
# Must be k10 multi-cluster namespaces
namespace: kasten-io-mc
# K10ClusterRoleBinding spec. Required.
spec:
# k10ClusterRole name. Required
# Choose from existing k10ClusterRoles in the system.
# Can be oneOf k10-multi-cluster-admin, k10-multi-cluster-basic, k10-multi-cluster-config-view
k10ClusterRole: k10-multi-cluster-admin
# List of cluster selectors. Required.
# Either name or selector must be specified. To select all clusters, an
# empty selector may be used.
clusters:
- name: <cluster_name> # cluster1
- selector: <selector_string> # "foo=bar"
# List of subjects. Required.
# Either a user or groups
subjects:
- kind: User
apiGroup: rbac.authorization.k8s.io
name: user1
- kind: Groups
apiGroup: rbac.authorization.k8s.io
name: group1