RBAC Reference

K10 uses Kubernetes ClusterRoles and Bindings to provide role-based access for users. Currently, the K10 multi-cluster global manager is only available to admin users and requires additional RBAC roles and bindings.

K10-Multi-Cluster-Admin

The k10-mc-admin ClusterRole grants access to Distributions, Cluster Config, K10 Config and Secrets in the K10 multi-cluster namespace.

Note

k10-mc-admin will be installed under the name <release_name>-mc-admin. This ClusterRole is not configurable and is installed with K10.

The following is an example of the k10-mc-admin ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k10-mc-admin
rules:
- apiGroups:
  - config.kio.kasten.io
  - dist.kio.kasten.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - create
  - delete
  - get
  - list

K10-Multi-Cluster-Admin Binding

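The k10-mc-admin ClusterRole needs a RoleBinding in the K10 multi-cluster namespace. Because it is bound with a RoleBinding rather than a ClusterRoleBinding, the permissions it grants, including create, delete, get and list on secrets and configmaps, apply only within that namespace.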

K10 creates a RoleBinding for a default Group k10:admins in the K10 multi-cluster namespace. Admin users can be added to this Group and will be able to use the above k10-mc-admin ClusterRole.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k10-k10-mc-admin
  namespace: kasten-io-mc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k10-mc-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: k10:admins

To bind the k10-mc-admin ClusterRole to a User, use the following command:

$ kubectl create rolebinding <name> --clusterrole=k10-mc-admin \
    --namespace=kasten-io-mc \
    --user=<name>

The above kubectl command creates a RoleBinding object like the following, shown here with the binding named k10-k10-mc-admin and the user k10-mc-admin:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k10-k10-mc-admin
  namespace: kasten-io-mc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k10-mc-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: k10-mc-admin

Alternatively, you can bind the ClusterRole to a ServiceAccount:

$ kubectl create rolebinding <name> --clusterrole=k10-mc-admin \
    --namespace=kasten-io-mc \
    --serviceaccount=<serviceaccount_namespace>:<serviceaccount_name>

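The above kubectl command creates a RoleBinding object like the following, shown here with the binding named k10-k10-mc-admin and the ServiceAccount k10-mc-admin in the kasten-io-mc namespace: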

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k10-k10-mc-admin
  namespace: kasten-io-mc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k10-mc-admin
subjects:
- kind: ServiceAccount
  name: k10-mc-admin
  namespace: kasten-io-mc
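
The following added example (not K10's own code) evaluates the k10-mc-admin rules shown above and lists which subjects a set of RoleBindings grants them to in kasten-io-mc. The binding list is a constructed sample, and the matcher is a simplification that ignores resourceNames and subresources.

```python
# Added example. Rules copied from the k10-mc-admin ClusterRole on this page.
K10_MC_ADMIN_RULES = [
    {"apiGroups": ["config.kio.kasten.io", "dist.kio.kasten.io"],
     "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["secrets", "configmaps"],
     "verbs": ["create", "delete", "get", "list"]},
]

def _binding(name, role, subject, namespace="kasten-io-mc"):
    """Build a RoleBinding dict with only the fields this audit reads."""
    return {"metadata": {"name": name, "namespace": namespace},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [subject]}

# Constructed sample: the three subject kinds from this page plus one
# unrelated binding. All binding names except the first are made up.
SAMPLE_BINDINGS = [
    _binding("k10-k10-mc-admin", "k10-mc-admin",
             {"kind": "Group", "name": "k10:admins"}),
    _binding("example-user", "k10-mc-admin",
             {"kind": "User", "name": "k10-mc-admin"}),
    _binding("example-sa", "k10-mc-admin",
             {"kind": "ServiceAccount", "name": "k10-mc-admin",
              "namespace": "kasten-io-mc"}),
    _binding("example-viewer", "view", {"kind": "User", "name": "alice"}),
]

def rule_allows(rules, api_group, resource, verb):
    """Simplified RBAC match: ignores resourceNames and subresources."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return any(hit(r["apiGroups"], api_group) and hit(r["resources"], resource)
               and hit(r["verbs"], verb) for r in rules)

def subjects_for_role(bindings, role_name, namespace):
    """Sorted 'Kind:name' subjects bound to ClusterRole role_name in namespace."""
    found = set()
    for b in bindings:
        ref = b["roleRef"]
        if (b["metadata"]["namespace"], ref["kind"], ref["name"]) != (
                namespace, "ClusterRole", role_name):
            continue
        for s in b.get("subjects", []):
            prefix = s["namespace"] + "/" if s["kind"] == "ServiceAccount" else ""
            found.add(f"{s['kind']}:{prefix}{s['name']}")
    return sorted(found)

if __name__ == "__main__":
    for verb in ("get", "list", "update", "watch"):
        print("secrets", verb, rule_allows(K10_MC_ADMIN_RULES, "", "secrets", verb))
    print(subjects_for_role(SAMPLE_BINDINGS, "k10-mc-admin", "kasten-io-mc"))
```

To audit a live cluster, load the items from `kubectl get rolebindings -n kasten-io-mc -o json` in place of SAMPLE_BINDINGS.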