Managing Access for OKS Users
OKS allows you to manage access to your Kubernetes clusters. You can grant user-specific access rights and temporary access, and trace the actions of individual users in the cluster logs.
Configuring User-Based Accesses
You can generate named kubeconfig files for your Kubernetes cluster.
This allows you to manage the rights to the cluster per user, and to track individual actions in the cluster access logs. The default user name is kube-user.
$ oks-cli cluster kubeconfig \
--project-name NAME_OF_PROJECT \
--cluster-name NAME_OF_CLUSTER \
--user user2 \
--print-path
This command contains the following options that you need to specify:
- cluster-name: The name of the cluster, with a maximum length of 40 alphanumeric characters and dashes (-). This name must not start or end with a dash, and it must be unique within the project.
- project-name (optional): The name of the project in which the cluster was created.
- user: The name of the user.
To grant rights to the new user, you must apply the corresponding Role-based access control (RBAC) definitions to the username, or assign the user to one of the existing groups. For more information about RBAC, see the Kubernetes documentation.
Managing Rights for Groups
You can manage rights for different teams or roles in the project by assigning the corresponding RBAC-based groups to the generated kubeconfig files.
The default group is cluster-admin. It has full rights on the cluster, except for actions that are considered dangerous.
Groups with names starting with |
$ oks-cli cluster kubeconfig \
--project-name NAME_OF_PROJECT \
--cluster-name NAME_OF_CLUSTER \
--group "devops" \
--print-path
This command contains the following options that you need to specify:
- cluster-name: The name of the cluster, with a maximum length of 40 alphanumeric characters and dashes (-). This name must not start or end with a dash, and it must be unique within the project.
- project-name (optional): The name of the project in which the cluster was created.
- group: The name of the group.
After getting your admin kubeconfig file, you can apply the required RBAC definitions and generate kubeconfig files with limited access rights.
Giving Access To a Single Namespace
To grant access rights to a namespace, replace the following values in the RBAC YAML parameters:
- namespace-admin: The name of the group you want to give rights to.
- target-namespace: The namespace you are granting access to.

---
# Service Account (optional; the binding below targets the group, not this account)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: namespace-admin
  namespace: target-namespace
---
# Role definition with full permissions in the namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: namespace-admin-role
  namespace: target-namespace
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
# RoleBinding to bind the Role to the group
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin-binding
  namespace: target-namespace
subjects:
- kind: Group
  name: namespace-admin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: namespace-admin-role
  apiGroup: rbac.authorization.k8s.io

Apply the manifest, then refresh the corresponding kubeconfig file:

Request sample
$ oks-cli cluster kubeconfig \
--project-name NAME_OF_PROJECT \
--cluster-name NAME_OF_CLUSTER \
--group "namespace-admin" \
--print-path \
--refresh
Giving Read-Only Access
To grant read-only access rights to a cluster, replace the following value in the RBAC YAML parameters:
- readonly-users: The name of the group you want to give rights to.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: readonly
  labels:
    app.kubernetes.io/name: readonly
    app.kubernetes.io/part-of: rbac-system
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly-binding
  labels:
    app.kubernetes.io/name: readonly-binding
    app.kubernetes.io/part-of: rbac-system
subjects:
- kind: Group
  name: readonly-users
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: readonly
  apiGroup: rbac.authorization.k8s.io
---
# Optional: ServiceAccount for programmatic access
apiVersion: v1
kind: ServiceAccount
metadata:
  name: readonly-service-account
  namespace: default
  labels:
    app.kubernetes.io/name: readonly-service-account
    app.kubernetes.io/part-of: rbac-system
---
# Optional: ClusterRoleBinding for the ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly-sa-binding
  labels:
    app.kubernetes.io/name: readonly-sa-binding
    app.kubernetes.io/part-of: rbac-system
subjects:
- kind: ServiceAccount
  name: readonly-service-account
  namespace: default
roleRef:
  kind: ClusterRole
  name: readonly
  apiGroup: rbac.authorization.k8s.io

Apply the manifest, then generate the corresponding kubeconfig:

Request sample
$ oks-cli cluster kubeconfig \
--project-name NAME_OF_PROJECT \
--cluster-name NAME_OF_CLUSTER \
--group "readonly-users" \
--refresh
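As an added example (not OKS or Kubernetes code), the following Python models how the API server resolves the namespace-admin and readonly-users manifests above: the RoleBinding confines the namespace-admin group to target-namespace, while the ClusterRoleBinding gives readonly-users get/list/watch on every resource in every namespace, Secrets included. The objects are a constructed simplification that mirrors the page's YAML; subresources, resourceNames, nonResourceURLs and aggregated ClusterRoles are left out.

```python
# Added example, not OKS or Kubernetes code: a minimal model of how the API
# server evaluates the two manifests on this page. A RoleBinding confines a
# Role to its own namespace; a ClusterRoleBinding applies a ClusterRole in every
# namespace. Objects are constructed to mirror the page's YAML; subresources,
# resourceNames, nonResourceURLs and aggregated ClusterRoles are omitted.

# (kind, namespace or None when cluster-scoped, name) -> rules
ROLES = {
    ("Role", "target-namespace", "namespace-admin-role"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    ("ClusterRole", None, "readonly"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}],
}
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "target-namespace",
     "subjects": {("Group", "namespace-admin")},
     "roleRef": ("Role", "namespace-admin-role")},
    {"kind": "ClusterRoleBinding", "namespace": None,
     "subjects": {("Group", "readonly-users")},
     "roleRef": ("ClusterRole", "readonly")},
]

def _rule_allows(rule, api_group, resource, verb):
    """A rule matches only when apiGroup, resource and verb all match ('*' is a wildcard)."""
    return all(want in have or "*" in have for want, have in (
        (api_group, rule["apiGroups"]),
        (resource, rule["resources"]),
        (verb, rule["verbs"])))

def can_i(subjects, verb, resource, namespace, api_group=""):
    """Return True if any of `subjects` ({(kind, name), ...}, i.e. the identity
    carried by a generated kubeconfig) may perform `verb` on `resource` in `namespace`."""
    for binding in BINDINGS:
        if not binding["subjects"] & subjects:
            continue
        # A RoleBinding grants only inside the namespace it lives in.
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue
        ref_kind, ref_name = binding["roleRef"]
        # Roles are looked up in the binding's namespace; ClusterRoles are cluster-scoped.
        role_ns = binding["namespace"] if ref_kind == "Role" else None
        rules = ROLES.get((ref_kind, role_ns, ref_name), [])
        if any(_rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False  # no binding matched: RBAC is additive and denies by default
```

On a live cluster the authoritative check is `kubectl auth can-i`, run either with the generated kubeconfig or from the admin kubeconfig with `--as-group=<group>` to verify a group before handing out its kubeconfig.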