Managing Accesses For OKS Users

OKS allows you to manage access to your Kubernetes clusters. You can grant user-specific access rights, temporary accesses and individual log traces.

Configuring User-Based Accesses

You can generate named kubeconfig files for your Kubernetes cluster. This allows you to manage the rights to the cluster per user, and to track individual actions in cluster access logs. The default value of this parameter is: kube-user.

Request sample
$ oks-cli cluster kubeconfig \
  --project-name NAME_OF_PROJECT \
  --cluster-name NAME_OF_CLUSTER \
  --user user2 \
  --print-path

This command contains the following options that you need to specify:

  • cluster-name: The name of the cluster, with a maximum length of 40 alphanumeric characters and dashes (-). This name must not start or end with a dash, and it must be unique within the project.

  • (optional) project-name: The name of the project where the cluster will be created.

  • user: The name of the user.

To grant rights to the new user, you must apply the corresponding Role-based access control (RBAC) to the username, or apply one of the existing groups. For more information about RBAC, see the Kubernetes documentation.

Managing Rights for Groups

You can manage rights for different teams or roles in the project by assigning the corresponding RBAC-based groups to the generated kubeconfig files.

The default group is cluster-admin. It has full rights on the cluster, except for actions that are considered as dangerous.

Groups with names starting with system: and oks: are reserved for the cluster itself. Requests to get the related configurations will result in error.
Request sample
$ oks-cli cluster kubeconfig \
  --project-name NAME_OF_PROJECT \
  --cluster-name NAME_OF_CLUSTER \
  --group "devops" \
  --print-path

This command contains the following options that you need to specify:

  • cluster-name: The name of the cluster, with a maximum length of 40 alphanumeric characters and dashes (-). This name must not start or end with a dash, and it must be unique within the project.

  • (optional) project-name: The name of the project where the cluster will be created.

  • group: The name of the group.

After getting your admin kubeconfig file, you can apply the required RBAC definitions and generate limited access rights.

Giving Access To a Single Namespace

  1. To grant access rights to a namespace, replace the following value in the RBAC YAML parameters:

    • namespace-admin: The name of the group you want to give rights to.

    • target-namespace: The namespace you are granting access to.

      ---
# Service Account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: namespace-admin
  namespace: target-namespace

---
# Role definition with full permissions in the namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: namespace-admin-role
  namespace: target-namespace
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

---
# RoleBinding to bind the Role to the ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin-binding
  namespace: target-namespace
subjects:
- kind: Group
  name: namespace-admin
  namespace: target-namespace
roleRef:
  kind: Role
  name: namespace-admin-role
  apiGroup: rbac.authorization.k8s.io

  2. Apply the manifest, then refresh the corresponding kubeconfig file:

    Request sample
    $ oks-cli cluster kubeconfig \
  --project-name NAME_OF_PROJECT \
  --cluster-name NAME_OF_CLUSTER \
  --group "namespace-admin" \
  --print-path \
  --refresh

Giving Read-Only Access

  1. To grant read-only access rights to a cluster, replace the following value in the RBAC YAML parameters:

    readonly-users: The name of the group you want to give rights to.

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: readonly
  labels:
    app.kubernetes.io/name: readonly
    app.kubernetes.io/part-of: rbac-system
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly-binding
  labels:
    app.kubernetes.io/name: readonly-binding
    app.kubernetes.io/part-of: rbac-system
subjects:
- kind: Group
  name: readonly-users
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: readonly
  apiGroup: rbac.authorization.k8s.io
---
# Optional: ServiceAccount for programmatic access
apiVersion: v1
kind: ServiceAccount
metadata:
  name: readonly-service-account
  namespace: default
  labels:
    app.kubernetes.io/name: readonly-service-account
    app.kubernetes.io/part-of: rbac-system
---
# Optional: RoleBinding for ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly-sa-binding
  labels:
    app.kubernetes.io/name: readonly-sa-binding
    app.kubernetes.io/part-of: rbac-system
subjects:
- kind: ServiceAccount
  name: readonly-service-account
  namespace: default
roleRef:
  kind: ClusterRole
  name: readonly
  apiGroup: rbac.authorization.k8s.io

  2. Apply the manifest, then generate the corresponding kubeconfig:

    Request sample
    $ oks-cli cluster kubeconfig \
  --project-name NAME_OF_PROJECT \
  --cluster-name NAME_OF_CLUSTER \
  --group "readonly-users" \
  --refresh

Related Pages

Export to PDF