Managing Access for OKS Users

This page is currently available in English only.

OKS lets you manage access to your Kubernetes clusters: you can grant user-specific access rights and temporary access, and trace actions in the logs back to individual users.

Configuring User-Based Accesses

You can generate named kubeconfig files for your Kubernetes cluster. This lets you manage rights to the cluster per user and attribute actions in the cluster access logs to an individual user. When the --user option is omitted, the generated kubeconfig uses the default user name kube-user.

Request sample
```shell
oks-cli cluster kubeconfig \
  --project-name NAME_OF_PROJECT \
  --cluster-name NAME_OF_CLUSTER \
  --user user2 \
  --print-path
```

This command takes the following options:

  • cluster-name: The name of the cluster, with a maximum length of 40 alphanumeric characters and dashes (-). This name must not start or end with a dash, and it must be unique within the project.

  • (optional) project-name: The name of the project the cluster belongs to.

  • user: The name of the user embedded in the generated kubeconfig. Actions made with this file appear under that name in the cluster access logs.

A newly named user has no rights at all until Role-based access control (RBAC) refers to it: to grant rights, bind the required Role or ClusterRole to that username, or generate the kubeconfig for an existing group that already has bindings (see below). For more information about RBAC, see the Kubernetes documentation.

Managing Rights for Groups

You can manage rights for different teams or roles in the project by assigning the corresponding RBAC-based groups to the generated kubeconfig files.

The default group is cluster-admin. It has full rights on the cluster, except for actions the platform considers dangerous.

Group names starting with system: or oks: are reserved for the cluster itself; a request to generate a kubeconfig for such a group returns an error.

Request sample
```shell
oks-cli cluster kubeconfig \
  --project-name NAME_OF_PROJECT \
  --cluster-name NAME_OF_CLUSTER \
  --group "devops" \
  --print-path
```

This command takes the following options:

  • cluster-name: The name of the cluster, with a maximum length of 40 alphanumeric characters and dashes (-). This name must not start or end with a dash, and it must be unique within the project.

  • (optional) project-name: The name of the project the cluster belongs to.

  • group: The name of the group embedded in the generated kubeconfig. Every RBAC binding whose subject is this group applies to anyone using the file.

After getting your admin kubeconfig file, you can apply the required RBAC definitions and then generate kubeconfig files that carry only the resulting limited rights, as in the two procedures below.
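As an added example (not code from the OKS documentation or the oks-cli project), the following script puts the user flow and the group flow above together: it validates the cluster and group names against the rules stated on this page, issues a named kubeconfig for one user and one group with the oks-cli options shown above, binds Kubernetes' built-in edit and view ClusterRoles to them with kubectl, and checks the grants with kubectl auth can-i before the files are handed out. The project, cluster, user, group and namespace names are placeholders, and the cluster steps run only when oks-cli and kubectl are installed and the current kubeconfig is an admin one.

```shell
#!/bin/sh
# Added example, not part of the OKS documentation: issue named kubeconfigs for
# one user and one group with oks-cli, bind Kubernetes' built-in "edit" and
# "view" ClusterRoles to them, and verify the grants with "kubectl auth can-i"
# before the files are handed out. Only oks-cli options shown on this page are
# used; project, cluster, user, group and namespace names are placeholders.
set -eu

PROJECT="${PROJECT:-my-project}"     # assumed project name
CLUSTER="${CLUSTER:-my-cluster}"     # assumed cluster name
OKS_USER="${OKS_USER:-user2}"
OKS_GROUP="${OKS_GROUP:-devops}"
NAMESPACE="${NAMESPACE:-team-a}"     # assumed namespace

# Cluster-name rule from this page: 1 to 40 letters, digits or dashes, with no
# leading or trailing dash. Returns 0 when the name is acceptable.
valid_cluster_name() {
    name="$1"
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 40 ] || return 1
    case "$name" in
        -*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# Group-name rule from this page: the "system:" and "oks:" prefixes are
# reserved for the cluster and oks-cli refuses to issue a kubeconfig for them.
valid_group_name() {
    case "$1" in
        ""|system:*|oks:*) return 1 ;;
    esac
    return 0
}

# Print a can-i answer next to the expected one. Impersonation (--as,
# --as-group) lets the admin test a grant without using the issued file.
check() {   # $1 = expected yes|no, $2 = user, $3 = group or "", rest = can-i args
    want="$1"; who="$2"; grp="$3"; shift 3
    if [ -n "$grp" ]; then
        got=$(kubectl auth can-i "$@" --as "$who" --as-group "$grp" 2>/dev/null || true)
    else
        got=$(kubectl auth can-i "$@" --as "$who" 2>/dev/null || true)
    fi
    [ "$got" = "$want" ] && echo "ok   $who/$grp $* -> $got" || echo "FAIL $who/$grp $* -> $got (want $want)"
}

issue_and_bind() {
    valid_cluster_name "$CLUSTER" || { echo "invalid cluster name: $CLUSTER" >&2; return 1; }
    valid_group_name "$OKS_GROUP" || { echo "reserved group name: $OKS_GROUP" >&2; return 1; }

    # --print-path returns where oks-cli wrote each named kubeconfig.
    user_kc=$(oks-cli cluster kubeconfig --project-name "$PROJECT" --cluster-name "$CLUSTER" \
              --user "$OKS_USER" --print-path)
    group_kc=$(oks-cli cluster kubeconfig --project-name "$PROJECT" --cluster-name "$CLUSTER" \
               --group "$OKS_GROUP" --print-path)

    # RBAC is default-deny: a freshly named identity can do nothing yet.
    check no "$OKS_USER" "" list pods -n "$NAMESPACE"

    # User: built-in "edit" in one namespace (write most namespaced objects,
    # but not Roles or RoleBindings). dry-run + apply keeps the step idempotent.
    kubectl create rolebinding "edit-$OKS_USER" --clusterrole=edit --user="$OKS_USER" \
        -n "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
    # Group: built-in "view" cluster-wide (read namespaced objects, no Secrets).
    kubectl create clusterrolebinding "view-$OKS_GROUP" --clusterrole=view \
        --group="$OKS_GROUP" --dry-run=client -o yaml | kubectl apply -f -

    check yes "$OKS_USER" "" create deployments -n "$NAMESPACE"
    check no  "$OKS_USER" "" create deployments -n default
    check yes probe "$OKS_GROUP" list pods --all-namespaces
    check no  probe "$OKS_GROUP" list secrets --all-namespaces
    check no  probe "$OKS_GROUP" delete pods -n "$NAMESPACE"

    # Finally exercise the issued files themselves; self-review needs no extra rights.
    kubectl --kubeconfig "$user_kc" auth can-i create deployments -n "$NAMESPACE"
    kubectl --kubeconfig "$group_kc" auth can-i list pods --all-namespaces
}

# Cluster steps need oks-cli, kubectl and an admin kubeconfig; the validation
# helpers above work without them.
if command -v oks-cli >/dev/null 2>&1 && command -v kubectl >/dev/null 2>&1; then
    issue_and_bind
else
    echo "oks-cli or kubectl not found; skipping cluster operations" >&2
fi
```

Binding the built-in edit and view roles is a deliberate choice: they are maintained with the cluster, exclude Secrets (view) and RBAC objects (edit), and make the impersonated can-i answers easy to predict; a custom Role works the same way once it exists.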

Giving Access To a Single Namespace

  1. To grant full rights in a single namespace to a group, replace the following values in the RBAC manifest:

    • namespace-admin: The name of the group you want to give rights to.

    • target-namespace: The namespace you are granting access to.

    The binding subject is a Group, so it carries the apiGroup field and no namespace field (only ServiceAccount subjects are namespaced). The optional ServiceAccount is bound alongside the group for programmatic access. Keep in mind that all verbs on all resources inside the namespace include reading its Secrets, exec into its pods and creating tokens for its ServiceAccounts.

      ```yaml
      ---
      # Optional: ServiceAccount for programmatic access in the namespace
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: namespace-admin
        namespace: target-namespace

      ---
      # Role definition with full permissions in the namespace
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: namespace-admin-role
        namespace: target-namespace
      rules:
        - apiGroups: ["*"]
          resources: ["*"]
          verbs: ["*"]

      ---
      # RoleBinding granting the Role to the group (and to the ServiceAccount)
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: namespace-admin-binding
        namespace: target-namespace
      subjects:
      - kind: Group
        name: namespace-admin
        apiGroup: rbac.authorization.k8s.io
      - kind: ServiceAccount
        name: namespace-admin
        namespace: target-namespace
      roleRef:
        kind: Role
        name: namespace-admin-role
        apiGroup: rbac.authorization.k8s.io
      ```
  2. Apply the manifest with kubectl apply -f, then refresh the corresponding kubeconfig file:

    Request sample
    ```shell
    oks-cli cluster kubeconfig \
      --project-name NAME_OF_PROJECT \
      --cluster-name NAME_OF_CLUSTER \
      --group "namespace-admin" \
      --print-path \
      --refresh
    ```

Giving Read-Only Access

  1. To grant read-only access rights on the whole cluster to a group, replace the following value in the RBAC manifest:

    • readonly-users: The name of the group you want to give rights to.

    Note that get, list and watch on every resource include Secrets, so members of this group can read every credential stored in the cluster, and they also include the pods/exec, pods/attach and pods/portforward subresources, for which get is accepted to open a WebSocket session. If that is more than "read-only" should mean, enumerate the resources explicitly instead of using "*", or bind the built-in view ClusterRole, which excludes Secrets.

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: readonly
      labels:
        app.kubernetes.io/name: readonly
        app.kubernetes.io/part-of: rbac-system
    rules:
    - apiGroups: ["*"]
      resources: ["*"]
      verbs: ["get", "list", "watch"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: readonly-binding
      labels:
        app.kubernetes.io/name: readonly-binding
        app.kubernetes.io/part-of: rbac-system
    subjects:
    - kind: Group
      name: readonly-users
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: readonly
      apiGroup: rbac.authorization.k8s.io
    ---
    # Optional: ServiceAccount for programmatic access
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: readonly-service-account
      namespace: default
      labels:
        app.kubernetes.io/name: readonly-service-account
        app.kubernetes.io/part-of: rbac-system
    ---
    # Optional: ClusterRoleBinding for the ServiceAccount
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: readonly-sa-binding
      labels:
        app.kubernetes.io/name: readonly-sa-binding
        app.kubernetes.io/part-of: rbac-system
    subjects:
    - kind: ServiceAccount
      name: readonly-service-account
      namespace: default
    roleRef:
      kind: ClusterRole
      name: readonly
      apiGroup: rbac.authorization.k8s.io
    ```
  2. Apply the manifest with kubectl apply -f, then generate the corresponding kubeconfig:

    Request sample
    ```shell
    oks-cli cluster kubeconfig \
      --project-name NAME_OF_PROJECT \
      --cluster-name NAME_OF_CLUSTER \
      --group "readonly-users" \
      --refresh
    ```
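As an added example (not code from the OKS documentation or the oks-cli project), the following script covers both procedures above, the single-namespace admin group and the read-only group: it renders the manifests with the group and namespace substituted, applies them with the admin kubeconfig, refreshes the group kubeconfigs with the oks-cli options shown on this page, and verifies the resulting scope with kubectl auth can-i. The read-only ClusterRole is a hardened variant of the page's one, with resources enumerated instead of "*" so that Secrets and the exec, attach and portforward subresources are excluded. Project, cluster, group and namespace names are placeholders; the kubectl and oks-cli steps run only when both tools are present.

```shell
#!/bin/sh
# Added example, not part of the OKS documentation: render the namespace-admin
# and read-only manifests from the procedures above with the group and namespace
# substituted, apply them with the admin kubeconfig, refresh the group
# kubeconfigs with oks-cli, and prove the scope with "kubectl auth can-i".
# Project, cluster, group and namespace names are placeholders.
set -eu

PROJECT="${PROJECT:-my-project}"   # assumed project name
CLUSTER="${CLUSTER:-my-cluster}"   # assumed cluster name

# Full rights in one namespace for a group. A Group subject carries apiGroup
# and no namespace field; only ServiceAccount subjects are namespaced.
render_namespace_admin() {   # $1 = group, $2 = namespace
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $1-role
  namespace: $2
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $1-binding
  namespace: $2
subjects:
  - kind: Group
    name: $1
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: $1-role
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Hardened variant of the page's read-only ClusterRole: resources are listed
# instead of "*", so Secrets stay unreadable and the only pod subresource is
# pods/log ("get" on pods/exec, attach or portforward opens a WebSocket session).
render_readonly() {   # $1 = group
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: readonly-no-secrets
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "endpoints", "configmaps", "namespaces", "nodes", "events", "persistentvolumes", "persistentvolumeclaims", "serviceaccounts"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly-no-secrets-$1
subjects:
  - kind: Group
    name: $1
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: readonly-no-secrets
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Compare the can-i answer for an impersonated member of a group with the expected one.
can_i() {   # $1 = yes|no, $2 = group, rest = can-i arguments
    want="$1"; group="$2"; shift 2
    got=$(kubectl auth can-i "$@" --as probe --as-group "$group" 2>/dev/null || true)
    [ "$got" = "$want" ] && echo "ok   $group: $* -> $got" || echo "FAIL $group: $* -> $got (want $want)"
}

apply_and_verify() {   # $1 = namespace-admin group, $2 = its namespace
    render_namespace_admin "$1" "$2" | kubectl apply -f -
    render_readonly readonly-users | kubectl apply -f -
    # Refresh so the issued files carry the groups the bindings refer to.
    oks-cli cluster kubeconfig --project-name "$PROJECT" --cluster-name "$CLUSTER" --group "$1" --print-path --refresh
    oks-cli cluster kubeconfig --project-name "$PROJECT" --cluster-name "$CLUSTER" --group readonly-users --print-path --refresh
    can_i yes "$1" delete pods -n "$2"
    can_i no  "$1" delete pods -n kube-system
    can_i no  "$1" list nodes
    can_i yes readonly-users list pods --all-namespaces
    can_i no  readonly-users list secrets --all-namespaces
    can_i no  readonly-users get pods --subresource=exec -n "$2"
}

if command -v kubectl >/dev/null 2>&1 && command -v oks-cli >/dev/null 2>&1; then
    apply_and_verify "${OKS_GROUP:-team-a-admins}" "${NAMESPACE:-team-a}"
else
    echo "kubectl or oks-cli not found; not applying anything" >&2
fi
```

The two render functions print plain manifests, so they can also be piped into kubectl apply --dry-run=server to have the API server validate them before any binding is created.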

Related pages