What is the best way to add users to the Kubernetes cluster ("kube") with limited authorizations? The kube currently contains two types of user, which can be explored with $ kubectl get rolebindings
Before looking at new roles, consider this message from a Kubernetes discussion group member: "user management tends to get complicated quickly." Services like https://rancher.com/ exist for this reason, so the caution here is to keep things simple.
User authentication is currently handled with kube-generated client certificates. Note that authentication differs from authorization: authentication establishes who is making a request, authorization decides what that identity may do. The user name is embedded in the certificate's subject Common Name (CN), and when a kubectl command is run with that certificate the request is attributed to that user (any Organization (O) fields in the subject become the user's groups). A downside of client certificates is that the API server does not consult revocation lists, so a certificate cannot be revoked and must expire instead; keep lifetimes short. Certificate authentication is probably OK for now.
Certificates are described here and a step-by-step for generating user certificates like the ones we use is here, at "Use case 1".
Resources are kube objects: the things users create and interact with to get work done, such as "pods", "secrets", "services" and "cronjobs".
Namespaces are a way to divide resources between multiple users. Authorizations can be applied broadly to all resources within a specific namespace, a bit like a folder. Our kube has namespaces like "jobs" and "review-apps" that hold jobrunner and review-app resources. Many of our resources, including those used by CMS2, venom-api and the dt-integration-service, are not in a dedicated namespace. (A few resource kinds, such as nodes, PersistentVolumes and ClusterRoles, are cluster-scoped and never belong to any namespace.)
Roles and ClusterRoles are sets of rules that grant additive permissions (there are no "deny" rules: anything not explicitly allowed is denied). They are part of kube's Role Based Access Control (RBAC) system. A rule permits verbs such as "get", "create", "update" and "delete" on resources such as "pods", "deployments" and "secrets"; resources are named in the plural and must be paired with the API group they belong to ("" for core resources like pods and services, "apps" for deployments). A Role lives in, and can only grant permissions within, one namespace; a ClusterRole is not namespaced. Neither kind of role says who holds the permissions. That is done by bindings: a RoleBinding grants a Role or a ClusterRole to subjects (Users, Groups such as a "manager" or "developer" group, or ServiceAccounts) within the binding's own namespace, while a ClusterRoleBinding grants a ClusterRole across the whole cluster. Binding a ClusterRole with a RoleBinding is the standard way to define a permission set once and hand it out namespace by namespace.
"Jennifer" needs to create, update and delete social-profile resources. She doesn't need access to the rest of the kube, for example to delete resources in the "database" namespace or to create new ClusterRoles. There are many ways to organize this, but the suggestion here boils down to the following.
Having separated permissions per user and per namespace, we can quickly see and change what a specific user is allowed to do. Surprisingly, kube does not provide a practical way to list users or to view all Roles bound to a user: there is no User object in the API, so a user exists only as a name in a certificate and as a subject in bindings. With this shortcoming, how can we manage users and roles?
Note: kube can list Roles and RoleBindings (kubectl get rolebindings -A -o yaml shows each binding's subjects), and those can be inspected individually to find user names, but doing this manually is slow and error prone.
An easy solution is to use in-house naming conventions. Kube does not enforce them, so a misnamed binding will not be rejected: review a binding's roleRef and subjects, not just its name, and use kubectl auth can-i <verb> <resource> -n <namespace> --as <user> to confirm what a user can really do.
Use one ClusterRole per namespace and role, with the namespace and the role embedded in the name, for example social-profile:developer or social-profile:admin. When listing ClusterRoles, kube sorts by name, so the social-profile: roles appear together and compactly show the roles available for that namespace. The ClusterRole itself is not namespaced; what keeps it to social-profile is that it is only ever bound with a RoleBinding in that namespace (below) and never with a ClusterRoleBinding, which would grant it everywhere. Within that rule we can create, modify and delete these roles without affecting other namespaces :),
social-profile:developer

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: social-profile:developer
rules:
  # resource names are plural; pods and services are in the core ("") API group
  - apiGroups: [""]
    resources:
      - pods
      - services
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  # deployments are in the "apps" API group, not the core group; a rule that
  # lists them under apiGroups [""] (or as singular "deployment") grants nothing
  - apiGroups: ["apps"]
    resources:
      - deployments
    verbs: [create, delete, deletecollection, get, list, patch, update, watch]
Use one RoleBinding per user and role, with the username and the role name embedded in the RoleBinding name, for example jennifer@iconicengine.com:social-profile:developer (colons and "@" are legal in RBAC object names; "/" and "%" are not). When listing RoleBindings, kube lists the jennifer@iconicengine.com: bindings together within a namespace; across namespaces (kubectl get rolebindings -A) a grep on the user name gathers them. The listing also shows the names of all users that have bindings. We can create, modify and delete these RoleBindings without affecting other users. Note that a binding's roleRef cannot be changed after creation; to point a binding at a different role, delete and recreate it,
jennifer@iconicengine.com:social-profile:developer

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jennifer@iconicengine.com:social-profile:developer
  namespace: social-profile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: social-profile:developer
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: jennifer@iconicengine.com
Following these conventions would let us create and delete users and roles without breaking things, and quickly list users and namespace roles. For example, these commands become possible:
$ kubectl get clusterroles
NAME                        AGE
admin                       2y356d
social-profile:admin        20d
social-profile:developer    20d
venom-api:admin             20d
venom-api:deployment        20d
venom-api:developer         20d
$ kubectl get rolebindings -A
NAMESPACE        NAME                                                  AGE
social-profile   cdepauw@iconicengine.com:social-profile:admin         20d
social-profile   jennifer@iconicengine.com:social-profile:developer    33d
venom-api        cdepauw@iconicengine.com:venom-api:admin              20d
venom-api        jennifer@iconicengine.com:venom-api:deployment        33d
venom-api        jennifer@iconicengine.com:venom-api:developer         34d
$ kubectl get rolebindings -A | grep cdepauw
social-profile   cdepauw@iconicengine.com:social-profile:admin         20d
venom-api        cdepauw@iconicengine.com:venom-api:admin              20d
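As an added example (not part of this page and not our tooling), the script below does offline what the conventions above are meant to make easy and what the role/binding rules earlier imply. It works on a constructed sample shaped like the items of `kubectl get clusterroles,roles,rolebindings,clusterrolebindings -A -o json`: it lists users with their bindings (there is no User object to list), checks each binding's name against the roleRef and subjects it actually carries (kube never does this), flags namespace-prefixed ClusterRoles handed out through a ClusterRoleBinding, and answers can-i questions with a cut-down copy of RBAC matching. The names cdepauw-oops and the mismatched venom-api binding are constructed to show the failure modes; can_i handles User subjects only and ignores groups, service accounts, resourceNames, subresources and nonResourceURLs, all of which the real authorizer also evaluates.

```python
"""Offline RBAC audit over kubectl JSON. Added example, not the page's own tooling.
SAMPLE is constructed (not captured) in the shape of the items returned by
  kubectl get clusterroles,roles,rolebindings,clusterrolebindings -A -o json
can_i() mirrors the RBAC authorizer for User subjects only: Group and ServiceAccount
subjects, resourceNames, subresources and nonResourceURLs are left out here."""
from collections import defaultdict

ALL = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
SAMPLE = {"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "social-profile:developer"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ALL},
               {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ALL}]},
    {"kind": "ClusterRole", "metadata": {"name": "venom-api:admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "jennifer@iconicengine.com:social-profile:developer",
                                         "namespace": "social-profile"},
     "roleRef": {"kind": "ClusterRole", "name": "social-profile:developer"},
     "subjects": [{"kind": "User", "name": "jennifer@iconicengine.com"}]},
    # constructed violation: the name says venom-api:developer but roleRef grants venom-api:admin
    {"kind": "RoleBinding", "metadata": {"name": "cdepauw@iconicengine.com:venom-api:developer",
                                         "namespace": "venom-api"},
     "roleRef": {"kind": "ClusterRole", "name": "venom-api:admin"},
     "subjects": [{"kind": "User", "name": "cdepauw@iconicengine.com"}]},
    # constructed violation: a ClusterRoleBinding hands a namespace-prefixed role out cluster-wide
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cdepauw-oops"},
     "roleRef": {"kind": "ClusterRole", "name": "venom-api:admin"},
     "subjects": [{"kind": "User", "name": "cdepauw@iconicengine.com"}]},
]}

def load(doc):
    """Index roles by (kind, namespace, name); a ClusterRole gets namespace ''."""
    roles, bindings = {}, []
    for item in doc["items"]:
        meta = item["metadata"]
        if item["kind"] in ("Role", "ClusterRole"):
            roles[(item["kind"], meta.get("namespace", ""), meta["name"])] = item.get("rules", [])
        elif item["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            bindings.append(item)
    return roles, bindings

def _user_subjects(binding):
    return [s["name"] for s in binding.get("subjects", []) if s["kind"] == "User"]

def list_users(bindings):
    """Kubernetes has no User object: binding subjects are the only record of users."""
    users = defaultdict(list)
    for b in bindings:
        for name in _user_subjects(b):
            users[name].append(b["metadata"]["name"])
    return dict(users)

def convention_violations(bindings):
    """Compare each binding's name with what it really binds; kube itself never checks this."""
    problems = []
    for b in bindings:
        name, ref = b["metadata"]["name"], b["roleRef"]
        if b["kind"] == "ClusterRoleBinding":
            # heuristic: a '<namespace>:<role>' ClusterRole (built-in system:* roles excepted)
            if ":" in ref["name"] and not ref["name"].startswith("system:"):
                problems.append(f"{name}: ClusterRoleBinding grants {ref['name']} in every namespace")
            continue
        parts = name.split(":")
        if len(parts) != 3:
            problems.append(f"{name}: not named user:namespace:role")
            continue
        user, ns, role = parts
        if b["metadata"].get("namespace") != ns:
            problems.append(f"{name}: lives in namespace {b['metadata'].get('namespace')}, not {ns}")
        if ref["name"] != f"{ns}:{role}":
            problems.append(f"{name}: binds {ref['name']} but its name says {ns}:{role}")
        if [(s["kind"], s["name"]) for s in b.get("subjects", [])] != [("User", user)]:
            problems.append(f"{name}: subjects are not exactly User {user}")
    return problems

def rule_allows(rule, verb, api_group, resource):
    """A rule matches on verb, exact API group ('' is core) and the plural resource name."""
    def ok(wanted, allowed):
        return "*" in allowed or wanted in allowed
    return (ok(verb, rule.get("verbs", [])) and ok(api_group, rule.get("apiGroups", []))
            and ok(resource, rule.get("resources", [])))

def can_i(roles, bindings, user, verb, api_group, resource, namespace):
    """Offline stand-in for `kubectl auth can-i <verb> <resource> -n <namespace> --as <user>`."""
    for b in bindings:
        if user not in _user_subjects(b):
            continue
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only counts inside its own namespace
        ref = b["roleRef"]
        ref_ns = b["metadata"]["namespace"] if ref["kind"] == "Role" else ""
        rules = roles.get((ref["kind"], ref_ns, ref["name"]), [])  # dangling roleRef grants nothing
        if any(rule_allows(r, verb, api_group, resource) for r in rules):
            return True
    return False

if __name__ == "__main__":
    roles, bindings = load(SAMPLE)
    print(list_users(bindings)); print(*convention_violations(bindings), sep="\n")
    print(can_i(roles, bindings, "cdepauw@iconicengine.com", "delete", "", "secrets", "database"))
```

Running it shows the two things the naming convention cannot protect against on its own: the cdepauw binding grants admin while its name claims developer, and the stray ClusterRoleBinding lets cdepauw delete secrets in the "database" namespace even though every role is prefixed venom-api:. Point it at real output by replacing SAMPLE with json.load() of the kubectl command in the docstring.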