kubernetes group definitions. Create and details

11/23/2017

How do I create groups in kubernetes? What are the default groups created in kubernetes?

In my kubernetes installation, this is the subject section of a ClusterRoleBinding:

subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: default
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:default
- kind: ServiceAccount
  name: default
  namespace: kube-system
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:nodes
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: federation-system
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:federation-system

How can I see the components of the group "default", for example? kubectl get xxx? How can I create my own groups?

Any pointer to documentation specific to groups, not about RBAC or Authorization (I always end up in that k8s documentation and it does not explain groups), will be appreciated.

Thank you.

-- Jxadro
kubernetes

1 Answer

1/26/2018

You don't create groups in Kubernetes; the groups are defined in the Identity Provider.

For example, I use Keystone from OpenStack as the Identity Provider. I use a Bearer Token to log in, and Kubernetes validates the token by connecting to Keystone, which answers with my username and my project UUID in OpenStack. The project UUID is then the group in Kubernetes.

I can write the following:

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: Group
  name: <openstack_project_uuid>
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

or if I want to use the User

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: <openstack_user_name>
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Probably someone will post a similar answer with an LDAP example. I have always used only OpenStack Keystone. But I hope I answered your question.

-- Saverio Proto
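As an added illustration (not code from the question or the answer), the following model shows why there is no "kubectl get" for group members: the apiserver stores no membership, and the RBAC authorizer simply matches each binding subject against the UserInfo (name plus groups) that the authenticator reports, with the subjects list copied from the question's ClusterRoleBinding.

```python
from dataclasses import dataclass, field

@dataclass
class UserInfo:
    """What an authenticator (Keystone, OIDC, token file, ...) hands the apiserver."""
    name: str
    groups: set = field(default_factory=set)

def service_account_userinfo(namespace, sa_name):
    """UserInfo the apiserver itself builds for a service-account token."""
    return UserInfo(
        name=f"system:serviceaccount:{namespace}:{sa_name}",
        groups={"system:serviceaccounts",
                f"system:serviceaccounts:{namespace}",
                "system:authenticated"})

def subject_matches(subject, user):
    """One RoleBinding/ClusterRoleBinding subject against one UserInfo."""
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == user.name
    if kind == "Group":  # a Group subject matches only if the authenticator reported that group
        return subject["name"] in user.groups
    if kind == "ServiceAccount":  # matched via the SA's synthesised user name
        return user.name == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False

def matching_subjects(subjects, user):
    """(kind, name) of every subject that grants the binding's role to this user."""
    return [(s["kind"], s["name"]) for s in subjects if subject_matches(s, user)]

# Constructed copy of the subjects list from the question's ClusterRoleBinding.
QUESTION_SUBJECTS = [
    {"kind": "Group", "name": "default"},
    {"kind": "Group", "name": "system:serviceaccounts:default"},
    {"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"},
    {"kind": "Group", "name": "system:nodes"},
    {"kind": "Group", "name": "federation-system"},
    {"kind": "Group", "name": "system:serviceaccounts:federation-system"},
]

if __name__ == "__main__":
    # Any SA in "default" is covered through its namespace group ...
    print(matching_subjects(QUESTION_SUBJECTS, service_account_userinfo("default", "builder")))
    # ... the kube-system "default" SA only through the explicit ServiceAccount subject ...
    print(matching_subjects(QUESTION_SUBJECTS, service_account_userinfo("kube-system", "default")))
    # ... and a Keystone user is in group "default" only if Keystone says so (assumed name/group).
    print(matching_subjects(QUESTION_SUBJECTS, UserInfo("alice", {"<openstack_project_uuid>"})))
```

The practical check against a real cluster is the same matching done server-side: `kubectl auth can-i --as=<user> --as-group=<group> ...` asks the authorizer what a given name-plus-groups would be allowed to do.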
Source: StackOverflow