I am using RBAC to restrict a user john to work and create resources only in their namespace test-namespace.
Here is what I've done:
1) Generate certificates for a user and create set-context
kubectl config set-credentials john --client-certificate=/home/john/.certs/employee.crt --client-key=/home/john/.certs/employee.key
kubectl config set-context john-context --cluster=minikube --namespace=test-namespace --user=john
2) Create a Role to manage deployments in the namespace test-namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: test-namespace
  name: deployment-authority
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "create", "update", "patch", "delete"]
3) Create a RoleBinding.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployment-authority-binding-john
  namespace: test-namespace
subjects:
- kind: User
  name: john
  apiGroup: ""
roleRef:
  kind: Role
  name: deployment-authority
  apiGroup: ""   # an empty apiGroup is defaulted to rbac.authorization.k8s.io by the API server
Now all of the above works and I can run the command kubectl --context=john-context run --image busybox busybox without any issue.
Now I also have a Unix user on my Kubernetes Master node whose user name is john. My aim is to make sure that when that user is logged in, he (john) can run the commands allowed to him in his context john-context. I'm unable to link the UNIX user to the Kubernetes user.
Something like:
john@kubernet:/$ id
uid=1002(john) gid=1002(john) groups=1002(john)
john@kubernet:/$ kubectl get po -n test-namespace
NAME READY STATUS RESTARTS AGE
grafana-67c6585fbd-tlr4n 1/1 Running 2 23h
But if I switch over to another user on my Unix machine, he/she should not be able to see anything or do anything in namespace test-namespace.
su - tom
tom@kubernet:/$ id
uid=1004(tom) gid=1004(tom) groups=1004(tom)
tom@kubernet:/$ kubectl get po -n test-namespace
You are not allowed to view resources in this namespace
Any suggestions will be much appreciated.
You can just manage this through the ~/.kube/config file in your users' home directories. Say in /home/john/.kube/config you would have something like this:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0xxxxxxxxo=
    server: https://172.1.1.1:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: default
    user: john
  name: john@kubernetes
current-context: john@kubernetes
kind: Config
preferences: {}
users:
- name: john
  user:
    client-certificate-data: LS0txxxxo=
    client-key-data: LS0xxxxx==
And then you'd make sure that file only has 600 permissions.
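As an added example (not code from the question or the answer above), here is a small Python helper that writes a per-user kubeconfig in the shape shown in the answer, created with mode 0600 from the first byte, plus an audit that flags a kubeconfig whose mode grants group/other access or whose contexts point outside the user's namespace. The certificate strings are constructed placeholders; the file is written as JSON, which kubectl reads because JSON is valid YAML.

```python
import json
import os
import stat
import tempfile

def build_kubeconfig(user, namespace, server, ca_b64, cert_b64, key_b64):
    """Kubeconfig dict binding one user to one namespace (same layout as the answer's YAML)."""
    return {
        "apiVersion": "v1", "kind": "Config", "preferences": {},
        "clusters": [{"name": "kubernetes", "cluster": {
            "server": server, "certificate-authority-data": ca_b64}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": cert_b64, "client-key-data": key_b64}}],
        "contexts": [{"name": f"{user}@kubernetes", "context": {
            "cluster": "kubernetes", "user": user, "namespace": namespace}}],
        "current-context": f"{user}@kubernetes",
    }

def write_kubeconfig(path, config):
    """Create the file as 0600 from the start (no window where others can read the key)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    os.chmod(path, 0o600)  # also tighten a pre-existing file that had a wider mode

def audit_kubeconfig(path, expected_namespace):
    """List findings; an empty list means mode and context namespaces match the intent."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit exposes the embedded client key
        findings.append(f"mode {oct(mode)} grants group/other access; want 0o600")
    with open(path) as fh:
        cfg = json.load(fh)
    for ctx in cfg.get("contexts", []):
        ns = ctx.get("context", {}).get("namespace")
        if ns != expected_namespace:
            findings.append(f"context {ctx.get('name')} targets namespace {ns!r}")
    return findings

def demo():
    """john's config done right; tom's left world-readable and pointed at another namespace."""
    d, fake = tempfile.mkdtemp(), "LS0tQ09OU1RSVUNURUQtUExBQ0VIT0xERVI="  # constructed, not a real cert
    server, paths = "https://172.1.1.1:6443", {}
    for user, ns in (("john", "test-namespace"), ("tom", "default")):
        paths[user] = os.path.join(d, f"{user}-config")
        write_kubeconfig(paths[user], build_kubeconfig(user, ns, server, fake, fake, fake))
    os.chmod(paths["tom"], 0o644)  # simulate a kubeconfig that was left world-readable
    return [audit_kubeconfig(p, "test-namespace") for p in (paths["john"], paths["tom"])]
```

The namespace in a context is only kubectl's default; what actually denies tom is the Role/RoleBinding on the server, so the real check is running `kubectl auth can-i get pods -n test-namespace` as each Unix user.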