Linking Kubernetes user to Unix user

9/28/2018

I am using RBAC to restrict a user john to work and create resources only in their namespace test-namespace.

Here is what I've done:

1) Generate certificates for a user and create set-context

kubectl config set-credentials john --client-certificate=/home/john/.certs/employee.crt  --client-key=/home/john/.certs/employee.key
kubectl config set-context john-context --cluster=minikube --namespace=test-namespace --user=john

2) Create a Role to manage deployments in the namespace test-namespace.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: test-namespace
  name: deployment-authority
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "create", "update", "patch", "delete"]

3) Create a RoleBinding.

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployment-authority-binding-john
  namespace: test-namespace
subjects:
- kind: User
  name: john
  apiGroup: ""
roleRef:
  kind: Role
  name: deployment-authority
  apiGroup: ""

Now all of the above works and I can run the command kubectl --context=john-context run --image busybox busybox without any issue.

Now I also have a Unix user on my Kubernetes Master node whose user name is john. My aim is to make sure that when that user is logged in, he (john) can run the commands allowed to him in his context john-context. I'm unable to link the UNIX user to the Kubernetes user.

Something like:

john@kubernet:/$ id
uid=1002(john) gid=1002(john) groups=1002(john)

john@kubernet:/$ kubectl get po -n test-namespace
NAME                       READY     STATUS    RESTARTS   AGE
grafana-67c6585fbd-tlr4n   1/1       Running   2          23h

But if I switch over to another user on my Unix machine, he/she should not be able to see anything or do anything in namespace test-namespace.

su - tom
tom@kubernet:/$ id
uid=1004(tom) gid=1004(tom) groups=1004(tom)
tom@kubernet:/$ kubectl get po -n test-namespace
You are not allowed to view resources in this namespace

Any suggestions will be much appreciated.

--
kubernetes

1 Answer

9/28/2018

You can just manage this through your ~/.kube/config file on your users' home directories. Say in /home/john/.kube/config you would have something like this:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0xxxxxxxxo=
    server: https://172.1.1.1:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: default
    user: john
  name: john@kubernetes
current-context: john@kubernetes
kind: Config
preferences: {}
users:
- name: john
  user:
    client-certificate-data: LS0txxxxo=
    client-key-data: LS0xxxxx==

And then you'd make sure that file only has 600 permissions.

-- Rico
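As an added example (not code from the question or from Rico's answer), here is a small POSIX shell helper an administrator could use to produce exactly the kind of per-user file the answer describes: it embeds john's CA, client certificate and key into a kubeconfig, writes it as that user's ~/.kube/config with mode 0600, and provides a check that the file really is private. The PEM file paths, the API server URL, the namespace and the destination path are all arguments supplied by the caller; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build a per-user kubeconfig for a Unix account and install it
# with restrictive permissions. Assumes the CA certificate, client certificate
# and client key already exist as PEM files (e.g. the ones generated for john).

# b64_file FILE -> single-line base64 of FILE (portable; avoids GNU-only -w0)
b64_file() {
  base64 < "$1" | tr -d '\n'
}

# write_user_kubeconfig USER SERVER NAMESPACE CA_PEM CRT_PEM KEY_PEM DEST
# Writes an embedded-data kubeconfig (same layout as the answer's file) to DEST,
# created under umask 077 so it is never group/world readable, then chmod 0600.
write_user_kubeconfig() {
  user=$1 server=$2 ns=$3 ca=$4 crt=$5 key=$6 dest=$7
  old_umask=$(umask)
  umask 077
  mkdir -p "$(dirname "$dest")"
  cat > "$dest" <<EOF
apiVersion: v1
kind: Config
preferences: {}
clusters:
- name: kubernetes
  cluster:
    server: $server
    certificate-authority-data: $(b64_file "$ca")
users:
- name: $user
  user:
    client-certificate-data: $(b64_file "$crt")
    client-key-data: $(b64_file "$key")
contexts:
- name: $user@kubernetes
  context:
    cluster: kubernetes
    namespace: $ns
    user: $user
current-context: $user@kubernetes
EOF
  # when run as root on the node, hand the file to the target Unix account
  if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
    chown "$user" "$dest"
  fi
  chmod 0600 "$dest"
  umask "$old_umask"
}

# kubeconfig_is_private FILE -> 0 if FILE is a regular file with mode exactly 0600
kubeconfig_is_private() {
  [ -f "$1" ] && [ -n "$(find "$1" -perm 0600 -print)" ]
}

# kubeconfig_current_user FILE -> prints the user part of current-context ("john")
kubeconfig_current_user() {
  sed -n 's/^current-context: \(.*\)@kubernetes$/\1/p' "$1"
}
```

Run it as root on the node, e.g. write_user_kubeconfig john https://172.1.1.1:6443 test-namespace ca.crt employee.crt employee.key /home/john/.kube/config, then log in as john and confirm the result with kubectl auth can-i get pods -n test-namespace. Two points worth keeping in mind: the 0600 mode (and the umask used while writing) is what stops another local account such as tom from simply reading john's private key out of his home directory, and it is the Role/RoleBinding from the question, not the file, that decides what john can do once authenticated; a user with no kubeconfig at all gets no credentials and is rejected before RBAC is even consulted.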
Source: StackOverflow