user1 and user2 have been assigned the "admin" role in a K8s cluster where they can only work within the namespace they are assigned. In the case below, ns1 and ns2 respectively.
user1 --> assigned namespace ns1
user2 --> assigned namespace ns2
user3 --> assigned namespace ns3 and also has the namespace-admin role assigned. The namespace-admin role (user3) should be able to create any resource in namespace ns3 and in any new namespaces he creates in the cluster. This role should have the ability to dynamically create new namespaces. But user3 should NOT have access to the ns1 or ns2 namespaces, which were not created by user "user3".
user3 will be dynamically creating new namespaces and deploying workloads in those namespaces.
Can this be addressed? This is similar to the OpenShift "Projects" concept.
To achieve dynamic permissions, you'd need a component granting user3 permissions in the namespaces they create (which is what the OpenShift Projects API handler does).
Yes, you can restrict user3 to create/delete resources only in the namespace ns3 using a Role and bind that role to user3. Then you can use a ClusterRole with access only to the namespaces resource and allow it to create, delete, etc.
Something like this:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: my-namespace
  name: user-namespace-role
rules:
- apiGroups: [""]
  resources: ["services", "endpoints", "pods"] # etc...
  verbs: ["get", "list", "create"] # etc
Then:
kubectl create rolebinding user-namespace-binding --role=user-namespace-role --user=user3 --namespace=my-namespace
Then:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-role-all-namespaces
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # etc
Then:
kubectl create clusterrolebinding all-namespaces-binding --clusterrole=cluster-role-all-namespaces --user=user3
For user1 and user2 you can create a Role and RoleBinding for their unique namespaces.
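The answer covers the static Role/RoleBinding part, and the comment above notes that the dynamic part (user3 becoming admin of namespaces he creates, as OpenShift Projects do) needs an extra component. The script below is an added example of that component's core logic; it is not code from the question, the answer, or any project. It assumes a hypothetical annotation `example.com/created-by` on each Namespace that records the authenticated creator; that annotation is not a Kubernetes convention and must be stamped server-side (for example by a mutating admission webhook from the request's userInfo), otherwise a client could claim someone else created the namespace. The sample namespace objects are constructed.

```python
import json

# Assumed annotation (not a Kubernetes convention): set server-side from the
# authenticated request userInfo, never trusted when supplied by the client.
CREATED_BY = "example.com/created-by"

# Users holding the dynamic "namespace-admin" role from the question.
NAMESPACE_ADMINS = {"user3"}

# Statically assigned home namespaces: namespace -> user.
HOME_NAMESPACES = {"ns1": "user1", "ns2": "user2", "ns3": "user3"}

# Constructed sample, shaped like the items of `kubectl get ns -o json`.
SAMPLE_NAMESPACES = [
    {"metadata": {"name": "ns1", "annotations": {CREATED_BY: "cluster-admin"}}},
    {"metadata": {"name": "ns2", "annotations": {CREATED_BY: "cluster-admin"}}},
    {"metadata": {"name": "ns3", "annotations": {CREATED_BY: "cluster-admin"}}},
    {"metadata": {"name": "team-a", "annotations": {CREATED_BY: "user3"}}},
    {"metadata": {"name": "team-b", "annotations": {CREATED_BY: "user1"}}},
    {"metadata": {"name": "kube-system"}},
]


def role_binding(namespace, user, name="namespace-admin"):
    """RoleBinding granting the built-in `admin` ClusterRole inside one namespace.
    Referencing a ClusterRole from a RoleBinding scopes it to that namespace only."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "subjects": [{"kind": "User", "name": user,
                      "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "ClusterRole", "name": "admin",
                    "apiGroup": "rbac.authorization.k8s.io"},
    }


def desired_bindings(namespaces, home_namespaces=HOME_NAMESPACES):
    """Return {namespace: user} for every RoleBinding the cluster should hold:
    the static home namespaces plus each namespace created by a namespace-admin.
    Namespaces created by anyone else, or with no creator record, get nothing."""
    wanted = dict(home_namespaces)
    for ns in namespaces:
        meta = ns["metadata"]
        name = meta["name"]
        creator = meta.get("annotations", {}).get(CREATED_BY)
        if name not in wanted and creator in NAMESPACE_ADMINS:
            wanted[name] = creator
    return wanted


def manifests(bindings):
    """Serialise the bindings as a v1 List in JSON, accepted by `kubectl apply -f -`."""
    items = [role_binding(ns, user) for ns, user in sorted(bindings.items())]
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2)


def has_namespace_admin(user, namespace, bindings):
    """Model of what the emitted RoleBindings grant: admin only where bound."""
    return bindings.get(namespace) == user


if __name__ == "__main__":
    print(manifests(desired_bindings(SAMPLE_NAMESPACES)))
```

Run it periodically or from a Namespace watch and pipe the output to `kubectl apply -f -`. Verify the isolation afterwards with `kubectl auth can-i create pods -n ns1 --as=user3` (expected: no) and the same command with `-n team-a` (expected: yes). Note that the cluster-scoped `namespaces` ClusterRole in the answer applies to every Namespace object, so a `delete` verb there lets user3 delete ns1 and ns2 themselves; keeping that rule to `create`, `get` and `list` matches the question's requirement more closely.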