Role-based access control authentication to Back Up and Restore a Kubernetes Cluster Heptio Ark

11/22/2019

When I'm installing the Ark server and Velero for cluster backup, at that point it asks for RBAC authentication. The authentication process shows an error when we enter

kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user info.mail_id@gmail.com

error

Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "info.mail_id@gmail.com" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope

as given in this article here

-- saaya kasta
cloud
database-backups
docker
google-cloud-platform
kubernetes

2 Answers

11/22/2019

Kubernetes doesn't have USER objects. You need to use certificates to get authenticated and authorized with the API server.

Generate a certificate and sign it using the cluster CA. Build a kubeconfig file. Assign appropriate roles and rolebindings, and using the kubeconfig you should be able to perform backup and restore using Velero.

Alternatively, download Velero, and using the velero install command you can deploy Velero into the k8s cluster.

-- P Ekambaram
Source: StackOverflow

11/22/2019

It was already stated but I feel this needs more guidance.

  1. You need to create Certificates and sign them. Here you can find a useful tutorial regarding managing TLS certificates in a Cluster.

Kubernetes provides a certificates.k8s.io API, which lets you provision TLS certificates signed by a Certificate Authority (CA) that you control. These CA and certificates can be used by your workloads to establish trust.

  2. Use RBAC Authorization.

RBAC uses the rbac.authorization.k8s.io API Group to drive authorization decisions, allowing admins to dynamically configure policies through the Kubernetes API.

See API Overview for details regarding Roles and ClusterRoles as well as RoleBindings and ClusterRoleBindings.

In the RBAC API, a role contains rules that represent a set of permissions. Permissions are purely additive (there are no “deny” rules). A role can be defined within a namespace with a Role, or cluster-wide with a ClusterRole.

A role binding grants the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups, or service accounts), and a reference to the role being granted. Permissions can be granted within a namespace with a RoleBinding, or cluster-wide with a ClusterRoleBinding.

  3. And in case you need some guidelines regarding backup and restore using Velero (Heptio’s Ark), you may want to see this blog in addition to the regular GitHub and official documentation.

I hope it helps.

-- OhHiMark
Source: StackOverflow
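
The Forbidden error in the question follows from the additive rule model quoted in the second answer, and a small simplified evaluator reproduces it. This is an added example, not part of either answer and not Kubernetes code. The role names, bindings and the user dev@example.com are constructed, and namespaces, resourceNames and escalation checks are left out.

```python
# Simplified model of cluster-scoped RBAC evaluation; all names and data are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple

    def allows(self, group, resource, verb):
        pairs = ((self.api_groups, group), (self.resources, resource), (self.verbs, verb))
        return all("*" in allowed or value in allowed for allowed, value in pairs)

# ClusterRoles: name -> rules. Rules only grant; there is no deny rule.
CLUSTER_ROLES = {
    "cluster-admin": [Rule(("*",), ("*",), ("*",))],
    "view-pods": [Rule(("",), ("pods",), ("get", "list", "watch"))],
}

# ClusterRoleBindings: (role name, subjects); a subject is (kind, name).
BINDINGS = [
    ("cluster-admin", [("Group", "system:masters")]),
    ("view-pods", [("User", "dev@example.com")]),
]

RBAC = "rbac.authorization.k8s.io"

def authorize(user, groups, group, resource, verb, bindings=BINDINGS):
    """Return (allowed, message) for a cluster-scoped request."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for role, bound in bindings:
        matched = any(r.allows(group, resource, verb) for r in CLUSTER_ROLES[role])
        if matched and subjects & set(bound):
            return True, f"allowed by ClusterRole {role!r}"
    return False, (f'User "{user}" cannot {verb} resource "{resource}" '
                   f'in API group "{group}" at the cluster scope')

def demo():
    # The question's request: a user with no matching rule tries to create a binding.
    before = authorize("dev@example.com", [], RBAC, "clusterrolebindings", "create")
    # An identity that already holds the permission grants it by adding a binding.
    granted = BINDINGS + [("cluster-admin", [("User", "dev@example.com")])]
    after = authorize("dev@example.com", [], RBAC, "clusterrolebindings", "create", granted)
    return before, after

if __name__ == "__main__":
    for allowed, message in demo():
        print(allowed, message)
```

The first result is denied because no rule bound to the user covers `create` on `clusterrolebindings`; the binding has to be added by an identity that already has that permission.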