Based on this documentation - https://docs.cloud.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengaboutaccesscontrol.htm I am trying to configure access to Kubernetes for an Oracle Cloud IAM group, but I can only successfully grant access for individual users.
Steps to reproduce (assumes compartment, cluster, OCI CLI and kubectl configured):
1. Create an IAM group: testgroup
2. Create an IAM user: testuser
3. Add the user testuser into the group testgroup
4. Create an IAM policy kubernetes_dev_access with the statement:
Allow group testgroup to use clusters in compartment mycompartment
5. Apply the following RBAC manifest to the cluster:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubernetes_dev_access
rules:
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["create", "get", "update", "list", "delete", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["create", "get", "update", "list", "delete", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes_dev_access_group
subjects:
  - kind: Group
    name: ocid1.group.oc1..aaaaaaaaabababababababababababababababababa
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: kubernetes_dev_access
  apiGroup: rbac.authorization.k8s.io
This should allow my user to successfully list the pods:
kubectl get pods
But I get the following error:
Error from server (Forbidden): pods is forbidden: User "ocid1.group.oc1..aaaaaaaaabababababababababababababababababa" cannot list resource "pods" in API group "" in the namespace "mynamespace"
The crucial lines seem to be:
  - kind: Group
    name: ocid1.group.oc1..aaaaaaaaabababababababababababababababababa
    apiGroup: rbac.authorization.k8s.io
If I replace these lines with the following reference to the specific user it works, i.e. I get the list of pods:
  - kind: User
    name: ocid1.user.oc1..aaaaaaaaaxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyx
    apiGroup: rbac.authorization.k8s.io
Any pointers gratefully appreciated, thanks.
OKE doesn't support groups yet in RBAC. You have to define individual users in RBAC policies.
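The error in the question ("User \"ocid1.group...\" cannot list resource \"pods\"") and the answer above both come down to how the Kubernetes RBAC authorizer matches binding subjects: a `kind: User` subject is compared against the name the authenticator assigned to the caller, while a `kind: Group` subject is compared only against the list of groups the authenticator attached to that caller. If the OKE authenticator does not populate that group list with IAM group OCIDs, a Group binding can never match, no matter what the group OCID is. The following is an added example, not code from the question, the answer or Oracle; it re-implements that matching rule in plain Python (no cluster, no PyYAML) with the question's two manifests transcribed as dicts and the question's placeholder OCIDs, and shows the Group binding failing, the User binding succeeding, and what a populated group list would change. The `UserInfo` model, the `binding()` helper and the names of the functions are this example's own constructions.

```python
from dataclasses import dataclass, field

# Placeholder OCIDs copied from the question (not real identifiers).
GROUP_OCID = "ocid1.group.oc1..aaaaaaaaabababababababababababababababababa"
USER_OCID = "ocid1.user.oc1..aaaaaaaaaxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyx"

# The question's ClusterRole, transcribed from YAML into a dict.
CLUSTER_ROLE = {
    "metadata": {"name": "kubernetes_dev_access"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["create", "get", "update", "list", "delete", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["create", "get", "update", "list", "delete", "watch"]},
    ],
}


def binding(subject_kind, subject_name):
    """A ClusterRoleBinding to the question's ClusterRole with one subject."""
    return {"subjects": [{"kind": subject_kind, "name": subject_name}],
            "roleRef": {"kind": "ClusterRole", "name": "kubernetes_dev_access"}}


@dataclass
class UserInfo:
    """What the authenticator hands the authorizer: a user name and groups."""
    name: str
    groups: list = field(default_factory=list)


def subject_matches(subject, user):
    """RBAC subject matching: User -> user.name, Group -> user.groups,
    ServiceAccount -> the system:serviceaccount:<ns>:<name> user name."""
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == user.name
    if kind == "Group":
        return subject["name"] in user.groups
    if kind == "ServiceAccount":
        sa_name = "system:serviceaccount:%s:%s" % (
            subject.get("namespace", ""), subject["name"])
        return sa_name == user.name
    return False


def rule_allows(rule, verb, api_group, resource):
    """A PolicyRule allows a request when verb, apiGroup and resource all match."""
    return ((verb in rule["verbs"] or "*" in rule["verbs"])
            and (api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (resource in rule["resources"] or "*" in rule["resources"]))


def authorize(user, verb, api_group, resource, roles, bindings):
    """Allow iff some binding whose subjects match the caller references a
    role with a rule that permits the request. Default deny otherwise."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    for b in bindings:
        if not any(subject_matches(s, user) for s in b["subjects"]):
            continue
        role = roles_by_name.get(b["roleRef"]["name"])
        if role and any(rule_allows(r, verb, api_group, resource)
                        for r in role["rules"]):
            return True
    return False


def forbidden_message(user, verb, api_group, resource, namespace):
    """Reproduce the API server's Forbidden text for a denied request."""
    return ('Error from server (Forbidden): %s is forbidden: User "%s" cannot '
            '%s resource "%s" in API group "%s" in the namespace "%s"'
            % (resource, user.name, verb, resource, api_group, namespace))


def check_bindings():
    """Evaluate `kubectl get pods` (verb list, core group) three ways."""
    # A caller authenticated by name only, with no groups attached. This is
    # the situation the answer describes (assumption: the authenticator
    # attaches no IAM group OCIDs).
    caller = UserInfo(name=USER_OCID, groups=[])
    group_bound = authorize(caller, "list", "", "pods",
                            [CLUSTER_ROLE], [binding("Group", GROUP_OCID)])
    user_bound = authorize(caller, "list", "", "pods",
                           [CLUSTER_ROLE], [binding("User", USER_OCID)])
    # What the Group binding needs: the caller's group list containing the
    # IAM group OCID. Hypothetical, to show the matching rule, not OKE behaviour.
    caller_with_group = UserInfo(name=USER_OCID, groups=[GROUP_OCID])
    group_bound_if_populated = authorize(
        caller_with_group, "list", "", "pods",
        [CLUSTER_ROLE], [binding("Group", GROUP_OCID)])
    return {"group_binding": group_bound, "user_binding": user_bound,
            "group_binding_with_groups": group_bound_if_populated}


if __name__ == "__main__":
    print(check_bindings())
    print(forbidden_message(UserInfo(GROUP_OCID), "list", "", "pods", "mynamespace"))
```

On a live cluster the same question can be asked without editing bindings: `kubectl auth can-i list pods --as=<user-name> --as-group=<group-name>` evaluates a request for an impersonated identity with an explicit group list (the caller needs impersonation rights), and `kubectl auth can-i list pods` as the real user shows what the authenticator actually attached. If the impersonated form succeeds and the real one does not, the authenticator is not supplying the groups the binding expects, which is what the answer states for OKE.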