Kubernetes authorization via local groups

4/29/2020

everyone.

I'm wondering whether there is an option to authorize users to access Kubernetes objects via local groups.

Like currently I'm doing this:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-rolebinding
  namespace: mynamespace
subjects:
- kind: User
  name: example-user1 # member of local unix group "authorized"
  apiGroup: rbac.authorization.k8s.io
- kind: User
  name: example-user2 # member of local unix group "authorized"
  apiGroup: rbac.authorization.k8s.io
- kind: User
  name: example-user3 # member of local unix group "authorized"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io

And I am trying to do it this way:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-rolebinding
  namespace: mynamespace
subjects:
- kind: Group
  name: authorized
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io

Is there any option? Or do I want too much from K8s and need to develop something on my own?

Thanks

-- Pavel Perminov
authorization
kubernetes
linux
rbac

1 Answer

4/29/2020

Groups are kind of an opaque construct between the authentication layer and the RBAC system. Whichever authn plugin you are using can tag the request with a username and any number of groups, and then RBAC will use them. But k8s itself doesn’t know what a user or group really is. So, TL;DR: it’s up to your authn configuration and plugin.

-- coderanger
Source: StackOverflow
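As an added illustration of the answer's point (not code from the question or the answer), the sketch below assumes webhook token authentication is the authn plugin in use and shows that plugin tagging a request with the user's local Unix groups in its TokenReview response. The token table and the function names `local_unix_groups`, `user_for_token` and `review` are hypothetical.

```python
import grp
import hmac
import pwd

# Constructed bearer-token table for this example only.
SAMPLE_TOKENS = {"constructed-token-0001": "example-user1"}


def local_unix_groups(username):
    """Primary plus supplementary local Unix groups of `username`."""
    names = {g.gr_name for g in grp.getgrall() if username in g.gr_mem}
    try:
        names.add(grp.getgrgid(pwd.getpwnam(username).pw_gid).gr_name)
    except KeyError:
        pass  # no local account or dangling gid: supplementary groups only
    return sorted(names)


def user_for_token(token, tokens):
    """Map a bearer token to a username using constant-time comparison."""
    for known, username in tokens.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return username
    return None


def review(token_review, tokens=SAMPLE_TOKENS, group_lookup=local_unix_groups):
    """Build the TokenReview response a webhook authenticator sends back."""
    token = (token_review.get("spec") or {}).get("token") or ""
    username = user_for_token(token, tokens)
    response = {
        "apiVersion": token_review.get("apiVersion", "authentication.k8s.io/v1"),
        "kind": "TokenReview",
    }
    if username is None:
        # Fail closed: unknown token gets no username and no groups.
        response["status"] = {"authenticated": False}
    else:
        # These group names are what a `kind: Group` RBAC subject is matched against.
        response["status"] = {
            "authenticated": True,
            "user": {"username": username, "groups": group_lookup(username)},
        }
    return response
```

The groups are read on the host where the webhook runs, so a `kind: Group` subject named `authorized` matches only users that host places in that local group.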