User Authorization
Kubernetes API
To authorize users and groups against the Kubernetes API, the API Server relies on RBAC (Role-Based Access Control), through the use of special API objects:
Roles and ClusterRoles, which define specific permissions on a set of API resources,
RoleBindings and ClusterRoleBindings, which map a user or group to a set of Roles or ClusterRoles.
Note
MetalK8s includes pre-provisioned ClusterRoles. Platform administrators can create new Roles or ClusterRoles or refer to existing ones.
ClusterRoles
Obtain the list of available ClusterRoles.
    root@bootstrap $ kubectl --kubeconfig /etc/kubernetes/admin.conf \
        get clusterroles
Describe a ClusterRole for more information.
    root@bootstrap $ kubectl --kubeconfig /etc/kubernetes/admin.conf \
        describe clusterrole <name>
The pre-provisioned static user admin@metalk8s.invalid is already bound to the cluster-admin ClusterRole, which grants cluster-wide permissions to all exposed APIs.
    root@bootstrap $ kubectl --kubeconfig /etc/kubernetes/admin.conf \
        describe clusterrole cluster-admin
    Name:         cluster-admin
    Labels:       kubernetes.io/bootstrapping=rbac-defaults
    Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
    PolicyRule:
      Resources  Non-Resource URLs  Resource Names  Verbs
      ---------  -----------------  --------------  -----
      *.*        []                 []              [*]
                 [*]                []              [*]
For more information on Kubernetes authorization mechanisms, refer to the RBAC documentation.
ClusterRoleBindings
To bind one or more users to an existing ClusterRole in all namespaces, follow this procedure.
Create a ClusterRoleBinding manifest (role_binding.yaml) from the following template.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: <role-binding-name-of-your-choice>
    subjects:
    - kind: User
      name: <email>
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: <target-cluster-role>
      apiGroup: rbac.authorization.k8s.io
Apply the manifest.
    root@bootstrap $ kubectl --kubeconfig /etc/kubernetes/admin.conf \
        apply -f role_binding.yaml
To bind one or more groups to an existing ClusterRole in all namespaces, follow this procedure.
Create a ClusterRoleBinding manifest (role_binding.yaml) from the following template.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: <role-binding-name-of-your-choice>
    subjects:
    - kind: Group
      name: <group-name>
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: <target-cluster-role>
      apiGroup: rbac.authorization.k8s.io
Apply the manifest.
    root@bootstrap $ kubectl --kubeconfig /etc/kubernetes/admin.conf \
        apply -f role_binding.yaml
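To make concrete how the User and Group bindings above turn into allow/deny decisions, here is an added offline model of the RBAC evaluation the API server performs (example code written for this page, not part of MetalK8s). It uses the cluster-admin rule shown by kubectl describe, a hypothetical narrower pod-reader ClusterRole, the subject names admin@metalk8s.invalid, alice@example.com and the group ops, and omits resourceNames and nonResourceURLs matching.

```python
"""Offline model of Kubernetes RBAC for ClusterRoleBindings (constructed)."""

# Constructed ClusterRoles. cluster-admin is the rule the page shows
# ("*.*" = every resource in every API group, verbs "*"); pod-reader is a
# hypothetical narrow role used to contrast a least-privilege grant.
CLUSTER_ROLES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "pod-reader": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}

# Constructed ClusterRoleBindings following the page's two templates:
# one User subject, one Group subject.
CLUSTER_ROLE_BINDINGS = [
    {"subjects": [{"kind": "User", "name": "admin@metalk8s.invalid"}],
     "roleRef": "cluster-admin"},
    {"subjects": [{"kind": "Group", "name": "ops"}],
     "roleRef": "pod-reader"},
]


def rule_allows(rule, api_group, resource, verb):
    """A rule matches when API group, resource and verb are each listed or '*'."""
    def match(allowed, value):
        return "*" in allowed or value in allowed
    return (match(rule["apiGroups"], api_group)
            and match(rule["resources"], resource)
            and match(rule["verbs"], verb))


def can_i(user, groups, verb, resource, api_group=""):
    """Deny by default: RBAC is purely additive. Allow only if some binding
    names the user (kind User) or one of the user's groups (kind Group)
    and the referenced ClusterRole contains a rule matching the request."""
    for binding in CLUSTER_ROLE_BINDINGS:
        bound = any(
            (s["kind"] == "User" and s["name"] == user)
            or (s["kind"] == "Group" and s["name"] in groups)
            for s in binding["subjects"])
        if not bound:
            continue
        for rule in CLUSTER_ROLES.get(binding["roleRef"], []):
            if rule_allows(rule, api_group, resource, verb):
                return True
    return False
```

On a live cluster the same question is answered by kubectl auth can-i with --as / --as-group, which is the check to run after applying a binding to confirm it grants no more than intended.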
Todo
Describe differences between ClusterRoles and Roles, and between ClusterRoleBindings and RoleBindings
List pre-installed (Cluster)Roles matching our “high-level UI roles” once created