I am currently setting up a cluster for a team. I've setup a hierarchial role based authentication. I've used the Kuberentes role API to define the roles. However, you can only restrict the CRUD operations for the roles.
How can I limit resources like cpu or memory based on roles?
EDIT:
Seems like there is no way to do that directly. Namespaces would have to be created for each role and then ResourceQuotas will have to be applied on them.
I think you need to use Resource Quotas Policy in Kubernetes.
Refer to this link - Resource Quotes
Create different namespace for each team. you should be using ResourceQuota to limit the resources at namepsace level.
Follow the link for help --> ResourceQuota in Kubernetes
Related
could you please support me in understanding how to configure the NetworkPolicy in order to set rule, that only predefined user's role may have access for specific pod (or service)?
I have begun with Kubernetes and read "Kebernetes in action", but didn't found any description how to do it. In general, this request is Authorisation task and only solution (i suppose) is to apply some kind of CustomResourceDefinition and create my own controller for manage the behaviour of CustomNetworkPolicy. Am I on right way, or is there any appropriate solution?
My microservices current equipped with authorisation on application level, but i need to move this task on cluster level. One of a reason is, i.e. I can orchestrate access of users without to change the source code of microservices.
I will be very thankful for some example or clarification
Using NetworkPolicy you can only manage the incoming and outgoing traffic to/from pods. For authorization, you can leverage service mesh which provides many more functionalities without changing your source code. The most famous one is istio (https://istio.io/docs/tasks/security/authorization/authz-http/), you can check more of them.
You could use RBAC to control your cluster access permissions.
This link show how you could use RBAC to restrict a namespace from a specific user.
It works perfectly if you need your pods have a limited access to other pods or resources. You could create a serviceAccount with defined permissions and link this account in your deployment, for example. See this link
References:
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
https://kubernetes.io/docs/reference/access-authn-authz/authorization/
I've a use-case for my REST-API. I'm deploying my REST service to kubernetes. So for Autoscaling my pod, I want to build Horizontal Pod Autoscaler based on custom-metrics like Request-Per-Second. So for that purpose we'll have to create a custom-metrics-adapter like this https://github.com/banzaicloud/banzai-charts/tree/master/kube-metrics-adapter.
But the problem that I'm facing, I don't have access to create any ClusterRole or creating APIService. I just want to know can we deploy this kube-metrics-adapter API at namespace level to which I've access, so that it can provide custom-metrics to HPA. Is it necessary to have this adapter at cluster level?
Looking at the chart, the RBAC templates are hard-coded to use clusterroles. You can't install this chart if tiller doesn't have cluster-level access. You could try modifying the chart to be namespace scoped, but you'll probably need some level of permissions to the metrics API to register your custom metrics.
Ask a cluster admin if you can get the clusterroles put in?
I have an application that is going to monitor and if necessary scale other resources. At the moment I am using the cluster-admin tokens for it to access the k8s api but I want to limit its access to just monitor and scale.
I know that I need to use Role and Rolebinding for this but I have two questions:
Can I use just one user and bind it to a role in different namespaces? I need to run multiple instances of my application in different namespaces on a cluster
Is there a way to create a new k8s user via yaml file and use that to bind the role?
At the end if I am using a wrong approach please let me know because I am somehow newbie in RBAC.
You seem to have the right approach.
Have a look at the documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
From experience always leave resources that are linked inside the same namespace, one user with one clusterrole and rolebinding.
Still in the case of rolebinding, they are not namespaced so you should be able to bind one user by namespace to a single clusterrole. Never tested it myself so you will have to do some testing.
There is still the question of why not just create a single app, with a serviceaccount having access to all namespaces and so one app deployed in a namespace will be able to access all the resources it needs to managed in all the cluster?
Is it possible to have multiple rolebindings on the same service account in k8s?
yes, you can have multiple role bindings for a specific service account.
say, you want to grant read only permissions to SA at cluster level, and read and write permissions at namespace level. in this case you will be creating one role binding at namespace level and another at cluster level
Pardon me for my limited knowledge of k8s. As per k8s best practices we need to run pods in non default namespace. few reasons for this approach is to.
create logical isolation and creating uat, sit,dev environment on
same k8s cluster
default namespace is ok when we are having less than
10 micro services running in same PODs.
do we have any other benefits in terms of security, performance and maintenance point of view?
I would say the best practice is to think about how you will use your cluster and take namespaces into account. So thinking about what you'll run in the cluster, how much resource you want to dedicate to it and who can do what. Namespaces can help with controlling all of these things.
In terms of what you run, it's important that kubernetes object names have to be unique within a namespace. So if you want to run two instances of the same app, then you either install them in different namespaces or distinguish the resource names - helm charts for example default to adding prefixes to ensure uniqueness.
Also role-based access control permissions can be set as namespace-specific and resource usage quotas can be applied to namespaces. So if you had adev namespace on the same cluster as UAT then you could ensure that permissions are more restricted on UAT and that it has more resource availability guaranteed for it.
For more on these points see https://dzone.com/articles/kubernetes-namespaces-explained and https://kubernetes.io/blog/2016/08/kubernetes-namespaces-use-cases-insights/