TL;DR. I'd like to tie a role to a user, and then specify that the user can only access (read/write) cluster A, and not clusters B or C (A, B and C being all under the same Google Cloud project).
On Google Cloud, I have a project with multiple Kubernetes clusters (GKE-based) in it.
I need to add an auditor person to a particular Kubernetes cluster (and make sure he's not able to access other GKE clusters in the project).
So far I've created a "Auditor" role.
Now that I need to attach a role to a particular email account, I'm scratching my head. On the IAM Admin page I can tie a role to a particular email and resource type. But there's nothing that'd indicate I'm tying a role to a particular specific resource.
How do I make sure a particular user email can only access a particular GKE cluster?
Should tying a user to cluster be done from within the cluster A itself? (that'd imply that user won't see clusters B and C). If so, how?
you should apply a custom role that permits only the clusters listing and use RBAC feature of K8s to permit al the auditor tasks on the "A" cluster.
See this docs: https://kubernetes.io/docs/admin/authorization/rbac/
Related
We can check the service accounts in Kubernetes Cluster. Likewise, Is it possible to check the existing users and groups of my Kubernetes cluster with Cluster Admin privileges. If yes then how ? If no then why ?
NOTE: I am using EKS
Posting this as a community wiki, feel free to edit and expand.
This won't answer everything, however there are some concepts and ideas.
In short words there's no easy way. It's not possible to do using kubernetes itself. Reason for this is:
All Kubernetes clusters have two categories of users: service accounts
managed by Kubernetes, and normal users.
It is assumed that a cluster-independent service manages normal users
in the following ways:
an administrator distributing private keys
a user store like Keystone or Google Accounts
a file with a list of usernames and passwords
In this regard, Kubernetes does not have objects which represent normal
user accounts. Normal users cannot be added to a cluster through an
API call.
Source
More details and examples from another answer on SO
As for EKS part which is mentioned, it should be done using AWS IAM in connection to kubernetes RBAC. Below articles about setting up IAM roles in kubernetes cluster. Same way it will be possible to find which role has cluster admin permissions:
Managing users or IAM roles for your cluster
provide access to other IAM users and roles
If another tool is used for identity managing, it should be used (e.g. LDAP)
I recently built an EKS cluster w/ Terraform. In doing that, I Created 3 different roles on the cluster, all mapped to the same AWS IAM Role (the one used to create the cluster)
Now, when I try to manage the cluster, RBAC seems to use the least privileged of these (which I made a view role) that only has read-only access.
Is there anyway to tell config to use the admin role instead of view?
I'm afraid I've hosed this cluster and may need to rebuild it.
Some into
You don't need to create a mapping in K8s for an IAM entity that created an EKS cluster, because by default it will be mapped to "system:masters" K8s group automatically. So, if you want to give additional permissions in a K8s cluster, just map other IAM roles/users.
In EKS, IAM entities are used authentication and K8s RBAC are for authorization purposes. The mapping between them is set in aws-auth configMap in kube-system namespace,
Back to the question
I'm not sure, why K8s may have mapped that IAM user to the least privileged K8s user - it may be the default behaviour (bug?) or due to the mapping record (for view perms) being later in the CM, so it just re-wrote the previous mapping.
Any way, there is no possibility to specify a K8s user to use with such mapping.
Also, if you used eksctl to spin up the cluster, you may try creating a new mapping as per docs, but not sure if that will work.
Some reading reference: #1, #2
I am trying out the capability where 2 pods deployed to the same worker node in EKS are associated to different service accounts. Below are the steps
Each service account is associated to a different role one with access to SQS and other without access.
Used eksutil to associate OIDC provider with cluster and also created iamserviceaccount with service account in kubernetes and role with policy for accessing SQS attached (implicit annotation of service account with IAM role provided by eksctl create iamserviceaccount).
But when I try to start the pod which has service account tied to role with SQS access, I am getting access denied for SQS, however if I add SQS permissions to worker node instance role, its working fine.
Am I missing any steps and is my understanding correct?
So, there are a few things required to get IRSA to work:
There has to be an OIDC provider associated with the cluster, following the directions here.
The IAM role has to have a trust relationship with the OIDC provider, as defined in the AWS CLI example here.
The service account must be annotated with a matching eks.amazonaws.com/role-arn.
The pod must have the appropriate service account specified with a serviceAccountName in its spec, as per the API docs.
The SDK for the app needs to support the AssumeRoleWithWebIdentity API call. Weirdly, the aws-sdk-go-v2 SDK doesn't currently support it at all (the "old" aws-sdk-go does).
It's working with the node role because one of the requirements above isn't met, meaning the credential chain "falls through" to the underlying node role.
Kubernetes RBAC can be used to give permissions to a subject in a particular Namespace. Can the same be accomplished with Cloud IAM?
Not at the moment, no. IAM is used to assign and verify permissions when interacting with GCP APIs. IAM can only provide access to the GKE API, which does not take into account namespaces.
As you mentioned, RBAC is your option for more granular permissions within the cluster
If I got your point correctly that:
The IAM roles for a GKE kubernetes cluster are very simple, "Admin, Read/Write, Read".
But you need more fine-grained control over the kubernetes cluster.
In this case:
There's a new "Alpha" feature in Google Cloud's IAM which wasn't available previously.
Under IAM > Roles
You can now create custom IAM roles with your own subset of permissions.
You can create a minimal role which allows for example gcloud container clusters get-credentials to work, but nothing else, allowing permissions within the kubernetes cluster to be fully managed by RBAC.
It will allow you to get more fine-grained access configurations for kubernetes cluster.
I created a kubernetes cluster under my user account on IBM Bluemix, and added another into my organization. But he can't see my cluster. Is there any other configure?
To manage cluster access, see this link from the IBM Bluemix Container Service documentation. Summarised here:
Managing cluster access
You can grant access to your cluster to other users, so that they can
access the cluster, manage the cluster, and deploy apps to the
cluster.
Every user that works with IBM Bluemix Container Service must be
assigned a service-specific user role in Identity and Access
Management that determines what actions this user can perform.
Identity and Access Management differentiates between the following
access permissions.
IBM Bluemix Container Service access policies
Access policies determine the cluster management actions that you can
perform on a cluster, such as creating or removing clusters, and
adding or removing extra worker nodes.
Cloud Foundry roles
Every user must be assigned a Cloud Foundry user role. This role
determines the actions that the user can perform on the Bluemix
account, such as inviting other users, or viewing the quota usage. To
review the permissions of each role, see Cloud Foundry roles.
RBAC roles
Every user who is assigned an IBM Bluemix Container Service access
policy is automatically assigned an RBAC role. RBAC roles determine
the actions that you can perform on Kubernetes resources inside the
cluster. RBAC roles are set up for the default namespace only. The
cluster administrator can add RBAC roles for other namespaces in the
cluster. See Using RBAC Authorization in the
Kubernetes documentation for more information.