f125a8b892
This change addresses a long-standing issue in rST documentation imported from XML.
That import process added backslash escapes in front of various characters. The three
most common being '(', ')', and '_'.
These instances are removed.
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e
293 lines
9.5 KiB
ReStructuredText
293 lines
9.5 KiB
ReStructuredText
|
|
.. vbz1578928340182
|
|
.. _private-namespace-and-restricted-rbac:
|
|
|
|
=====================================
|
|
Private Namespace and Restricted RBAC
|
|
=====================================
|
|
|
|
A non-admin type user typically does **not** have permissions for any
|
|
cluster-scoped resources and only has read and/or write permissions to
|
|
resources in one or more namespaces.
|
|
|
|
.. rubric:: |context|
|
|
|
|
.. note::
|
|
All of the |RBAC| resources for managing non-admin type users, although
|
|
they may apply to private namespaces, are created in **kube-system**
|
|
such that only admin level users can manager non-admin type users,
|
|
roles, and rolebindings.
|
|
|
|
The following example creates a non-admin service account called dave-user
|
|
with read/write type access to a single private namespace
|
|
\(**billing-dept-ns**).
|
|
|
|
.. note::
|
|
The following example creates and uses ServiceAccounts as the user
|
|
mechanism and subject for the rolebindings, however the procedure
|
|
equally applies to user accounts defined in an external Windows Active
|
|
Directory as the subject of the rolebindings.
|
|
|
|
.. rubric:: |proc|
|
|
|
|
#. If it does not already exist, create a general user role defining
|
|
restricted permissions for general users.
|
|
|
|
This is of the type **ClusterRole** so that it can be used in the
|
|
context of any namespace when binding to a user.
|
|
|
|
|
|
#. Create the user role definition file.
|
|
|
|
.. code-block:: none
|
|
|
|
% cat <<EOF > general-user-clusterrole.yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
# "namespace" omitted since ClusterRoles are not namespaced
|
|
name: general-user
|
|
|
|
rules:
|
|
|
|
# For the core API group (""), allow full access to all resource types
|
|
# EXCEPT for resource policies (limitranges and resourcequotas) only allow read access
|
|
- apiGroups: [""]
|
|
resources: ["bindings", "configmaps", "endpoints", "events", "persistentvolumeclaims", "pods", "podtemplates", "replicationcontrollers", "secrets", "serviceaccounts", "services"]
|
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
|
- apiGroups: [""]
|
|
resources: [ "limitranges", "resourcequotas" ]
|
|
verbs: ["get", "list"]
|
|
|
|
# Allow full access to all resource types of the following explicit list of apiGroups.
|
|
# Notable exceptions here are:
|
|
# ApiGroup ResourceTypes
|
|
# ------- -------------
|
|
# policy podsecuritypolicies, poddisruptionbudgets
|
|
# networking.k8s.io networkpolicies
|
|
# admissionregistration.k8s.io mutatingwebhookconfigurations, validatingwebhookconfigurations
|
|
#
|
|
- apiGroups: ["apps", "batch", "extensions", "autoscaling", "apiextensions.k8s.io", "rbac.authorization.k8s.io"]
|
|
resources: ["*"]
|
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
|
|
|
# Cert Manager API access
|
|
- apiGroups: ["cert-manager.io", "acme.cert-manager.io"]
|
|
resources: ["*"]
|
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
|
|
|
EOF
|
|
|
|
#. Apply the definition.
|
|
|
|
.. code-block:: none
|
|
|
|
~(keystone_admin)$ kubectl apply -f general-user-cluster-role.yaml
|
|
|
|
|
|
#. Create the **billing-dept-ns** namespace, if it does not already exist.
|
|
|
|
.. code-block:: none
|
|
|
|
~(keystone_admin)$ kubectl create namespace billing-dept-ns
|
|
|
|
#. Create both the **dave-user** service account and the namespace-scoped
|
|
RoleBinding.
|
|
|
|
The RoleBinding binds the **general-user** role to the **dave-user**
|
|
ServiceAccount for the **billing-dept-ns** namespace.
|
|
|
|
|
|
#. Create the account definition file.
|
|
|
|
.. code-block:: none
|
|
|
|
% cat <<EOF > dave-user.yaml
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: dave-user
|
|
namespace: kube-system
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
type: kubernetes.io/service-account-token
|
|
metadata:
|
|
name: dave-user-sa-token
|
|
namespace: kube-system
|
|
annotations:
|
|
kubernetes.io/service-account.name: dave-user
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: dave-user
|
|
namespace: billing-dept-ns
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: general-user
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: dave-user
|
|
namespace: kube-system
|
|
EOF
|
|
|
|
#. Apply the definition.
|
|
|
|
.. code-block:: none
|
|
|
|
% kubectl apply -f dave-user.yaml
|
|
|
|
|
|
#. If the user requires use of the local docker registry, create an
|
|
openstack user account for authenticating with the local docker registry.
|
|
|
|
|
|
#. If a project does not already exist for this user, create one.
|
|
|
|
.. code-block:: none
|
|
|
|
% openstack project create billing-dept-ns
|
|
|
|
#. Create an openstack user in this project.
|
|
|
|
.. code-block:: none
|
|
|
|
% openstack user create --password P@ssw0rd \
|
|
--project billing-dept-ns dave-user
|
|
|
|
.. note::
|
|
Substitute a password conforming to your password formatting
|
|
rules for P@ssw0rd.
|
|
|
|
#. Create a secret containing these userid/password credentials for use
|
|
as an ImagePullSecret
|
|
|
|
.. code-block:: none
|
|
|
|
% kubectl create secret docker-registry registry-local-dave-user --docker-server=registry.local:9001 --docker-username=dave-user --docker-password=P@ssw0rd --docker-email=noreply@windriver.com -n billing-dept-ns
|
|
|
|
|
|
dave-user can now push images to registry.local:9001/dave-user/ and use
|
|
these images for pods by adding the secret above as an ImagePullSecret
|
|
in the pod spec.
|
|
|
|
#. If the user requires the ability to create persistentVolumeClaims in his
|
|
namespace, then execute the following commands to enable the rbd-provisioner
|
|
in the user's namespace.
|
|
|
|
|
|
#. Create an RBD namespaces configuration file.
|
|
|
|
.. code-block:: none
|
|
|
|
% cat <<EOF > rbd-namespaces.yaml
|
|
classes:
|
|
- additionalNamespaces: [default, kube-public, billing-dept-ns]
|
|
chunk_size: 64
|
|
crush_rule_name: storage_tier_ruleset
|
|
name: general
|
|
pool_name: kube-rbdkube-system
|
|
replication: 1
|
|
userId: ceph-pool-kube-rbd
|
|
userSecretName: ceph-pool-kube-rbd
|
|
EOF
|
|
|
|
#. Update the helm overrides.
|
|
|
|
.. code-block:: none
|
|
|
|
~(keystone_admin)$ system helm-override-update --reuse-values --values rbd-namespaces.yaml \
|
|
platform-integ-apps rbd-provisioner kube-system
|
|
|
|
#. Apply the application.
|
|
|
|
.. code-block:: none
|
|
|
|
~(keystone_admin)$ system application-apply platform-integ-apps
|
|
|
|
#. Monitor the system for the application-apply to finish
|
|
|
|
.. code-block:: none
|
|
|
|
~(keystone_admin)$ system application-list
|
|
|
|
#. Apply the secret to the new rbd-provisioner namespace.
|
|
|
|
.. code-block:: none
|
|
|
|
~(keystone_admin)$ kubectl get secret ceph-pool-kube-rbd -n default -o yaml | grep -v '^\s*namespace:\s' | kubectl apply -n <namespace> -f -
|
|
|
|
|
|
#. If this user requires the ability to use helm, do the following.
|
|
|
|
|
|
#. Create a ClusterRole for reading namespaces, if one does not already exist.
|
|
|
|
.. code-block:: none
|
|
|
|
% cat <<EOF > namespace-reader-clusterrole.yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: namespace-reader
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["namespaces"]
|
|
verbs: ["get", "watch", "list"]
|
|
EOF
|
|
|
|
Apply the configuration.
|
|
|
|
.. code-block:: none
|
|
|
|
% kubectl apply -f namespace-reader-clusterrole.yaml
|
|
|
|
#. Create a RoleBinding for the tiller account of the user's namespace.
|
|
|
|
.. note::
|
|
|
|
.. xbooklink
|
|
|
|
The tiller account of the user's namespace **must** be named
|
|
'tiller'. See |sysconf-doc|: :ref:`Configure Remote Helm Client
|
|
for Non-Admin Users
|
|
<configure-remote-helm-client-for-non-admin-users>`.
|
|
|
|
.. code-block:: none
|
|
|
|
% cat <<EOF > read-namespaces-billing-dept-ns-tiller.yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: read-namespaces-billing-dept-ns-tiller
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: tiller
|
|
namespace: billing-dept-ns
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: namespace-reader
|
|
apiGroup: rbac.authorization.k8s.io
|
|
EOF
|
|
|
|
Apply the configuration.
|
|
|
|
.. code-block:: none
|
|
|
|
% kubectl apply -f read-namespaces-billing-dept-ns-tiller.yaml
|
|
|
|
|
|
|
|
..
|
|
.. rubric:: |postreq|
|
|
|
|
.. xbooklink
|
|
|
|
See |sysconf-doc|: :ref:`Configure Remote CLI Access
|
|
<configure-remote-cli-access>` for details on how to setup remote CLI
|
|
access using tools such as :command:`kubectl` and :command:`helm` for a
|
|
service account such as this.
|
|
|