Kubernetes RBAC integration and Kublr

Overview

When using Kublr’s UI administrator, access to certain Kubernetes namespaces can be restricted. A common use case is to provide developers with read-only permissions to your production environment (aka namespace in Kubernetes).

Setup

Open the Kublr Platform (or, if you don’t have one yet, create one; refer to our installation guide for guidance).

Go to Keycloak.

On the main Keycloak screen, go to “User” (left menu) and create a new user named “developer” (with “Temporary” disabled and “Email Verified” enabled). Set a password and add the user to the read-only group named “KublrReadOnlyUsers”.

Go to the Kublr UI, create a space, and name it “production”.

Now, go to the Roles tab and add a new role.

Specify the role parameters, as shown in these screenshots.


On “KublrReadOnlyUsers,” click “add role binding” to assign the group (and therefore every user in it, such as “developer”) to the “production” space and grant them access. These users can now observe clusters in prod without being able to execute any actions. You can find more details about Kublr spaces in the Kublr RBAC UI documentation.


Now, switch to the “production” space (top-left menu) and create a cluster (see Installation).

Once you have created a cluster in the “production” space, go to the cluster overview page and click the “Open Web Console” link. This opens a terminal with an embedded kubectl. Use it to create a Kubernetes namespace named “production”.

In the newly created cluster, go to the “Administration” tab, which will allow you to manage Kubernetes RBAC. Open “Role Binding” and click “Add new role binding”.


Fill in the parameters (namespace: production; role: view) and add a subject for the “KublrReadOnlyUsers” group. This maps the Keycloak group (and every user in it) to a Kubernetes role, so all “developer” users get the “view” role in the “production” namespace of the cluster.


Now create an additional Kubernetes role binding so users can see the list of all namespaces in the cluster, including those they don’t have access to. Go to “Roles” and create a new role, then assign that role to the subject “KublrReadOnlyUsers”.

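The objects the two role-binding steps above create, written out as plain Kubernetes manifests so the result can be inspected and verified with kubectl. This is an added example, not from the Kublr documentation; the group name as Kubernetes sees it and the rules of the namespace-listing role are assumptions, since the page does not show them.

```yaml
# Namespace that the read-only developers are allowed to view
apiVersion: v1
kind: Namespace
metadata:
  name: production
---
# Namespaced binding: the built-in ClusterRole "view" granted only inside "production".
# "view" is read-only (get/list/watch) and deliberately excludes Secrets and RBAC objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kublr-readonly-view
  namespace: production
subjects:
- kind: Group
  name: KublrReadOnlyUsers   # assumption: the Keycloak group claim arrives under this name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide role that only lets the group enumerate namespaces, nothing inside them.
# The rules are an assumption; the page does not list the role's contents.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-lister
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kublr-readonly-namespace-lister
subjects:
- kind: Group
  name: KublrReadOnlyUsers   # same assumed group name as above
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: namespace-lister
  apiGroup: rbac.authorization.k8s.io
```

To confirm the boundary before handing out credentials, impersonate the group from an admin session: `kubectl auth can-i list pods -n production --as=developer --as-group=KublrReadOnlyUsers` should answer `yes`, while `kubectl auth can-i delete pods -n production --as=developer --as-group=KublrReadOnlyUsers` and `kubectl auth can-i list pods -n default --as=developer --as-group=KublrReadOnlyUsers` should both answer `no`.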

Your setup is ready. Log out as admin and log back in as “developer”. Go to the cluster overview page and click the “Open Dashboard” link. You’ll see a list of all resources under the “production” namespace. But if you try to delete something, you’ll get this message:


Additionally, you won’t be able to list resources in any other namespace.
