Kubernetes RBAC Integration

Kubernetes RBAC Integration

Overview

Kublr provides a convenient UI for Kubernetes RBAC management. This article described how access to certain Kubernetes namespaces can be restricted using this UI. A common use-case is to provide developers with read-only permissions to your production environment (aka namespace in Kubernetes).

Setup

  1. Open the Kublr Platform (or, if you don’t have one yet, create one. Please refer to Kublr installation manuals for instructions).
  2. Go to Keycloak. Open Keycloak Screen
  3. In the main Keycloak screen, go to “User” (left menu) and create a new user named “developer” (disable temporary, set email verified). Set a password and add the user to the read-only group named “KublrReadOnlyUsers”. Add_read_only
  4. Go to the Kublr UI, create a space, and name it “production”. Add_read_only
  5. Now, go to the Roles tab and add a new role. Add_role
  6. Specify the role parameters, as shown in these screenshots. Add_role Add_role Add_role
  7. On “KublrReadOnlyUsers,” click “add role binging” to assign the group (e.g., all users named “developer”) to the “production” space and grant them access. These users can now observe clusters in prod without being able to execute any actions. You can find more details about Kublr spaces here Kublr RBAC UI Add_role Add_role
  8. Now, switch to the “production” space (top-left menu) and create a cluster (refer to installation manuals for more information).
  9. Once you created a cluster in the “production” space, go to the cluster overview page and click on the “Open Web Console” link. This will open a terminal with the embedded kubectl. Use it to create a Kubernetes namespace and name it “production”. web_console
  10. In the newly created cluster, go to the ADMINISTRATION tab, which will allow you to manage Kubernetes RBAC.
  11. Use the ROLE BINDING sub-tab.
  12. Click ADD NEW ROLE BINDING. Add New Role Binding
  13. Fill in the parameters (namespace - production, select role - view), add a subject for the “KublrReadOnlyUsers” group, and assign it a Kubernetes role in Keycloak (and all users in the group). That way, all “developer” users will have a “view role” in the “production” namespace of the cluster. Add_role Add_role
  14. Now you’ll need to create an additional Kubernetes role binding to allow users to see all namespaces in the Kubernetes cluster, including those they don’t have access to. Go to “Roles” and create a new role. Then, assign that role to the subject “KublrReadOnlyUsers” Add_role Add_role

Your setup is ready. Logout as admin and in again as “developer”. Go to the cluster overview page and click on the “Open Dashboard” link. You’ll see a list of all resources under the “production” namespace. But if you try to delete something, you’ll get this message:

Add_role

Additionally, you won’t be able to list resources in any other namespace.

Add_role