@joshwget
Last active May 4, 2017 21:43
Rancher Kubernetes RBAC

Rancher integrates with the native RBAC functionality in Kubernetes.

Relationship to Rancher roles

Owners of an environment will be automatically given complete access to the cluster. All other users begin with no access to the cluster.

Removing a Rancher user from an environment will remove their access to the cluster.

Generating a kubeconfig

On the Kubernetes > CLI page there is a button that will generate a kubeconfig file. This file will allow you to access the Kubernetes cluster via kubectl and namespace-manager with the permission level associated with your user.

Managing with namespace-manager

namespace-manager is a simple CLI that supports three commands for managing RBAC at the namespace level. It can be downloaded from the releases page.

The kubeconfig flag can be used to point to the kubeconfig file used to access the cluster. The default is ~/.kube/config.

namespace-manager create will create a new namespace. For example, namespace-manager create dev will create a namespace named "dev".

namespace-manager add will add a user to an existing namespace with a specified role. For example, namespace-manager add example dev --role=edit will add user "example" to the dev namespace with the edit role.

There are three possible roles that can be given:

  • admin - Complete access to the namespace, including managing its RBAC policies
  • edit - Read/write access to most resources in the namespace, except for modifying RBAC policies
  • view - Read-only access to the namespace

namespace-manager remove will revoke all of a user's access to a namespace. For example, namespace-manager remove example dev will take away the permissions given in the last command.

Managing namespaces with kubectl

Namespaces can also be managed directly with kubectl.

For example, the following manifest will give user "example" edit (read/write) access to the "qa" namespace by binding the built-in edit ClusterRole; for read-only access, reference the view ClusterRole instead.

# RoleBinding: grants the cluster-wide "edit" ClusterRole to user "example",
# but only within the "qa" namespace (a RoleBinding is namespaced).
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: edit-qa
  namespace: qa
subjects:
  - kind: User
    name: example
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io

This manifest can be applied by running kubectl apply -f <file>. If this file is later updated (possibly to add or remove a user) it can be reapplied with the same command. Kubernetes will determine the differences and make the necessary adjustments.
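The kubectl workflow above, and the three roles described under namespace-manager, as an added helper script that is not part of the gist or of namespace-manager. It renders a RoleBinding for a user, applies it, and then uses kubectl impersonation (--as) to check that the role grants and withholds what the role list says, and that the grant stays inside the target namespace. It assumes kubectl on PATH, a kubeconfig generated from the Rancher Kubernetes > CLI page, and the stable rbac.authorization.k8s.io/v1 API (the gist's manifest uses v1alpha1).

```shell
#!/bin/sh
# Added helper (not part of the gist or namespace-manager); assumes kubectl on PATH.
set -eu

# Render a RoleBinding that grants one of the three namespace-level roles to a user.
# Uses the stable rbac.authorization.k8s.io/v1 API (the gist's manifest uses v1alpha1).
render_rolebinding() {  # usage: render_rolebinding <user> <namespace> <admin|edit|view>
  user=$1; ns=$2; role=$3
  case "$role" in
    admin|edit|view) ;;
    *) echo "unsupported role '$role' (expected admin, edit or view)" >&2; return 1 ;;
  esac
  cat <<EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${role}-${ns}-${user}
  namespace: ${ns}
subjects:
  - kind: User
    name: ${user}
roleRef:
  kind: ClusterRole
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Assert what the user can or cannot do, via impersonation instead of their credentials.
expect() {  # usage: expect <yes|no> <verb> <resource>   (reads $user $ns $kubeconfig)
  want=$1; verb=$2; res=$3; got=no
  kubectl --kubeconfig="$kubeconfig" auth can-i "$verb" "$res" --as="$user" -n "$ns" -q && got=yes
  [ "$got" = "$want" ] || { echo "FAIL: $user $verb $res in $ns: want $want, got $got" >&2; return 1; }
}

# Apply the binding, then verify the role really grants (and withholds) what the role list says.
grant_and_verify() {  # usage: grant_and_verify <user> <namespace> <role> [kubeconfig]
  user=$1; ns=$2; role=$3; kubeconfig=${4:-$HOME/.kube/config}
  render_rolebinding "$user" "$ns" "$role" | kubectl --kubeconfig="$kubeconfig" apply -f -
  expect yes list pods
  case "$role" in
    admin) expect yes create deployments; expect yes create rolebindings ;;
    edit)  expect yes create deployments; expect no  create rolebindings ;;
    view)  expect no  create deployments; expect no  create rolebindings ;;
  esac
  # The binding is namespaced, so the grant must not leak into other namespaces.
  if kubectl --kubeconfig="$kubeconfig" auth can-i list pods --as="$user" -n kube-system -q; then
    echo "FAIL: $user can also list pods in kube-system; check for other bindings" >&2; return 1
  fi
}
```

Source the script and call, for example, `grant_and_verify example qa view` to reproduce `namespace-manager add example qa --role=view` with kubectl and confirm the result.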

Known Issues

The current implementation has the following known issues.

  1. The unsecured port of Kubernetes is still open within the Rancher network. This port is not subject to RBAC policies and so anyone connecting to it will have complete access to the cluster.
  2. Helm/Tiller do not yet support RBAC and so they have complete access to the cluster.
  3. Only local auth is currently supported.