Rancher integrates with the native RBAC functionality in Kubernetes.
Owners of an environment will be automatically given complete access to the cluster. All other users begin with no access to the cluster.
Removing a Rancher user from an environment will remove their access to the cluster.
On the Kubernetes > CLI page there is a button that will generate a kubeconfig file. This file will allow you to access the Kubernetes cluster via kubectl and namespace-manager with the permission level associated with your user.
namespace-manager is a simple CLI that supports three commands for managing RBAC at the namespace level. It can be downloaded from the releases page.
The kubeconfig flag can be used to point to the kubeconfig file used to access the cluster. The default is ~/.kube/config.
namespace-manager create will create a new namespace. For example, namespace-manager create dev will create a namespace named "dev".
namespace-manager add will add a user to an existing namespace with a specified role. For example, namespace-manager add example dev --role=edit will add user "example" to the dev namespace with the edit role.
There are three possible roles that can be given:
- admin: Complete access to the namespace
- edit: Access to write to most fields, except for modifying RBAC policies
- view: Read-only access to the namespace
namespace-manager remove will revoke all of a user's access to a namespace. For example, namespace-manager remove example dev will take away the permissions given in the last command.
Namespaces can also be managed directly with kubectl.
For example, the following manifest will give user "example" read access to the "qa" namespace.
    kind: RoleBinding
    # rbac.authorization.k8s.io/v1 is the current API version; v1alpha1 (as in
    # the original) is only served by older clusters.
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: view-qa
      namespace: qa
    subjects:
    - kind: User
      name: example
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      # "view" is the read-only ClusterRole; "edit" (as in the original) would
      # also allow writes, which is more than the read access described above.
      name: view
      apiGroup: rbac.authorization.k8s.io
This manifest can be applied by running kubectl apply -f <file>. If this file is later updated (possibly to add or remove a user) it can be reapplied with the same command. Kubernetes will determine the differences and make the necessary adjustments.
The current implementation has the following known issues:
- The unsecured (unauthenticated, non-TLS) port of the Kubernetes API server is still open within the Rancher network. This port is not subject to RBAC policies, so anyone connecting to it will have complete access to the cluster.
- Helm/Tiller do not yet support RBAC, so they have complete access to the cluster.
- Only local auth is currently supported.