Configure users, roles, and groups

Rackspace Kubernetes-as-a-Service (KaaS) uses role-based access control (RBAC) to regulate access to resources within a Kubernetes cluster. A User, Group, or ServiceAccount is bound to a Role that defines the permissions for the user within the cluster or namespace.

Add a user with cluster-wide privileges

By default, Rackspace KaaS is shipped with the cluster-admin Kubernetes superuser preconfigured. Depending on your environment requirements, you might need to add users with different sets of permissions. Kubernetes RBAC enables you to configure users with read-write, read-only, and namespace admin permissions. For more information, see User-facing roles.

To add a user with cluster-wide privileges, complete the following steps:

  1. Create an OpenStack user as described in Isolate a user to a specific namespace.

  2. Create an OpenStack role by using the Horizon Dashboard or OpenStack CLI:

    # openstack role create k8s-view
    +-----------+----------------------------------+
    | Field     | Value                            |
    +-----------+----------------------------------+
    | domain_id | None                             |
    | id        | f544dcf25bc047398d3a8581fc907f51 |
    | name      | k8s-view                         |
    +-----------+----------------------------------+
    
  3. Assign the OpenStack role to the user by using the Horizon Dashboard or OpenStack CLI:

    # openstack role add --project <projectID> --user <userID> f544dcf25bc047398d3a8581fc907f51
    
  4. Grant the user RBAC view privileges by creating a ClusterRoleBinding that uses the role ID from the previous output as the name of the Group subject:

    $ kubectl create -f- <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: "rackspace:view"
    subjects:
    - kind: Group
      apiGroup: rbac.authorization.k8s.io
      name: f544dcf25bc047398d3a8581fc907f51
    roleRef:
      kind: ClusterRole
      name: view
      apiGroup: rbac.authorization.k8s.io
    EOF
    clusterrolebinding "rackspace:view" created
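
To confirm that the binding grants read-only access and nothing more, you can probe the group's effective permissions with `kubectl auth can-i` and impersonation. The following script is an added example, not part of the Rackspace KaaS tooling. It assumes that the account running it is allowed to impersonate users and groups (for example, the preconfigured cluster-admin); the function names and the `rbac-check` user name are placeholders.

```shell
#!/bin/sh
# Added example. KUBECTL can be overridden (for example, with a wrapper or stub).
KUBECTL="${KUBECTL:-kubectl}"

# can_i GROUP VERB RESOURCE
# Exit 0 if a member of GROUP may perform VERB on RESOURCE in all namespaces.
# "rbac-check" is a placeholder user name: --as-group requires --as, and
# only the group matters for the binding created in step 4.
can_i() {
    $KUBECTL auth can-i "$2" "$3" --all-namespaces \
        --as=rbac-check --as-group="$1" --quiet
}

# check_view_only GROUP
# Exit 0 only if GROUP can read but cannot write, read Secrets, or change RBAC.
check_view_only() {
    group="$1"
    rc=0
    # Reads that the built-in "view" ClusterRole should allow.
    for probe in "get pods" "list deployments" "watch services"; do
        set -- $probe
        can_i "$group" "$1" "$2" || { echo "MISSING: $probe"; rc=1; }
    done
    # Actions "view" must not allow; it deliberately excludes Secrets.
    for probe in "create pods" "delete deployments" "get secrets" \
                 "create clusterrolebindings"; do
        set -- $probe
        if can_i "$group" "$1" "$2"; then
            echo "EXCESS: $probe"
            rc=1
        fi
    done
    return "$rc"
}

# Usage, with the role ID from step 2:
#   check_view_only f544dcf25bc047398d3a8581fc907f51 && echo "view-only OK"
```

Any `EXCESS` line means the group holds more than the `view` ClusterRole through some other binding, which is worth tracing before you hand out the OpenStack role.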