Configure Kubernetes users#

During the Kubernetes cluster deployment, Rackspace KaaS automatically creates an OpenStack role called <cluster-name>-cluster-admins and a role binding that grants all OpenStack users with this role super-user privileges over the Kubernetes cluster. By default, one user is added to that group. If you need to have users with different sets of permissions, you can create a new OpenStack role and map it to a Kubernetes role with the required access. For more information about Kubernetes roles, see User-facing roles.

For example, you might need to create a user with administrative permissions in a specific namespace and disable access to other namespaces for that user. Follow the instructions in this section to configure access to your Kubernetes cluster for non-admin users.

Create a namespace#

In a Kubernetes cluster, namespaces provide a logical layer of isolation between users and groups of users. Namespaces enable you to assign resource quotas and security limits to your workloads and users, as well as establish organizational, procedural, and security boundaries.

To create a Kubernetes namespace, run the following commands:

  1. Create a namespace:

    $ kubectl create namespace foo-dev
      namespace "foo-dev" created
    
  2. Optionally, define a NetworkPolicy for the namespace.

    See Configure network policies. Although, this step is optional, a network policy ensures an additional level of security in a multi-tenant environment.

Create an OpenStack role#

By default, Rackspace KaaS creates an administrative cluster role for your Kubernetes cluster. You need to create a separate OpenStack role for normal OpenStack users who do not have cluster-wide super-user privileges.

To create an OpenStack role, complete the following steps:

  • Using the OpenStack Dashboard:

    1. Log in to the OpenStack Dashboard as administrator.
    2. Navigate to Identity > Roles.
    3. Click +Create Role.
    4. Type a name for the role, such as kubernetes-users.
    5. Click Create Role.
  • Using OpenStackClient:

    # openstack role create test-kubernetes-users
    

    Example of system response:

    +-----------+----------------------------------+
    | Field     | Value                            |
    +-----------+----------------------------------+
    | domain_id | None                             |
    | id        | 6ebda45945a743c58a0f56b93b08d9a6 |
    | name      | test-kubernetes-users            |
    +-----------+----------------------------------+
    

Assign the role to an OpenStack user#

You need to create OpenStack users who can access the Kubernetes cluster and assign a primary project and the role created in previous section to that user. When you assign a primary project to an OpenStack user, the user gets the corresponding privileges in that project. Therefore, the user might be able to log in to that project in the OpenStack Dashboard, view resources, modify parameters of the OpenStack project, and perform other actions. If you do not want the user to have access to the OpenStack project associated with the Kubernetes cluster and only have access to the Kubernetes cluster itself, you need to first create an empty OpenStack project and then select that project as user’s primary project. If you do not assign any primary project, then the users might not be able to execute some of the necessary administrative actions, such as changing their OpenStack password and so on. To modify the primary project and the role for existing users, use the following OpenStackCLient commands.

To create a user and assign a role to the user, complete the following steps:

  • Using OpenStack Dashboard:

    1. Log in to the OpenStack Dashboard as administrator.
    2. Navigate to Identity > Users.
    3. Click +Create User.
    4. Fill in the fields as needed ensuring the following fields have these values:
      • Role: <your-role>
      • Primary Project: <your-openstack-project>
    5. Click Create User.
  • Using OpenStackClient:

    1. Create a user:

      $ openstack user create --project <openstack-projectID> --password <password> <username>
      

      Example of system response:

      +---------------------+----------------------------------+
      | Field               | Value                            |
      +---------------------+----------------------------------+
      | default_project_id  | ca2702e933be45238c481c72f44a1c90 |
      | domain_id           | default                          |
      | enabled             | True                             |
      | id                  | aeb87e7112cd4fd29e5f753ecff4154d |
      | name                | test                             |
      | password_expires_at | None                             |
      +---------------------+----------------------------------+
      
    2. Obtain the user ID:

      # openstack user list
      

      Note

      You must use the credentials for this OpenStack password to be be able to run some of these commands. If you get the following error, see Perform OpenStack operations from your local machine: You are not authorized to perform the requested action.

    3. Obtain the role ID:

      # openstack role list
      
    4. Obtain the OpenStack project ID:

      # openstack project list
      
    5. Map the user to the specific role and project:

      # openstack role add --project <projectID> --user <userID> <roleID>
      

Map an OpenStack user role to a Kubernetes role#

After you have created an OpenStack role and OpenStack users, you can map that role to a Kubernetes role to grant OpenStack users a required set of permissions in a selected namespace. You can do so by either creating a role binding manually as described in Role binding or using the KaaS Control Panel.

To create a role binding using the control panel, complete the following steps:

  1. Log in to the KaaS Control Panel as an OpenStack administrator for the required cluster.
  2. In the left navigation menu, verify that you are displaying the dashboard for the required Kubernetes cluster. If you have only one cluster, you should see My cluster.
  3. In the Administration menu, click Namespaces.
  4. Select a namespace in which you want to create an access rule. For example, default.
  5. Click Add Access Rule.
  6. In the New access rule field, type a name for the new rule.
  7. In the Choose a group field, select the rule you have created in Create an OpenStack role.
  8. In the Choose a role field, select a Kubernetes role.

You can select from the following options:

  • cluster-admin - enables super-user access to all resources in the Kubernetes cluster.
  • admin - enables read and write access to most operations in the namespace, except for creating resource quotas or modifying the namespace itself.
  • edit - enables read and write access to most operations, except for creating and modifying roles and role bindings.
  • view - enables read access to most objects, except for the roles, role bindings, and secrets.

For more information about Kubernetes roles, see User-facing roles.

Role binding#

Role bindings enable users from third-party systems, such as OpenStack, to access your Kubernetes cluster. For example, you can give the user administrative privileges in the created namespace by configuring a RoleBinding:

$ kubectl create -f- <<EOF
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    namespace: foo-dev
    name: foo-admin
  roleRef:
    kind: ClusterRole
    name: admin
    apiGroup: rbac.authorization.k8s.io
  subjects:
  - kind: User
    name: foo
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: system:serviceaccounts:foo-dev
    apiGroup: rbac.authorization.k8s.io
  EOF
  rolebinding "foo-admin" created

The user foo now has the predefined Kubernetes admin role within foo-dev, which permits the creation of all resources inside of foo-dev. The user is restricted from creating resources outside of the foo-dev namespace, as well as from using certain Pod features, which is described in Configure Pod security policies. The user can download the kubeconfig file from the KaaS Control Panel to access the cluster API.

For more information about role bindings, see Kubernetes documentation.