Configure Kubernetes users#

To simplify the management of users within Kubernetes, Rackspace has mapped Kubernetes authentication to pull from the OpenStack Identity service (keystone) giving an organization a single place to manage users for OpenStack and Kubernetes.

By default, Rackspace KaaS configures a single OpenStack role called <cluster-name>-cluster-admins which grants super-user privileges to the entire Kubernetes cluster. To add additional permissions for your organization, you need to create new roles and map them appropriately.

For more information about Kubernetes role-based access control (RBAC), see the upstream documentation: User-facing roles.

The example in this section walks you through the creation of a new Kubernetes namespace, the creation of a new Kubernetes role with admin privileges to that namespace, and assigning that role to an OpenStack user. One use case for this example is granting your developers admin privileges to a specific namespace devoted only to testing and development purposes. Follow the instructions in this section to configure a new namespace and enable admin access to it for users.

Create an OpenStack role#

First, configure the OpenStack portions of this use case, starting with creating the role in OpenStack. The role gives the user permissions to interact with the resources in a particular project.

If you are unfamiliar with keystone, see the upstream OpenStack Identity service documentation

Create the OpenStack role or use an existing role, and note the role’s ID.

To create an OpenStack role, complete the following steps:

  • Using the OpenStack Dashboard, complete these steps:

    1. Log in to the OpenStack Dashboard as administrator.
    2. Navigate to Identity > Roles.
    3. Click +Create Role.
    4. Type a name for the role, such as kubernetes-users.
    5. Click Create Role.
  • Using the OpenStackClient, complete these steps:

    # openstack role create test-kubernetes-users
    

    Example of system response:

    +-----------+----------------------------------+
    | Field     | Value                            |
    +-----------+----------------------------------+
    | domain_id | None                             |
    | id        | 6ebda45945a743c58a0f56b93b08d9a6 |
    | name      | test-kubernetes-users            |
    +-----------+----------------------------------+
    

Create a user and assign the role#

After you create the role as described in Create an OpenStack role, you need to create a new user and assign that user to a project and the desired role.

Note

OpenStack users are assigned to a particular project. Each project owns a set of resources such as compute, storage, and so on. You need to assign each newly created user to a pre-existing primary project. If you want this user to have access only to the Kubernetes cluster, you can use the provided Kubernetes project or create a new empty project.

To create a user and assign a role to the user, complete the following steps:

  • Using the OpenStack Dashboard, complete these steps:

    1. Log in to the OpenStack Dashboard as administrator.
    2. Navigate to Identity > Users.
    3. Click +Create User.
    4. Fill in the fields as needed ensuring the following fields have these values:
      • Role: <your-role>
      • Primary Project: <your-openstack-project>
    5. Click Create User.
  • Using the OpenStackClient, complete these steps:

    1. Create a user:

      $ openstack user create --project <openstack-projectID> --password <password> <username>
      

      Example of system response:

      +---------------------+----------------------------------+
      | Field               | Value                            |
      +---------------------+----------------------------------+
      | default_project_id  | ca2702e933be45238c481c72f44a1c90 |
      | domain_id           | default                          |
      | enabled             | True                             |
      | id                  | aeb87e7112cd4fd29e5f753ecff4154d |
      | name                | test                             |
      | password_expires_at | None                             |
      +---------------------+----------------------------------+
      
    2. Obtain the user ID:

      # openstack user list
      

If you need to obtain the user, project, or role ID, you can use the following commands or obtain them from the OpenStack dashboard:

  1. Map the user to the specific role and project:

    # openstack role add --project <projectID> --user <userID> <roleID>
    
  2. Obtain the role ID:

    # openstack role list
    
  3. Obtain the OpenStack project ID:

    # openstack project list
    

Create a namespace in Kubernetes#

After completing the OpenStack part of the configuration, proceed to the Kubernetes part. In a Kubernetes cluster, namespaces provide a logical layer of isolation between users and groups of users. Namespaces enable you to assign resource quotas and security limits to your workloads and users, as well as establish organizational, procedural, and security boundaries within that namespace.

For more information about Kubernetes namespaces, see the Kubernetes documentation.

You need to create the namespace before you create the Kubernetes role.

To create a Kubernetes namespace, run the following commands:

  • Using kubectl, complete these steps:

    1. Create a Kubernetes namespace by running the following command:

      $ kubectl create namespace foo-dev
        namespace "foo-dev" created
      
    2. Optionally, define a NetworkPolicy for the namespace.

      See Configure network policies. Although this step is optional, a network policy ensures an additional level of security in a multi-tenant environment.

  • Using the KaaS Control Panel, complete these steps:

    1. Log in to the KaaS Control Panel.
    2. In the left navigation menu, select your Kubernetes cluster. If you have only one cluster, it is displayed automatically.
    3. Select Administration > Namespaces.
    4. Click Create Namespace.
    5. Type the name of your namespace.
    6. Optionally, assign a label to your namespace. Labels help you to organize your Kubernetes resources. For more information about labels, see Labels and selectors in the upstream Kubernetes documentation.
    7. Click Save Changes.
  • Using the Kubernetes dashboard, complete these steps:

    1. Log in to the Kubernetes Web UI by accessing https://dashboard.<cluster-name>.<domain-name>. from your web browser. Use your KaaS token to log in.

    2. In the upper right corner, click + Create.

    3. Insert or upload the namespace definition from a YAML or JSON file.

      Example:

      apiVersion: v1
      kind: Namespace
      metadata:
        name: mynamespace
      
    4. Under Cluster > Namespaces, check that the namespace was created.

Create a Kubernetes role and map it to an OpenStack role#

After you have created an OpenStack role and OpenStack users, you can map that role to a Kubernetes role to grant OpenStack users a required set of permissions in a selected namespace. You can do so by either creating a role binding manually as described in Create a Kubernetes role binding by using kubectl or using the KaaS Control Panel.

To create a role binding using the control panel, complete the following steps:

  1. Log in to the KaaS Control Panel as an OpenStack administrator for the required cluster.
  2. In the left navigation menu, verify that you are displaying the dashboard for the required Kubernetes cluster. If you have only one cluster, you should see My cluster.
  3. In the Administration menu, click Namespaces.
  4. Select a namespace in which you want to create an access rule. For example, default.
  5. Click Add Role Binding.
  6. In the New role binding field, type a name for the new rule.
  7. In the Choose a group field, select the rule you have created in Create an OpenStack role.
  8. In the Choose a role field, select a Kubernetes role.

You can select from the following options:

  • cluster-admin - enables super-user access to all resources in the Kubernetes cluster.
  • admin - enables read and write access to most operations in the namespace, except for creating resource quotas or modifying the namespace itself.
  • edit - enables read and write access to most operations, except for creating and modifying roles and role bindings.
  • view - enables read access to most objects, except for the roles, role bindings, and secrets.

For more information about Kubernetes roles, see User-facing roles.

Create a Kubernetes role binding by using kubectl#

Role bindings enable users from third-party systems, such as OpenStack, to access your Kubernetes cluster. For example, you can give the user administrative privileges in the created namespace by configuring a RoleBinding:

$ cat <<EOF | kubectl create -f -
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    namespace: foo-dev
    name: foo-admin
  roleRef:
    kind: ClusterRole
    name: admin
    apiGroup: rbac.authorization.k8s.io
  subjects:
  - kind: User
    name: foo
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: <OpenStack role ID>
    apiGroup: rbac.authorization.k8s.io
  EOF
  rolebinding "foo-admin" created

The user foo now has the predefined Kubernetes admin role within foo-dev, which permits the creation of all resources inside of foo-dev. The user is restricted from creating resources outside of the foo-dev namespace, as well as from using certain Pod features, which is described in Configure Pod security policies. The user can download the kubeconfig file from the KaaS Control Panel to access the cluster API.

For more information about role bindings, see Kubernetes documentation.