Manage RBAC
This topic describes how to apply role-based access control (RBAC) for a slice to secure the namespaces accessibility. RBAC is a method to manage users' access to resources based on their roles in a company.
KubeSlice is shipped with two role templates, reader-role-template and deployment-role-template. You can use them directly,
create your own roles from the templates or even create K8s roles to provide access to users or groups.
KubeSlice supports creating roles to suit your requirements and assigning those roles to users/groups and manage accessibility of onboarded namespaces in a slice.
Prerequisites
Before you begin, ensure that the following requirements are met:
- The slice to which you want to assign roles is created and namespaces are onboarded on it.
- One of the supported authentication strategies is set up on the worker clusters, and users/groups have access to the worker clusters.
In order to Manage RBAC with KubeSlice IdP integration must be configured.
Supported Authentication Strategies
For RBAC to be implemented for a user/group, Kubernetes supports the following authentication strategies:
- X509 Client Certs
- OpenID Connect Tokens
- Webhook Token Authentication
- Authenticating Proxy
- User impersonation
You can implement one or more strategies for your worker clusters and allow users to access
the clusters. For more information, see Kubernetes authentication strategies.
Configure Identity Provider
For instruction on Identity Provider configuration, see KubeSlice Manager:Integrations.
Create a Role using the SliceRoleTemplate
We provide a SliceRoleTemplate custom resource definition (CRD) to create roles in your project namespace.
Although you can use native Kubernetes (K8s) roles for role assignments, we recommend you use the SliceRoleTemplate CRD for the following benefits:
- You can modify or delete a role and the changes propagates to all worker clusters instantly.
- The roles are project namespace scoped, that is you cannot use a role created using the slice role template in any other namespaces.
- Only cluster admins can modify roles.
- Deleting a role automatically removes it from the slice it is associated to thus removing access from all users/groups using that role.
- You can manage this role using the KubeSlice Manager.
Create a Role Template YAML
Create a role YAML file read-only-role.yaml using the following template in your
project namespace. The role defines get, list, and watch access to pods.
To know more about the configuration details, see slice parameters
apiVersion: controller.kubeslice.io/v1alpha1
kind: SliceRoleTemplate
metadata:
name: read-only-role
rules:
- apiGroups:
- '' # empty string represents Core API group
resources:
- pods
verbs:
- get
- list
- watch
You cannot use an asterisk * to represent all API groups for the apiGroups parameter.
Apply the Role Configuration YAML File
Apply the role configuration YAML file using the following command:
kubectl apply -f read-only-role.yaml -n <project namespace>
Validate the Role Creation
Validate the role creation using the following command:
kubectl get sliceroletemplates.controller.kubeslice.io -n kubeslice-<project-name>
Example
kubectl get sliceroletemplates.controller.kubeslice.io -n kubeslice-avesha
Expected Output
NAME AGE
read-only-role 20s
deployment-role-template 112m
reader-role-template 112m
Edit a Role
You can edit a role configuration file to modify the existing rules set in the YAML file by
using the kubectl edit command or by modifying the file and re-applying.
After modifying the YAML file, you must:
- Apply the YAML file for the new configuration to be effective.
- Validate the role configuration that you have changed.
Import an Existing Kubernetes Role into the Project Namespace
You can create a new Kubernetes role
in the project namespace or you can import a Kubernetes role from another namespace into
your project namespace and use it for assignment to a slice. For example, let us assume that
you want to import myrole from the ns-1 namespace into the kubeslice-avesha project namespace.
Export a Kubernetes Role into a File
Use the following command to export the role into a file.
kubectl get role myrole -n ns-1 -o yaml > myrole.yaml
This command execution generates a file called myrole.yaml.
Apply the Kubernetes Role Configuration
Before applying the exported role configuration file, you must:
- Open the configuration (
myrole.yaml) file in a text editor. - Remove
uid,namespace,creationTimestampandresourceVersionfrom themetadataobject. - Save this edited file.
Apply the modified role configuration YAML file using the following command:
kubectl apply -f myrole.yaml -n kubeslice-avesha
Validate the Imported Native Kubernetes Role
Validate the newly created K8s role using the following command:
kubectl get role myrole -n kubeslice-avesha
Example Output
NAME AGE
myrole 13s
For more info on Kubernetes role objects, see K8s documentation.
Assign Roles to Users/Groups in a Slice.
After creating a role, assign the roles to users or groups for managing the namespace accessibility in a slice. This can be done through YAML or using the KubeSlice Manager. We provide SliceRoleBinding CRD to create a role binding in your project namespace.
The role assignment is propagated to all the worker clusters registered with the slice.
Create Role Assignment YAML
Create a role-assignments.yaml file for assigning a role to namespaces.
To know more about the configuration details, see slice parameters
apiVersion: controller.kubeslice.io/v1alpha1
kind: SliceRoleBinding
metadata:
name: red
bindings:
- roleRef:
apiVersion: controller.kubeslice.io/v1alpha1
kind: SliceRoleTemplate
name: custom-role-template
applyTo:
- namespace: 'namespace-1'
cluster: 'cluster-1'
subjects:
- kind: ServiceAccount
name: abc
- kind: User
name: "abc@kubeslice.io"
- namespace: 'namespace-2'
cluster: 'cluster-2'
subjects:
- kind: User
name: "xyz@kubeslice.io"
- roleRef:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
name: kubeslice-read-only
applyTo:
- namespace: 'namespace-3'
cluster: 'cluster-3'
subjects:
- kind: Group
name: "github"
- kind: User
name: "pqr@kubeslice.io"
- namespace: 'namespace-3'
cluster: '*'
subjects:
- kind: Group
name: "github"
- The
nameof the object must be same as the name of the slice. - Using an
*(asterisk) as a value fornamespaceimplies that all the users/groups listed undersubjectshave access (defined in the role) to all the namespaces onboarded on that slice. - You can assign both slice template roles and native K8s roles to the users in the YAML file.
- The
apiVersioniscontroller.kubeslice.io/v1alpha1for a slice template role andrbac.authorization.k8s.io/v1for a native K8s role. - The
kindisSliceRoleTemplatefor a slice template role andRolefor a native K8s role. - Ensure that the group that you add is a valid group.
Apply the YAML File for Assigning Roles
Apply the role-assignments.yaml file you created for assigning roles using the following command:
kubectl apply -f role-assignments.yaml -n <project namespace>
Validate Slice Role Assignment
Validate the slice role assignment using the following command:
kubectl get slicerolebindings.controller.kubeslice.io -n kubeslice-<project-name>
Example
kubectl get slicerolebindings.controller.kubeslice.io -n kubeslice-avesha
Expected Output
NAME AGE
slice-red 31s
Validate Role Assignments on Worker Clusters
You can validate if RBAC was successfully propagated to the worker clusters using the kubectl auth can-i command.
To validate the role assignments:
-
Switch the context to the worker cluster from where the namespace is referenced in the role assignment. From the above example,
namespace-1is present inworker-cluster-1. -
Run the following command in the
worker-cluster-1to verify if theuser@example.comuser hasgetaccess to pods:kubectl auth can-i get pods --namespace namespace-1 --as user@example.comExpected Output
yes -
Run the following command to verify if the user has
createaccess to pods:kubectl auth can-i create pods --namespace namespace-1 --as user@example.comExpected Output
no
Edit a Role Assignment
After you assign roles to a slice, you can still add or modify namespaces, users, groups and roles as necessary. Edit the existing configuration YAML file that was applied for assigning roles earlier to edit the role assignment.
To edit a role assignment, use the following command:
kubectl edit slicerolebindings.controller.kubeslice.io <name-of-the-slice> -n kubeslice-<project-name>
Example
kubectl edit slicerolebindings.controller.kubeslice.io slice-red -n kubeslice-avesha
Edit the YAML file as required and reapply the configuration.
-
The namespace used in a role assignment must be onboarded on a slice. If the namespace used in the role assignment is not onboarded, the role assignment shows
INVALID_NSerror for that namespace in it's status.Example:
status:
roleRefConditions:
- condition: INVALID_NS
lastUpdateTime: "2022-11-17T05:00:15Z"
message: Failed to inject namespace in worker slice role binding since namespace
"namespace-15" does not exist in the "slice-red" slice config.
namespace: namespace-15
reason: Namespace "namespace-15" not found in application namespace of "slice-red" slice
config.
roleRef:
apiVersion: controller.kubeslice.io/v1alpha1
kind: SliceRoleTemplate
name: reader-role-template-2
status: "False" -
The roles used in a role assignment must be present in the project namespace. If the role is not present in the project namespace, the role assignment shows the
NOT_ACCESSIBLEerror for that role in its status.Example
status:
roleRefConditions:
- condition: NOT_ACCESSIBLE
lastUpdateTime: "2022-11-17T04:58:25Z"
message: Failed to create worker role binding since the RoleRef "reader-role-template-2"
does not exist in the "kubeslice-avesha" namespace.
reason: RoleRef "reader-role-template-2" not found.
roleRef:
apiVersion: controller.kubeslice.io/v1alpha1
kind: SliceRoleTemplate
name: reader-role-template-2
status: "False"
Remove All the Roles from a Slice
To remove all roles from a slice, use the following command:
kubectl delete slicerolebindings.controller.kubeslice.io <name-of-the-slice> -n kubeslice-<project-name>