Permission manager : RBAC management for Kubernetes
source link: https://blog.kubernauts.io/permission-manager-rbac-management-for-kubernetes-ed46c2f38cfb
I came across a GitHub repository by the folks at Sighup.IO for managing user permissions on a Kubernetes cluster through a web UI.
GitHub Repo : https://github.com/sighupio/permission-manager
With Permission Manager you can create users, assign them namespaces and permissions, and hand out the resulting kubeconfig YAML files, all from a simple web UI.
The project is built around templates: you define a template once and then assign it to any number of users. Each template is backed by a ClusterRole, which is where the actual RBAC rules live.
To create a new template, define a ClusterRole whose name starts with the prefix template-namespaced-resources___ (for permissions that are granted inside a namespace) or template-cluster-resources___ (for cluster-wide permissions). Permission Manager discovers templates by that name prefix. The default templates are in the k8s/k8s-seeds directory.
Example template:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: template-namespaced-resources___developer
rules:
  - apiGroups:
      - "*"
    resources:
      - "configmaps"
      - "endpoints"
      - "persistentvolumeclaims"
      - "pods"
      - "pods/log"
      - "pods/portforward"
      - "podtemplates"
      - "replicationcontrollers"
      - "resourcequotas"
      - "secrets"
      - "services"
      - "events"
      - "daemonsets"
      - "deployments"
      - "replicasets"
      - "ingresses"
      - "networkpolicies"
      - "poddisruptionbudgets"
      # - "rolebindings"
      # - "roles"
    verbs:
      - "*"
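Two things are worth noticing in that template before you copy it. It grants every verb, including delete, on secrets in whatever namespace it is bound to, and the roles and rolebindings entries are commented out for a reason: write access to those would let a developer hand out further grants inside the namespace. Because every template is just a ClusterRole picked up by name prefix, you can audit the whole set before (or after) applying the seeds. The script below is an added example, not part of the Permission Manager project: it reads the JSON that `kubectl get clusterroles -o json` prints, keeps only the ClusterRoles whose names carry one of the two template prefixes, and flags rules that grant write verbs on privilege-widening resources or wildcard resources. The ESCALATION_RESOURCES list, the severity labels and the embedded SAMPLE (a trimmed copy of the developer template, a hypothetical viewer template, and cluster-admin as a non-template control) are this example's own assumptions.

```python
"""Audit Permission Manager template ClusterRoles for over-broad grants.

Added example, not part of the Permission Manager project. Run it against
a live cluster with:

    kubectl get clusterroles -o json | python3 template_audit.py

or offline against the constructed SAMPLE with:

    python3 template_audit.py --sample
"""
import json
import sys

# Permission Manager discovers templates by these name prefixes (the seeds
# in k8s/k8s-seeds use both).
TEMPLATE_PREFIXES = ("template-namespaced-resources___",
                     "template-cluster-resources___")

# Resources where write access lets the holder widen their own privileges.
# This list is the example's own judgement, not something the project defines.
ESCALATION_RESOURCES = {
    "secrets", "serviceaccounts", "pods/exec",
    "roles", "rolebindings", "clusterroles", "clusterrolebindings",
}
WRITE_VERBS = {"*", "create", "update", "patch", "delete",
               "bind", "escalate", "impersonate"}

# Constructed sample in the shape of `kubectl get clusterroles -o json`:
# a trimmed copy of the seed developer template, a hypothetical read-only
# template, and cluster-admin (not a template, so it must be ignored).
SAMPLE = {
    "kind": "List",
    "items": [
        {
            "kind": "ClusterRole",
            "metadata": {"name": "template-namespaced-resources___developer"},
            "rules": [{
                "apiGroups": ["*"],
                "resources": ["configmaps", "pods", "pods/log", "secrets",
                              "services", "deployments", "ingresses"],
                "verbs": ["*"],
            }],
        },
        {
            "kind": "ClusterRole",
            "metadata": {"name": "template-namespaced-resources___viewer"},
            "rules": [{
                "apiGroups": ["", "apps"],
                "resources": ["pods", "services", "deployments"],
                "verbs": ["get", "list", "watch"],
            }],
        },
        {
            "kind": "ClusterRole",
            "metadata": {"name": "cluster-admin"},
            "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
        },
    ],
}


def is_template(clusterrole):
    """True if Permission Manager would offer this ClusterRole as a template."""
    name = clusterrole.get("metadata", {}).get("name", "")
    return name.startswith(TEMPLATE_PREFIXES)


def rule_findings(rule):
    """Return (severity, message) pairs for one RBAC PolicyRule."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    groups = set(rule.get("apiGroups", []))
    findings = []
    if "*" in verbs and "*" in groups and "*" in resources:
        findings.append(("critical", "unrestricted rule: * verbs on * resources in * groups"))
    elif "*" in resources:
        findings.append(("high", "wildcard resources"))
    risky = sorted(resources & ESCALATION_RESOURCES)
    if risky and verbs & WRITE_VERBS:
        findings.append(("high", "write verbs %s on %s" % (sorted(verbs), risky)))
    return findings


def audit(clusterrole_list):
    """Map each template name to its findings; non-template roles are skipped."""
    report = {}
    for cr in clusterrole_list.get("items", []):
        if is_template(cr):
            findings = []
            for rule in cr.get("rules", []):
                findings.extend(rule_findings(rule))
            report[cr["metadata"]["name"]] = findings
    return report


def main():
    data = SAMPLE if "--sample" in sys.argv[1:] else json.load(sys.stdin)
    report = audit(data)
    for name, findings in sorted(report.items()):
        print("%-50s %s" % (name, "OK" if not findings else "REVIEW"))
        for severity, message in findings:
            print("    [%s] %s" % (severity, message))
    # Non-zero exit lets CI block a seed bundle that adds a risky template.
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main())
```

On the sample, the viewer template comes back clean, cluster-admin is ignored because it lacks the prefix, and the developer template is flagged once for the wildcard verb on secrets. The exit code makes the same check usable as a gate in whatever pipeline applies the k8s-seeds directory.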
Let us now deploy it on the Katacoda Kubernetes playground and see Permission Manager in action.
Step 1: Open https://www.katacoda.com/courses/kubernetes/playground
Step 2: git clone https://github.com/sighupio/permission-manager.git
Step 3: Edit the deploy.yaml file
master $ kubectl cluster-info
Kubernetes master is running at https://172.17.0.14:6443
Update the deployment file k8s/deploy.yaml so that CONTROL_PLANE_ADDRESS holds the API server address printed by the command above. Permission Manager writes this address into the kubeconfig files it generates for users, so it has to be one they can reach.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: permission-manager
  name: permission-manager-deployment
  labels:
    app: permission-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      app: permission-manager
  template:
    metadata:
      labels:
        app: permission-manager
    spec:
      serviceAccountName: permission-manager-service-account
      containers:
        - name: permission-manager
          image: quay.io/sighup/permission-manager:1.5.0
          ports:
            - containerPort: 4000
          env:
            - name: PORT
              value: "4000"
            - name: CLUSTER_NAME
              value: "my-cluster"
            - name: CONTROL_PLANE_ADDRESS
              value: "https://172.17.0.14:6443"
            - name: BASIC_AUTH_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: auth-password-secret
                  key: password
---
apiVersion: v1
kind: Service
metadata:
  namespace: permission-manager
  name: permission-manager-service
spec:
  selector:
    app: permission-manager
  ports:
    - protocol: TCP
      port: 4000
      targetPort: 4000
  type: NodePort
Step 4: Deploy the manifests
cd permission-manager
master $ kubectl apply -f k8s/k8s-seeds/namespace.yml
namespace/permission-manager created
master $ kubectl apply -f k8s/k8s-seeds
secret/auth-password-secret created
namespace/permission-manager unchanged
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___operation created
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___developer created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___read-only created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___admin created
rolebinding.rbac.authorization.k8s.io/permission-manager-service-account-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/permission-manager-service-account-rolebinding created
serviceaccount/permission-manager-service-account created
clusterrole.rbac.authorization.k8s.io/permission-manager-cluster-role created
customresourcedefinition.apiextensions.k8s.io/permissionmanagerusers.permissionmanager.user created
master $ kubectl apply -f k8s/deploy.yaml
deployment.apps/permission-manager-deployment created
service/permission-manager-service created
Step 5: Get the NodePort and open the UI from Katacoda
master $ kubectl get svc -n permission-manager
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
permission-manager-service NodePort 10.104.183.10 <none> 4000:31996/TCP 9m40s
To open the port from Katacoda, click on the + and select "View HTTP port 8080 on Host 1", then change the port to 31996 (the NodePort shown above). Log in with the password stored in the auth-password-secret Secret. Keep in mind that the seeds include a template-cluster-resources___admin template, so whoever reaches this UI with that password can create a cluster-admin user: a NodePort protected by basic auth is fine for a throwaway playground, but on a real cluster the service should not be left reachable this way.