20

Permission manager : RBAC management for Kubernetes

 3 years ago
source link: https://blog.kubernauts.io/permission-manager-rbac-management-for-kubernetes-ed46c2f38cfb
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Permission manager : RBAC management for Kubernetes

Permission manager : RBAC management for Kubernetes

Image for post
Image for post
Photo by Kyle Glenn on Unsplash

Came across a GitHub repository implemented by the awesome folks at Sighup.IO for managing user permissions for Kubernetes cluster easily via web UI.

GitHub Repo : https://github.com/sighupio/permission-manager

With Permission Manager, you can create users, assign namespaces/permissions, and distribute Kubeconfig YAML files via a nice&easy web UI.
The project works on the concept of templates that you can create and then use that template for different users.Template is directly proportional to clusterrole.
In rder to create a new template you need to defile a clusterrole with prefix template-namespaces-resources__. The default template are present in the k8s/k8s-seeds directory.

Example template:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: template-namespaced-resources___developer
rules:
  - apiGroups:
      - "*"
    resources:
      - "configmaps"
      - "endpoints"
      - "persistentvolumeclaims"
      - "pods"
      - "pods/log"
      - "pods/portforward"
      - "podtemplates"
      - "replicationcontrollers"
      - "resourcequotas"
      - "secrets"
      - "services"
      - "events"
      - "daemonsets"
      - "deployments"
      - "replicasets"
      - "ingresses"
      - "networkpolicies"
      - "poddisruptionbudgets"
      # - "rolebindings"
      # - "roles"
    verbs:
      - "*"

Let us now deploy it on Katakoda kubernetes playground and see the permission checker in action.

Step1: Open https://www.katacoda.com/courses/kubernetes/playground

Step 2: git clone https://github.com/sighupio/permission-manager.git

Step3: Change the deploy.yaml file

master $ kubectl cluster-info
Kubernetes master is running at https://172.17.0.14:6443

update the deployment file “k8s/deploy.yaml” with the CONTROL_PLANE_ADDRESS from the result of the above command.

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: permission-manager
  name: permission-manager-deployment
  labels:
    app: permission-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      app: permission-manager
  template:
    metadata:
      labels:
        app: permission-manager
    spec:
      serviceAccountName: permission-manager-service-account
      containers:
        - name: permission-manager
          image: quay.io/sighup/permission-manager:1.5.0
          ports:
            - containerPort: 4000
          env:
            - name: PORT
              value: "4000"
            - name: CLUSTER_NAME
              value: "my-cluster"
            - name: CONTROL_PLANE_ADDRESS
              value: "https://172.17.0.14:6443"
            - name: BASIC_AUTH_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: auth-password-secret
                  key: password

---
apiVersion: v1
kind: Service
metadata:
  namespace: permission-manager
  name: permission-manager-service
spec:
  selector:
    app: permission-manager
  ports:
    - protocol: TCP
      port: 4000
      targetPort: 4000
  type: NodePort

Step4: Deploy the manifests

cd permission-managermaster $ kubectl apply -f k8s/k8s-seeds/namespace.yml
namespace/permission-manager createdmaster $ kubectl apply -f k8s/k8s-seeds
secret/auth-password-secret created
namespace/permission-manager unchanged
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___operation created
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___developer created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___read-only created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___admin created
rolebinding.rbac.authorization.k8s.io/permission-manager-service-account-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/permission-manager-service-account-rolebinding created
serviceaccount/permission-manager-service-account created
clusterrole.rbac.authorization.k8s.io/permission-manager-cluster-role created
customresourcedefinition.apiextensions.k8s.io/permissionmanagerusers.permissionmanager.user createdmaster $ kubectl apply -f k8s/deploy.yaml
deployment.apps/permission-manager-deployment created
service/permission-manager-service created

Step5: Get the NodePort and open UI using Katakoda

master $ kubectl get svc -n permission-manager
NAME                         TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
permission-manager-service   NodePort   10.104.183.10   <none>        4000:31996/TCP   9m40s

n order to open port from Katakoda click on the + and select View HTTP port 8080 on Host 1 and change the port to 31996


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK