Create users on Kubernetes cluster and assign permissions

When using Kubernetes cluster in teams, we need to distribute the access to the Kubernetes admins/developers.

Obviously, In k8s world RBAC is the preferred way to authenticate and authorize users.

But, there are different ways of doing it.

  • You can either use bearer token and use your Kubernetes clients.
  • Or create users by cooking bash script with serviceaccounts, roles, clusterroles and rolebindings.
  • Using LDAP and other third-party add-ons. e.g Gangway.

Apart from this if you are on the cloud using managed Kubernetes clusters. Everyone has their way of providing authentication.

Today, we are going to see how we can create a user with minimal efforts and assign them privileges to access the resources.

This guide assumes you have a basic understanding of Kubernetes and its basic resources.

We can use tools like Klum,Kiosk and many more.

In this tutorial, we will use Klum and perform the following tasks.

  • Create namespaces.
  • Use Klum to create users and grant permission to the user to a namespace.

Pre-requisite:

  • Kubernetes cluster: If you don’t have one you can quickly spin up one using Minikube, Kind or use one from Katakoda.

  • Kubectl.

  • jq.

We will use one with Katakoda.

Step 1. Verify you have access to create a cluster using kubectl cluster-info

$ kubectl cluster-info
Kubernetes master is running at https://172.17.0.36:8443
KubeDNS is running at https://172.17.0.36:8443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

Step 2. Create namespaces: earth mars and moon using command kubectl create ns

$ kubectl create ns earth
namespace/earth created
$ kubectl create ns moon
namespace/moon created
$ kubectl create ns mars
namespace/mars created

Step 3. Deploy Klum which creates custom resource definition for the user and kubeconfig of the resource.

kubectl apply -f https://raw.githubusercontent.com/ibuildthecloud/klum/master/deploy.yaml
namespace/klum created
deployment.apps/klum created
serviceaccount/klum created
clusterrolebinding.rbac.authorization.k8s.io/klum-cluster-admin created

Step 4. Create a user human using the below template which has access to the earth namespace.

kind: User
apiVersion: klum.cattle.io/v1alpha1
metadata:
  name: human
spec:
  roles:
  - namespace: earth
    clusterRole: admin

Create it.

$ kubectl apply -f user-human.yml
user.klum.cattle.io/human created

Step 5. Create a user alien who has access to all the 3 namespaces.

kind: User
apiVersion: klum.cattle.io/v1alpha1
metadata:
  name: alien
spec:
  roles:
  - namespace: earth
    clusterRole: admin
  - namespace: moon
    clusterRole: admin
  - namespace: mars
    clusterRole: admin

$ kubectl apply -f user-alien.yml
user.klum.cattle.io/alien created

Step 6. Check users and get the kubeconfigs for both the users using the command.

kubectl get users and kubectl get kubeconfig human

$ kubectl get users
NAME    AGE
alien   60s
human   6m57s

$ kubectl get kubeconfigs
NAME    AGE
alien   73s
human   7m10s

Get the kubeconfigs in the json format.

$ kubectl get kubeconfig human -o json | jq .spec > humankubeconfig
$ kubectl get kubeconfig alien -o json | jq .spec > alienkubeconfig

Step 7. Verify the access and permissions.

Scenario 1. Let’s explore the permissions for the user human across the cluster.

Create Nginx deployment in earth namespace using kubectl -n earth create deployment --image=nginx nginx-app

$ kubectl -n earth --kubeconfig=humankubecofig  create deployment --image=nginx nginx-app
deployment.apps/nginx-app created
$ kubectl -n earth --kubeconfig=humankubecofig get pods
NAME                      READY   STATUS    RESTARTS   AGE
nginx-app-9964799-b29zh   1/1     Running   0          3m23s

Now, using the same kubeconfig of user human let’s try to create an app in namespace mars and moon.

$ kubectl -n mars --kubeconfig=humankubecofig  create deployment --image=nginx nginx-app
Error from server (Forbidden): deployments.apps is forbidden: User "system:serviceaccount:klum:human" cannot create resource "deployments" in API group "apps" in the namespace "mars"

Same for namespace moon.

$ kubectl -n moon --kubeconfig=humankubecofig  create deployment --image=nginx nginx-app
Error from server (Forbidden): deployments.apps is forbidden: User "system:serviceaccount:klum:human" cannot create resource "deployments" in API group "apps" in the namespace "moon"

So, here we have restricted access for user human which cannot create or update resources other than the earth namespace.

Scenario 2. Let’s explore the permissions for the user alien across the cluster.

Create deployment in mars namespace.

$ kubectl -n mars --kubeconfig=alienkubeconfig  create deployment --image=nginx nginx-app
deployment.apps/nginx-app created
$ kubectl -n mars  --kubeconfig=alienkubeconfig  get pods
NAME                      READY   STATUS    RESTARTS   AGE
nginx-app-9964799-d4vrh   1/1     Running   0          39s

It works!

Now let’s create deploys in the moon namespace and earth namespace.

$ kubectl -n moon --kubeconfig=alienkubeconfig  create deployment --image=nginx nginx-app
deployment.apps/nginx-app created
$ kubectl -n moon  --kubeconfig=alienkubeconfig  get pods
NAME                      READY   STATUS    RESTARTS   AGE
nginx-app-9964799-q98lp   1/1     Running   0          13s
$ kubectl -n earth  --kubeconfig=alienkubeconfig  get pods
NAME                      READY   STATUS    RESTARTS   AGE
nginx-app-9964799-kndhv   1/1     Running   0          7m

It works here too :)

So, user human has permissions to create resources in earth namespace. While user alien has permissions to create resources in all the 3 namespaces i.e earth, mars, and moon.

In this way using Klum we can quickly create users and assign permissions to them on kubernetes clusters.

Also, we can create cluster-admin users with full access on the kubernetes cluster.

Happy Kubernauting! :)