How to Configure Kubernetes RBAC for VKS Cluster

Article ID: 424898

Updated On:

Products

VMware vSphere Kubernetes Service

Issue/Introduction

This guide supplements the official VKS documentation by providing practical examples for implementing Role-Based Access Control (RBAC).
Use this guide to define granular permissions for users or groups within your VKS cluster.

Environment

vSphere Kubernetes Service

Resolution

This section provides samples for adding users to a VKS cluster based on specific roles.
Before running the commands below, please switch your kubectl context to the target VKS cluster using a user with administrative privileges.

kubectl vsphere login --insecure-skip-tls-verify --server=${SUPERVISOR_VIP} --tanzu-kubernetes-cluster-namespace=${VSPHERE_NAMESPACE} --tanzu-kubernetes-cluster-name=${TARGET_VKS_CLUSTER} -u [email protected]

Read Only

  • Customize the ClusterRole rules based on your specific use case
  • For data security, this ClusterRole deliberately omits Secrets from the readable core resources, so Secrets are not readable by default

# --------------------------------------------------------------------------
# 1. Create a ClusterRole
# --------------------------------------------------------------------------
CLUSTER_ROLE_NAME=cluster-view-no-secrets
cat > ${CLUSTER_ROLE_NAME}.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${CLUSTER_ROLE_NAME}
rules:
  - apiGroups: [""]
    resources: ["nodes", "persistentvolumes", "namespaces", "pods", "services", "events", "configmaps", "serviceaccounts"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps", "extensions", "batch", "storage.k8s.io", "networking.k8s.io", "rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
EOF

kubectl apply -f ${CLUSTER_ROLE_NAME}.yaml

# --------------------------------------------------------------------------
# 2. Create a ClusterRoleBinding
# --------------------------------------------------------------------------
VCENTER_USER="[email protected]"
BINDING_NAME=grant-cluster-view-no-secrets-test

cat > ${BINDING_NAME}.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${BINDING_NAME}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${CLUSTER_ROLE_NAME}
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: "sso:${VCENTER_USER}"
EOF

kubectl apply -f ${BINDING_NAME}.yaml

# --------------------------------------------------------------------------
# 3. Check
# --------------------------------------------------------------------------
kubectl auth can-i get pods --as "sso:${VCENTER_USER}"   # yes
kubectl auth can-i get secrets --as "sso:${VCENTER_USER}" # no

Namespace-Specific Access

  • This binding allows the user to perform operations only inside a designated namespace
  • It binds the built-in edit ClusterRole with a namespaced RoleBinding, so the edit permissions apply only in that namespace

# --------------------------------------------------------------------------
# 1. Create a RoleBinding
# --------------------------------------------------------------------------
VCENTER_USER="[email protected]"
NAMESPACE=default
BINDING_NAME=edit-binding-${NAMESPACE}-test-developer

cat > ${BINDING_NAME}.yaml <<EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${BINDING_NAME}
  namespace: ${NAMESPACE}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit # Using the built-in "edit" ClusterRole
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: "sso:${VCENTER_USER}"
EOF

kubectl apply -f ${BINDING_NAME}.yaml

# --------------------------------------------------------------------------
# 2. Check
# --------------------------------------------------------------------------
kubectl auth can-i get pods -n ${NAMESPACE} --as "sso:${VCENTER_USER}" # yes
kubectl auth can-i create pods -n ${NAMESPACE} --as "sso:${VCENTER_USER}" # yes
kubectl auth can-i get pods -n kube-system --as "sso:${VCENTER_USER}"     # no

Full Administrative Access

  • Grants full cluster control using the built-in cluster-admin role
  • CAUTION: Limit this privilege to trusted administrators only

# --------------------------------------------------------------------------
# 1. Create a ClusterRoleBinding
# --------------------------------------------------------------------------
VCENTER_USER="[email protected]"
BINDING_NAME="grant-cluster-admin-test"

cat > ${BINDING_NAME}.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${BINDING_NAME}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin # Using the built-in "cluster-admin" ClusterRole
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: "sso:${VCENTER_USER}"
EOF

kubectl apply -f ${BINDING_NAME}.yaml

# --------------------------------------------------------------------------
# 2. Check
# --------------------------------------------------------------------------
kubectl auth can-i get pods -A --as "sso:${VCENTER_USER}"     # yes
kubectl auth can-i delete nodes --as "sso:${VCENTER_USER}" # yes
kubectl auth can-i edit secrets -A --as "sso:${VCENTER_USER}" # yes
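
The following is an added illustration, not code from this article or from VKS: an offline model of how the API server decides the `kubectl auth can-i` checks shown in the three sections above (read-only cluster view, namespaced edit, cluster-admin). The cluster-view-no-secrets rules are transcribed from the manifest in the Read Only section; the "edit" and "cluster-admin" entries are abridged stand-ins for the built-in ClusterRoles (constructed here, not the real aggregated rule sets), and the user names are constructed placeholders. Two points it makes concrete: a RoleBinding can never satisfy a cluster-scoped or other-namespace request, and the built-in edit role does include Secrets in its namespace, so the Namespace-Specific binding grants Secret reads that the read-only ClusterRole withholds.

```python
"""Offline model of the RBAC decisions behind the three bindings in this article.

Added example for illustration; not code from the KB article or from VKS.
The cluster-view-no-secrets rules are transcribed from the manifest above.
The "edit" and "cluster-admin" entries are abridged stand-ins for the
built-in ClusterRoles (constructed for this example), and the user names
are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One entry of a ClusterRole's `rules:` list."""
    api_groups: tuple
    resources: tuple
    verbs: tuple

    def matches(self, verb: str, api_group: str, resource: str) -> bool:
        # "*" in a field is the wildcard the API server honours for that field
        return (_allowed(self.verbs, verb)
                and _allowed(self.api_groups, api_group)
                and _allowed(self.resources, resource))


def _allowed(values: tuple, wanted: str) -> bool:
    return "*" in values or wanted in values


@dataclass(frozen=True)
class Binding:
    """A ClusterRoleBinding (namespace=None) or a RoleBinding (namespace set)."""
    role: str        # name of the referenced ClusterRole
    subject: str     # User name as seen by the API server, e.g. "sso:<upn>"
    namespace: Optional[str] = None


READ_ONLY = ("get", "list", "watch")
READ_WRITE = READ_ONLY + ("create", "update", "patch", "delete")

ROLES = {
    # Transcribed from the article's ClusterRole: note that "secrets" is absent
    "cluster-view-no-secrets": (
        Rule(("",), ("nodes", "persistentvolumes", "namespaces", "pods", "services",
                     "events", "configmaps", "serviceaccounts"), READ_ONLY),
        Rule(("apps", "extensions", "batch", "storage.k8s.io", "networking.k8s.io",
              "rbac.authorization.k8s.io"), ("*",), READ_ONLY),
    ),
    # Abridged stand-in for the built-in "edit" role (constructed): read/write on
    # common namespaced objects, Secrets included, but no RBAC objects
    "edit": (
        Rule(("",), ("pods", "services", "configmaps", "secrets",
                     "persistentvolumeclaims", "serviceaccounts"), READ_WRITE),
        Rule(("apps", "batch", "networking.k8s.io"), ("*",), READ_WRITE),
    ),
    # The built-in cluster-admin role really is a full wildcard
    "cluster-admin": (Rule(("*",), ("*",), ("*",)),),
}

VIEWER = "sso:viewer@vsphere.local"        # constructed placeholder identities
DEVELOPER = "sso:developer@vsphere.local"
ADMIN = "sso:admin@vsphere.local"

BINDINGS = (
    Binding("cluster-view-no-secrets", VIEWER),        # ClusterRoleBinding
    Binding("edit", DEVELOPER, namespace="default"),   # RoleBinding in "default"
    Binding("cluster-admin", ADMIN),                   # ClusterRoleBinding
)


def can_i(user: str, verb: str, resource: str, api_group: str = "",
          namespace: Optional[str] = None) -> bool:
    """Mirror `kubectl auth can-i VERB RESOURCE [-n NS] --as USER`.

    namespace=None stands for a cluster-scoped request (nodes, or -A).
    RBAC is allow-only: the request succeeds if any matching binding grants it.
    """
    for binding in BINDINGS:
        if binding.subject != user:
            continue
        # A RoleBinding grants its ClusterRole's rules only inside its own
        # namespace, so it can never satisfy a cluster-scoped request
        if binding.namespace is not None and binding.namespace != namespace:
            continue
        if any(rule.matches(verb, api_group, resource) for rule in ROLES[binding.role]):
            return True
    return False


def report() -> dict:
    """The article's check commands, answered by the model."""
    return {
        "viewer get pods": can_i(VIEWER, "get", "pods"),
        "viewer get secrets": can_i(VIEWER, "get", "secrets"),
        "developer create pods in default": can_i(DEVELOPER, "create", "pods", namespace="default"),
        "developer get pods in kube-system": can_i(DEVELOPER, "get", "pods", namespace="kube-system"),
        "developer get secrets in default": can_i(DEVELOPER, "get", "secrets", namespace="default"),
        "admin delete nodes": can_i(ADMIN, "delete", "nodes"),
    }


if __name__ == "__main__":
    for check, allowed in report().items():
        print(f"{check}: {'yes' if allowed else 'no'}")
```

Run it as a script to print a yes/no table that matches the `kubectl auth can-i` results above; the one row the article does not show is "developer get secrets in default", which is allowed because the edit role grants it. Before applying the real manifests, `kubectl auth can-i --list --as "sso:${VCENTER_USER}" -n ${NAMESPACE}` on the live cluster gives the authoritative answer.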

Additional Information