docs/doc/source/security/kubernetes/create-end-users-359693b84854.rst
Suzana Fernandes 4b0d6f789e Fix index Security guide
[EAG] - Fix toctrees in wrong place
[RS]  - escape sample URLs

Change-Id: I3972bac7a0637bedfdca70a523851439d3b7ce42
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
2024-11-29 18:18:33 +00:00


Create End Users

After setting up your system administrators, use a Level1SystemAdmin system administrator to configure 'end users'.

In the following example, creating end users consists of:

  • Create a general end user kubernetes ClusterRole with restricted kubernetes capabilities.
  • For one or more specific end user groups:
    • Create an LDAP group;
    • Optionally disable SSH access for this group (i.e., restrict these end users to the remote CLIs / APIs / GUIs);
    • Create a Kubernetes namespace for the group;
    • Bind the general end user kubernetes ClusterRole to the group for this kubernetes namespace;
    • Create one or more LDAP users in this group.

  • You should already have created a system administrator.
  • You need to perform this procedure using the Level1SystemAdmin system administrator.

  1. Log in to the active controller as a Level1SystemAdmin system administrator, joefulladmin in this example.

    Use either a local console or SSH.

  2. Source local_starlingxrc to set up environment variables and your keystone user's authentication credentials.

    $ source local_starlingxrc
    
    Enter the password to be used with keystone user joefulladmin:
    Created file /home/joefulladmin/joefulladmin-openrc
  3. Use oidc-auth to authenticate for the kubernetes CLI.

    $ oidc-auth
    Using "joefulladmin" as username.
    Password:
    Successful authentication.
    Updated /home/joefulladmin/.kube/config.
  4. Create a directory for temporary files for setting up users and groups.

    $ mkdir /home/joefulladmin/users
  5. Create a general end user kubernetes ClusterRole with restricted kubernetes authorization privileges.

    $ cat << EOF > /home/joefulladmin/users/GeneralEndUser-ClusterRole.yml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
       name: GeneralEndUser
    rules:
    # For the core API group (""), allow full access to all resource types
    # EXCEPT for resource policies (limitranges and resourcequotas) only allow read access
    -  apiGroups: [""]
       resources: ["bindings", "configmaps", "endpoints", "events", "persistentvolumeclaims", "pods", "podtemplates", "replicationcontrollers", "secrets", "serviceaccounts", "services"]
       verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
    -  apiGroups: [""]
       resources: [ "limitranges", "resourcequotas" ]
       verbs: ["get", "list"]
    # Allow full access to all resource types of the following explicit list of apiGroups.
    # Notable exceptions here are:
    #     ApiGroup                      ResourceTypes
    #     -------                       -------------
    #     policy                        podsecuritypolicies, poddisruptionbudgets
    #     networking.k8s.io             networkpolicies
    #     admissionregistration.k8s.io  mutatingwebhookconfigurations, validatingwebhookconfigurations
    #
    -  apiGroups: ["apps", "batch", "extensions", "autoscaling", "apiextensions.k8s.io", "rbac.authorization.k8s.io"]
       resources: ["*"]
       verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
    # Cert Manager API access
    -  apiGroups: ["cert-manager.io", "acme.cert-manager.io"]
       resources: ["*"]
       verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
    EOF
    
    $ kubectl apply -f /home/joefulladmin/users/GeneralEndUser-ClusterRole.yml
  6. For one or more specific end user groups, create an LDAP group, a Kubernetes namespace and one or more LDAP users.

    1. Create a new local LDAP group for the end user group.

      $ sudo ldapaddgroup ABC-EndUsers
    2. Disallow this local group from using SSH.

      Users of this group can then only use the remote kubernetes API/CLI/GUI. Update /etc/security/group.conf with the group mapping.

      Note

      On a two-controller configuration, disallow this local group on both controllers.

      $ sudo sed -i '$ a\*;*;%ABC-EndUsers;Al0000-2400;denyssh' /etc/security/group.conf
    3. Create a kubernetes namespace for the end user group.

      $ kubectl create namespace abc-ns
      1. Bind the GeneralEndUser role to this group for this kubernetes namespace.

        $ cat << EOF > /home/joefulladmin/users/ABC-EndUsers-rolebinding.yml
        apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        metadata:
           name: ABC-EndUsers
           namespace: abc-ns
        subjects:
        -  kind: Group
           name: ABC-EndUsers
           apiGroup: rbac.authorization.k8s.io
        roleRef:
           kind: ClusterRole
           name: GeneralEndUser
           apiGroup: rbac.authorization.k8s.io
        EOF
        
        $ kubectl apply -f /home/joefulladmin/users/ABC-EndUsers-rolebinding.yml
    4. Create one or more LDAP users for the end user group.

      $ sudo ldapusersetup -u steveenduser
      Password:
      Successfully added user steveenduser to LDAP
      Successfully set password for user steveenduser
      Warning : password is reset, user will be asked to change password at login
      Successfully modified user entry uid=steveenduser,ou=People,dc=cgcs,dc=local in LDAP
      Updating password expiry to 90 days
      Successfully modified user entry uid=steveenduser,ou=People,dc=cgcs,dc=local in LDAP
      Updating password expiry to 2 days
      
      $ sudo ldapaddusertogroup steveenduser ABC-EndUsers
    5. Repeat the "Create one or more LDAP users for the end user group" step for the next user in this end user group.

  7. Repeat the "For one or more specific end user groups, create an LDAP group, kubernetes namespace and one or more LDAP users" step for the next end user group.
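To check that a ClusterRole like the one created in step 5 really withholds the resource types its comments list (podsecuritypolicies, poddisruptionbudgets, networkpolicies and the webhook configurations) and keeps limitranges and resourcequotas read-only, here is an added audit script; it is not part of the StarlingX documentation. It takes the ClusterRole in the JSON shape that kubectl get clusterrole GeneralEndUser -o json prints; the SAMPLE document below is constructed inline and deliberately adds one rule for the policy API group so that a finding is produced.

```python
import json

# Resource types the role's own comments list as deliberately withheld from end users.
DENIED = {
    ("policy", "podsecuritypolicies"),
    ("policy", "poddisruptionbudgets"),
    ("networking.k8s.io", "networkpolicies"),
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations"),
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations"),
}
# Resource policies that end users may only read.
READ_ONLY = {("", "limitranges"), ("", "resourcequotas")}
READ_VERBS = {"get", "list", "watch"}

def rule_grants(rule, group, resource):
    """True if one RBAC rule covers (apiGroup, resource); '*' matches anything."""
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    return (group in groups or "*" in groups) and (resource in resources or "*" in resources)

def audit_cluster_role(role):
    """Return findings for a ClusterRole dict in the 'kubectl get ... -o json' shape."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        if "*" in verbs:
            findings.append(f"rule {i}: wildcard verbs")
        for group, resource in sorted(DENIED):
            if rule_grants(rule, group, resource):
                findings.append(f"rule {i}: grants {group}/{resource}")
        for group, resource in sorted(READ_ONLY):
            if rule_grants(rule, group, resource) and not verbs <= READ_VERBS:
                findings.append(f"rule {i}: write access to {resource}")
    return findings

# Constructed sample: a subset of the page's GeneralEndUser rules, plus one extra
# rule for the "policy" API group that the audit should flag.
SAMPLE = json.loads("""{
 "kind": "ClusterRole", "metadata": {"name": "GeneralEndUser"},
 "rules": [
  {"apiGroups": [""], "resources": ["pods", "secrets", "services"],
   "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
  {"apiGroups": [""], "resources": ["limitranges", "resourcequotas"], "verbs": ["get", "list"]},
  {"apiGroups": ["apps", "batch", "extensions", "autoscaling"], "resources": ["*"],
   "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
  {"apiGroups": ["policy"], "resources": ["*"], "verbs": ["get", "list", "create"]}
 ]}""")

if __name__ == "__main__":
    print("\n".join(audit_cluster_role(SAMPLE)))
```

Run it against the live role with: kubectl get clusterrole GeneralEndUser -o json, loaded with json.load and passed to audit_cluster_role; an empty list means the role matches the intended restrictions.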

The created end user can, optionally, use SSH to log in to the system and run kubernetes commands to manage the hosted containerized application, as well as Linux commands. See section: end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671.

Note

More setup is required for end users to use the remote CLIs/GUIs; see section remote-access-2209661be417.