I would like to read state of K8s using µK8s, but I don't want to have rights to modify anything. How to achieve this?

The following will give me full access:

```
microk8s.kubectl
Insufficient permissions to access MicroK8s. You can either try again with sudo or add the user digital to the 'microk8s' group:

    sudo usermod -a -G microk8s digital
    sudo chown -f -R digital ~/.kube

The new group will be available on the user's next login.
```
Wytrzymały Wiktor
digital_infinity
  • Changing ownership of the config file won't give you much when it comes to limiting your cluster roles/permissions. As you can see in step 2 [here](https://microk8s.io/docs), doing what you described in the question is completely normal. For cluster permission fine-tuning you'll need to change/configure RBAC rules. Lastly, having a clearly described goal will definitely help with providing you a solution. – acid_fuji May 31 '21 at 08:48
  • In my company there is a policy that programmers cannot modify anything on production (IMHO sane). While we are migrating to K8S, we want to enable read-only access, like checking status / deployments etc., for programmers, but all changes must go through DEV-OPS teams. Only the DEV-OPS team has `sudo` and rights to modify anything. – digital_infinity May 31 '21 at 14:58
  • ... on Unix/Linux we can just set appropriate file/directory access permissions - just `rx`, decrease shell limits (like max memory/open file descriptors), decrease process priority (`nice -19`). We are looking for a similar solution for K8S. Of course there is a fashion not to give terminal access to production systems and use all the GUI/Web tools for K8S, but access by terminal is an additional check for team lead developers to check if everything is correct. – digital_infinity May 31 '21 at 16:45
  • Especially since we work on low-latency (or latency-sensitive) systems and we must look at K8S's nodes with some attention. – digital_infinity May 31 '21 at 16:47

> on Unix/Linux we can just set appropriate file/directory access permission - just `rx`, decrease shell limits (like max memory/open file descriptors), decrease process priority (`nice -19`). We are looking for similar solution for K8S

This kind of solution in Kubernetes is handled via RBAC (Role-based access control). RBAC prevents unauthorized users from viewing or modifying the cluster state. Because the API server exposes a REST interface, users perform actions by sending HTTP requests to the server. Users authenticate themselves by including credentials in the request (an authentication token, username and password, or a client certificate).

As for REST clients, you get GET, POST, PUT, DELETE, etc. These are sent to specific URL paths that represent specific REST API resources (Pods, Services, Deployments and so on).

RBAC auth is configured with two groups:

  • Roles and ClusterRoles - these specify which actions/verbs can be performed
  • RoleBindings and ClusterRoleBindings - these bind the above roles to a user, group or service account.

As you might have already found out, the ClusterRole is the one you might be looking for. This will allow you to restrict a specific user or group against the cluster. In the example below we are creating a ClusterRole that can only list pods. The namespace is omitted since ClusterRoles are not namespaced.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-viewer
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
```

This permission then has to be bound via a ClusterRoleBinding:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to list pods in any namespace.
kind: ClusterRoleBinding
metadata:
  name: list-pods-global
subjects:
- kind: Group
  name: manager # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-viewer
  apiGroup: rbac.authorization.k8s.io
```

Because you don't have enough permissions on your own, you have to reach out to the appropriate person who manages those to create a user for you that has the ClusterRole `view`. The `view` role should already be predefined in the cluster (`kubectl get clusterrole view`).

If you wish to read more, the Kubernetes docs explain the whole concept of authorization well.

acid_fuji
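The answer above describes the RBAC pieces (ClusterRole rules, ClusterRoleBinding subjects and roleRef) in prose. The following is an added example, not code from the question, the answer or Kubernetes itself: a small Python model of how the API server's RBAC authorizer decides a request, so that the read-only setup can be reasoned about before asking the DevOps team to apply it. The `pod-viewer` role and `list-pods-global` binding mirror the YAML in the answer; the `view` role here is a constructed subset of the real built-in ClusterRole (the real one covers many more resources), and the `readonly-devs` binding, user names and `developers` group are invented for the demonstration. Two points the prose only hints at are visible in the output: the `pod-viewer` role grants `list` but not `get`, and the group name really is case sensitive.

```python
# Added example: a minimal model of the Kubernetes RBAC decision for one request.
# Illustrative only; this is not the kube-apiserver authorizer. The pod-viewer role
# and list-pods-global binding mirror the answer's YAML; the "view" rules are a
# constructed subset of the real built-in ClusterRole.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: frozenset  # "" is the core API group (pods, services, ...)
    resources: frozenset
    verbs: frozenset


@dataclass
class ClusterRole:
    name: str
    rules: list


@dataclass
class ClusterRoleBinding:
    name: str
    subjects: frozenset  # set of (kind, name) pairs, e.g. ("Group", "manager")
    role_ref: str        # name of the ClusterRole being bound


def rule(api_groups, resources, verbs):
    return Rule(frozenset(api_groups), frozenset(resources), frozenset(verbs))


# --- The objects from the answer, expressed as Python instead of YAML ---
POD_VIEWER = ClusterRole("pod-viewer", [rule([""], ["pods"], ["list"])])
LIST_PODS_GLOBAL = ClusterRoleBinding(
    "list-pods-global", frozenset({("Group", "manager")}), "pod-viewer")

# --- Constructed approximation of the built-in "view" ClusterRole ---
VIEW_SUBSET = ClusterRole("view", [
    rule([""], ["pods", "services", "configmaps", "events"], ["get", "list", "watch"]),
    rule(["apps"], ["deployments", "replicasets", "statefulsets"], ["get", "list", "watch"]),
])
# Hypothetical binding giving the "developers" group read-only access cluster-wide.
READONLY_DEVS = ClusterRoleBinding(
    "readonly-devs", frozenset({("Group", "developers")}), "view")

ROLES = {r.name: r for r in (POD_VIEWER, VIEW_SUBSET)}
BINDINGS = [LIST_PODS_GLOBAL, READONLY_DEVS]


def rule_matches(r, api_group, resource, verb):
    """A rule matches only when apiGroup, resource and verb each match literally or via '*'."""
    return (("*" in r.api_groups or api_group in r.api_groups)
            and ("*" in r.resources or resource in r.resources)
            and ("*" in r.verbs or verb in r.verbs))


def is_allowed(user, groups, verb, resource, api_group="",
               roles=ROLES, bindings=BINDINGS):
    """RBAC is deny-by-default: allow only if some binding that names the user
    (or one of the user's groups) points at a role with a matching rule."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for b in bindings:
        if not subjects & b.subjects:
            continue  # binding names neither this user nor any of their groups
        role = roles.get(b.role_ref)
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_matches(r, api_group, resource, verb) for r in role.rules):
            return True
    return False


def demo():
    """Requests a read-only developer might make; the model mutates nothing."""
    return {
        "manager list pods": is_allowed("alice", ["manager"], "list", "pods"),
        "manager get pods": is_allowed("alice", ["manager"], "get", "pods"),
        "Manager list pods": is_allowed("alice", ["Manager"], "list", "pods"),
        "dev get deployments": is_allowed("bob", ["developers"], "get", "deployments", "apps"),
        "dev delete pods": is_allowed("bob", ["developers"], "delete", "pods"),
        "nobody list pods": is_allowed("carol", [], "list", "pods"),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:22s} -> {'allow' if allowed else 'deny'}")
```

Against a real cluster the equivalent check is `kubectl auth can-i <verb> <resource> --as <user> --as-group <group>`, which asks the API server's authorizer the same question this model answers locally; the dangling-roleRef branch matters in practice because a binding that points at a misspelled ClusterRole silently grants nothing rather than failing loudly.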