Help w/ RBAC group multiple Namespaces.


matt....@gmail.com
Mar 13, 2018, 11:05:04 AM
to kubernetes-sig-auth
Hi All,
I'm trying to set up a cluster that uses RBAC with the GitHub webhook authenticator. I have both of those working and I'm having difficulties fleshing out some RBAC rules for access to different namespaces. For instance, if I have three namespaces:
  • alpha
  • staging
  • prod
And I want to create a group of users known as "cluster-ops" to have full admin rights in the alpha and staging namespaces with only view rights in prod... I would think that I would create a YAML file like so:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: alpha-ns-ops
  namespace: alpha
subjects:
- kind: Group
  name: cluster-ops
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: staging-ns-ops
  namespace: staging
subjects:
- kind: Group
  name: cluster-ops
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io

ignoring the prod namespace... How do I associate my user to that group? I've tried:

kubectl create clusterrolebinding cluster-ops-cb --user snoby --group=cluster-ops
error: clusterrole must be specified

Confused as to how a group maps to a cluster role when the group doesn't encompass every namespace in the cluster... Am I supposed to use Aggregated Cluster Roles?

Thanks for any help you guys can provide.
Matt


Mo Khan
Mar 13, 2018, 11:27:16 AM
to matt....@gmail.com, kubernetes-sig-auth
I believe you are trying to use a cluster role binding when you actually want a role binding. Cluster role bindings grant powers cluster-wide, whereas role bindings allow scoping to a particular namespace.

--
You received this message because you are subscribed to the Google Groups "kubernetes-sig-auth" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-auth+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-sig-auth@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-auth/ef5b4df8-2940-4871-8ce4-14352ccf8e33%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

matt....@gmail.com
Mar 13, 2018, 1:25:57 PM
to kubernetes-sig-auth
Let me ask the question another way: how do you allow a group of users access to only two namespaces out of the three that there are?

Jordan Liggitt
Mar 13, 2018, 1:27:07 PM
to matt....@gmail.com, kubernetes-sig-auth
Create a rolebinding for those two users in the two namespaces you want them to have access to.


matt....@gmail.com
Mar 13, 2018, 2:14:37 PM
to kubernetes-sig-auth
I see how you use a rolebinding to link a user to a role... However, if we expand upon this and say we have 15 employees that want to have the same access to those two roles...
1.) How do you generate a group / add a list of users to a group?

For example, I have created these simple roles with roleBindings, with the roleBindings associated with a group I've named "cluster-ops":

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: alpha-admin
  namespace: alpha
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: staging-admin
  namespace: staging
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: alpha-ns-binding
  namespace: alpha
subjects:
- kind: Group
  name: cluster-ops
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: alpha-admin
  apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: staging-ns-binding
  namespace: staging
subjects:
- kind: Group
  name: cluster-ops
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: staging-admin
  apiGroup: rbac.authorization.k8s.io


I'm using the GitHub webhook authorization, which doesn't really have "groups", just usernames. This Rancher article seems to indicate that I can't control who is in what group manually, but that I have to do it somehow in the webhook authentication component:
"Groups are defined by the authentication component, and group membership is set when authentication completes. Group membership is only a string value, so the authentication component must set this string correctly. Kubernetes will only check for the presence of the string; it trusts the authentication provider."

If that is the case, is there a "simple" YAML way to add 10 - 15 people to a rolebinding?

Please and thank you for your time,
Matt

Mo Khan
Mar 13, 2018, 4:28:28 PM
to matt....@gmail.com, kubernetes-sig-auth
You don't need to define any Roles. You want RoleBindings that point to the admin ClusterRole, and bind to the appropriate subject (the group).

For group membership, you will need to look into https://kubernetes.io/docs/admin/authentication/ (OIDC, webhook, proxy, etc.). Your current webhook does not support groups, meaning you cannot use it in your specific scenario.
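Putting Mo's and Jordan's replies together, here is an added example (not posted in the thread) of the three namespaced RoleBindings: the built-in admin ClusterRole in alpha and staging, the built-in view ClusterRole in prod, with each person listed as a User subject because the webhook authenticator returns no groups. The subject name snoby comes from the thread; the placement of further names is an assumption marked in the comments.

```yaml
# Added example, not from the thread. No custom Roles are needed: each
# RoleBinding references a built-in ClusterRole but grants its rules only
# inside metadata.namespace. Add one `- kind: User` entry per person; the
# name must match exactly what the webhook authenticator returns.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cluster-ops-admin
  namespace: alpha
subjects:
- kind: User
  name: snoby              # repeat this block for each of the 10-15 users
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cluster-ops-admin
  namespace: staging
subjects:
- kind: User
  name: snoby
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cluster-ops-view
  namespace: prod          # read-only here: view, not admin
subjects:
- kind: User
  name: snoby
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

After applying the file, `kubectl auth can-i create deployments -n prod --as snoby` should answer no while the same check with `-n alpha` answers yes, which is the quickest way to confirm the prod scoping held. Note that the built-in admin ClusterRole deliberately excludes writing ResourceQuotas and the Namespace object itself, which is usually what you want for a team-level role.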
