Permission manager : RBAC management for Kubernetes
Photo by Kyle Glenn on Unsplash
Came across a GitHub repository implemented by the awesome folks at Sighup.IO for managing user permissions for Kubernetes cluster easily via web UI.
GitHub Repo : https://github.com/sighupio/permission-manager
With Permission Manager, you can create users, assign namespaces/permissions, and distribute Kubeconfig YAML files via a nice&easy web UI.
The project works on the concept of templates that you can create and then use that template for different users.Template is directly proportional to clusterrole.
In rder to create a new template you need to defile a clusterrole with prefix
template-namespaces-resources__. The default template are present in the k8s/k8s-seeds directory.
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: template-namespaced-resources___developer rules: - apiGroups: - "*" resources: - "configmaps" - "endpoints" - "persistentvolumeclaims" - "pods" - "pods/log" - "pods/portforward" - "podtemplates" - "replicationcontrollers" - "resourcequotas" - "secrets" - "services" - "events" - "daemonsets" - "deployments" - "replicasets" - "ingresses" - "networkpolicies" - "poddisruptionbudgets" # - "rolebindings" # - "roles" verbs: - "*"
Let us now deploy it on Katakoda kubernetes playground and see the permission checker in action.
Step 2: git clone https://github.com/sighupio/permission-manager.git
Step3: Change the deploy.yaml file
master $ kubectl cluster-info Kubernetes master is running at [https://172.17.0.14:6443]( )
update the deployment file “k8s/deploy.yaml” with the CONTROL_PLANE_ADDRESS from the result of the above command.
apiVersion: apps/v1 kind: Deployment metadata: namespace: permission-manager name: permission-manager-deployment labels: app: permission-manager spec: replicas: 1 selector: matchLabels: app: permission-manager template: metadata: labels: app: permission-manager spec: serviceAccountName: permission-manager-service-account containers: - name: permission-manager image: quay.io/sighup/permission-manager:1.5.0 ports: - containerPort: 4000 env: - name: PORT value: "4000" - name: CLUSTER_NAME value: "my-cluster" - name: CONTROL_PLANE_ADDRESS ** value: "https://172.17.0.14:6443" ** - name: BASIC_AUTH_PASSWORD valueFrom: secretKeyRef: name: auth-password-secret key: password apiVersion: v1 kind: Service metadata: namespace: permission-manager name: permission-manager-service spec: selector: app: permission-manager ports: - protocol: TCP port: 4000 targetPort: 4000 ** type: NodePort**
Step4: Deploy the manifests
cd permission-manager master $ kubectl apply -f k8s/k8s-seeds/namespace.yml namespace/permission-manager created master $ kubectl apply -f k8s/k8s-seeds secret/auth-password-secret created namespace/permission-manager unchanged clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___operation created clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___developer created clusterrole.rbac.authorization.k8s.io/template-cluster-resources___read-only created clusterrole.rbac.authorization.k8s.io/template-cluster-resources___admin created rolebinding.rbac.authorization.k8s.io/permission-manager-service-account-rolebinding created clusterrolebinding.rbac.authorization.k8s.io/permission-manager-service-account-rolebinding created serviceaccount/permission-manager-service-account created clusterrole.rbac.authorization.k8s.io/permission-manager-cluster-role created customresourcedefinition.apiextensions.k8s.io/permissionmanagerusers.permissionmanager.user created master $ kubectl apply -f k8s/deploy.yaml deployment.apps/permission-manager-deployment created service/permission-manager-service created
Step5: Get the NodePort and open UI using Katakoda
master $ kubectl get svc -n permission-manager NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE permission-manager-service NodePort 10.104.183.10 <none> 4000:**31996**/TCP 9m40s
n order to open port from Katakoda click on the + and select View HTTP port 8080 on Host 1 and change the port to 31996
Enter the username and password :
You can change the password in k8s/k8s-seeds/auth-secret.yml file.
Now Let us create some users and assign one of the default template.
User Test1 with permission as a developer in permission-manager namespace
Let us download the kubeconfig file and test the permissions:
**master $ kubectl --kubeconfig=/root/permission-manager/newkubeconfig get pods **Error from server (Forbidden): pods is forbidden: User "test1" cannot list resource "pods" in API group "" in the namespace "default" **master $ kubectl --kubeconfig=/root/permission-manager/newkubeconfig get pods -n permission-manager **NAME READY STATUS RESTARTS AGE permission-manager-deployment-544649f8f5-jzlks 1/1 Running 0 6m38s master $ kubectl get clusterrole | grep template template-cluster-resources___admin 7m56s template-cluster-resources___read-only 7m56s template-namespaced-resources___developer 7m56s template-namespaced-resources___operation 7m56s
Summary: With permission checker you can easily create multiple users and give permission for specific resources in specific namespace using custom-defined templates.
Saiyam is a Software Engineer working on Kubernetes with a focus on creating and managing the project ecosystem. Saiyam has worked on many facets of Kubernetes, including scaling, multi-cloud, managed kubernetes services, K8s documentation and testing. He’s worked on implementing major managed services (GKE/AKS/OKE) in different organizations. When not coding or answering Slack messages, Saiyam contributes to the community by writing blogs and giving sessions on InfluxDB, Docker and Kubernetes at different meetups. Reach him on Twitter @saiyampathak where he gives tips on InfluxDB, Rancher, Kubernetes and open source.
We are looking for engineers who love to work in Open Source communities like Kubernetes, Rancher, Docker, etc.
If you wish to work on such projects please do visit our job offerings page.