Managing IAM authentication user

    The latest service changes have not yet been reflected in this content. We will update the content as soon as possible. Please refer to the Korean version for information on the latest updates.

    Available in VPC

    Once a Ncloud Kubernetes Service cluster is created, the Sub Account that created the cluster and the Main account are automatically placed in the 'system:masters' group in the cluster's RBAC configuration, but this membership is not shown in the cluster information or in any ConfigMap. To give an IAM user permission to use the cluster, register the 'ncp-auth' ConfigMap in the 'kube-system' namespace.

    Note

    This can be set up once 'ncp-iam-authenticator' is installed and a kubeconfig has been created. See Install ncp-iam-authenticator and Create IAM authentication kubeconfig.

    Add IAM user to cluster

    1. The 'kubectl' credentials must be those of the Sub Account that created the cluster or of the Main account.
    2. Create the 'ncp-auth' ConfigMap.
    $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: ncp-auth
      namespace: kube-system
    data:
      mapSubAccounts: |
        - subAccountIdNo: <iam-user-idno>
          username: <username>
          groups:
            - <groups>
    EOF
    
    3. The IAM user parameters in the ConfigMap are as follows:
      • subAccountIdNo: the ID of the SubAccount user to add; it can be checked on the SubAccount console
      • username: the Kubernetes user name that the IAM user is mapped to
      • groups: the list of Kubernetes groups that the user is mapped to. For more information, see Default roles and role bindings.
    4. Check the list of applied users through the 'ncloud.com/applied-ncp-auth' annotation in the 'ncp-auth' ConfigMap.
    $ kubectl --kubeconfig $KUBE_CONFIG -n kube-system get configmap ncp-auth -o yaml
    ...
    metadata:
      annotations:
         ncloud.com/applied-ncp-auth: '[{"SubAccountIdNo":"<iam-user-idno>","Username":"<username>","Groups":["<groups>"]}]'
    ...
    
    5. Check that the IAM user, or the Kubernetes user or group it is mapped to, is bound to a Kubernetes role through a 'RoleBinding' or 'ClusterRoleBinding'. For more information, see Using RBAC Authorization in the Kubernetes documentation.
    • Permission to view resources in all namespaces - The group name is 'full-access-group'; map it to the IAM user's groups in the 'ncp-auth' ConfigMap.
    
    $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: full-access-clusterrole
    rules:
    - apiGroups:
      - ""
      resources:
      - nodes
      - namespaces
      - pods
      verbs:
      - get
      - list
    - apiGroups:
      - apps
      resources:
      - deployments
      - daemonsets
      - statefulsets
      - replicasets
      verbs:
      - get
      - list
    - apiGroups:
      - batch
      resources:
      - jobs
      verbs:
      - get
      - list
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: full-access-binding
    subjects:
    - kind: Group
      name: full-access-group
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: full-access-clusterrole
      apiGroup: rbac.authorization.k8s.io
    EOF
    
    • Permission to view resources in a specific namespace - The namespace in the file is 'default'; edit it to the namespace you want. The group name is 'restricted-access-group'; set it in the IAM user's groups in the 'ncp-auth' ConfigMap.
    
    $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: restricted-access-clusterrole
    rules:
    - apiGroups:
      - ""
      resources:
      - nodes
      - namespaces
      verbs:
      - get
      - list
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: restricted-access-clusterrole-binding
    subjects:
    - kind: Group
      name: restricted-access-group
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: restricted-access-clusterrole
      apiGroup: rbac.authorization.k8s.io
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: default
      name: restricted-access-role
    rules:
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - get
      - list
    - apiGroups:
      - apps
      resources:
      - deployments
      - daemonsets
      - statefulsets
      - replicasets
      verbs:
      - get
      - list
    - apiGroups:
      - batch
      resources:
      - jobs
      verbs:
      - get
      - list
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: restricted-access-role-binding
      namespace: default
    subjects:
    - kind: Group
      name: restricted-access-group
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role
      name: restricted-access-role
      apiGroup: rbac.authorization.k8s.io
    EOF
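    The following is an added example, not part of the Ncloud documentation or of the ncp-iam-authenticator project. It renders the mapSubAccounts list for several users without a YAML library and then compares the intended mapping with what the 'ncloud.com/applied-ncp-auth' annotation reports, so that users still present on the cluster but no longer intended, or users whose groups have changed, show up before the RBAC bindings are checked. The SubAccount IDs, user names and the sample ConfigMap JSON are constructed; in practice the JSON would come from 'kubectl -n kube-system get configmap ncp-auth -o json'.

```python
"""Render the mapSubAccounts section of the ncp-auth ConfigMap from an intended
user list and compare it with the ncloud.com/applied-ncp-auth annotation.

Added example; not Ncloud's tooling. SAMPLE_CONFIGMAP_JSON is constructed in
the shape of `kubectl -n kube-system get configmap ncp-auth -o json` output.
"""
import json

# Intended mapping. IDs and names are constructed placeholders.
INTENDED = [
    {"subAccountIdNo": "1234567", "username": "alice", "groups": ["full-access-group"]},
    {"subAccountIdNo": "7654321", "username": "bob", "groups": ["restricted-access-group"]},
]

# Constructed: the cluster still carries a stale entry (carol) and bob's groups
# differ from the intended mapping.
SAMPLE_CONFIGMAP_JSON = json.dumps({
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {
        "name": "ncp-auth", "namespace": "kube-system",
        "annotations": {"ncloud.com/applied-ncp-auth": json.dumps([
            {"SubAccountIdNo": "1234567", "Username": "alice", "Groups": ["full-access-group"]},
            {"SubAccountIdNo": "7654321", "Username": "bob", "Groups": ["full-access-group"]},
            {"SubAccountIdNo": "1111111", "Username": "carol", "Groups": ["full-access-group"]},
        ])},
    },
})


def render_map_sub_accounts(entries):
    """Render the YAML list that goes under `mapSubAccounts: |` (no YAML library needed)."""
    lines = []
    for e in entries:
        if not e["subAccountIdNo"] or not e["username"] or not e["groups"]:
            raise ValueError(f"incomplete entry: {e}")
        lines.append(f"- subAccountIdNo: {e['subAccountIdNo']}")
        lines.append(f"  username: {e['username']}")
        lines.append("  groups:")
        lines.extend(f"    - {g}" for g in e["groups"])
    return "\n".join(lines) + "\n"


def render_configmap(entries):
    """Full ncp-auth ConfigMap manifest, ready for `kubectl apply -f -`."""
    block = "".join(f"    {line}\n" for line in render_map_sub_accounts(entries).splitlines())
    return ("apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: ncp-auth\n"
            "  namespace: kube-system\ndata:\n  mapSubAccounts: |\n" + block)


def applied_entries(configmap_json):
    """Parse the applied-user list that the authenticator records in the annotation."""
    annotations = json.loads(configmap_json).get("metadata", {}).get("annotations", {})
    raw = annotations.get("ncloud.com/applied-ncp-auth")
    return json.loads(raw) if raw else []


def diff_mapping(intended, applied):
    """Return (not_yet_applied, unexpected, changed) lists of subAccountIdNo values."""
    want = {e["subAccountIdNo"]: e for e in intended}
    have = {e["SubAccountIdNo"]: e for e in applied}
    not_applied = sorted(set(want) - set(have))
    unexpected = sorted(set(have) - set(want))
    changed = sorted(k for k in set(want) & set(have)
                     if want[k]["username"] != have[k]["Username"]
                     or sorted(want[k]["groups"]) != sorted(have[k]["Groups"]))
    return not_applied, unexpected, changed


if __name__ == "__main__":
    print(render_configmap(INTENDED))
    print(diff_mapping(INTENDED, applied_entries(SAMPLE_CONFIGMAP_JSON)))
```

    Running the script prints the manifest for the intended users and the tuple ([], ['1111111'], ['7654321']): nothing is missing, carol (1111111) is applied on the cluster without being intended, and bob (7654321) carries different groups than intended. Either finding is worth resolving before relying on the RoleBinding checks in step 5.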
    

    Authenticating all without registering them in mapSubAccounts

    1. If you set the 'authenticateAll' value in the 'ncp-auth' ConfigMap to "true", every SubAccount is authenticated even if it is not listed in mapSubAccounts.
    
    $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: ncp-auth
      namespace: kube-system
    data:
      authenticateAll: "true"
    EOF
    
    2. Users authenticated this way must still have their Kubernetes user or group bound to a Kubernetes role through a 'RoleBinding' or 'ClusterRoleBinding', in the same way as for SubAccount users added to the cluster.

    Using SubAccount Group as Kubernetes Group

    1. A SubAccount user who belongs to a SubAccount group is placed in the Kubernetes group whose name is the SubAccount group name with the prefix 'ncp-sub-account-group:'.
    2. The following example grants full-access-clusterrole to all users belonging to the SubAccount group named full-access:
    
    $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: full-access-clusterrole
    rules:
    - apiGroups:
      - ""
      resources:
      - nodes
      - namespaces
      - pods
      verbs:
      - get
      - list
    - apiGroups:
      - apps
      resources:
      - deployments
      - daemonsets
      - statefulsets
      - replicasets
      verbs:
      - get
      - list
    - apiGroups:
      - batch
      resources:
      - jobs
      verbs:
      - get
      - list
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: full-access-binding
    subjects:
    - kind: Group
      name: ncp-sub-account-group:full-access
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: full-access-clusterrole
      apiGroup: rbac.authorization.k8s.io
    EOF
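    The following is an added example, not Ncloud's code, that puts the three sections together for an authorization review. For each SubAccount it works out which Kubernetes groups the authenticator gives it: the groups listed in mapSubAccounts, the SubAccount groups with the 'ncp-sub-account-group:' prefix, and 'system:authenticated', which every authenticated principal in Kubernetes belongs to. It then lists the RoleBindings and ClusterRoleBindings that reach the user and flags any that grant cluster-admin or that are bound to 'system:authenticated'; the latter matter once authenticateAll is "true", because such a binding then applies to every SubAccount. The ConfigMap content, the SubAccount group membership and the bindings are all constructed (the bindings in the shape of 'kubectl get clusterrolebindings,rolebindings -A -o json'); the user name assigned to users who are authenticated only through authenticateAll is not stated on this page, so those users are matched by group only.

```python
"""Work out which Kubernetes groups a SubAccount ends up in and which bindings
reach it. Added example; not Ncloud's code. All inputs below are constructed."""
import json

PREFIX = "ncp-sub-account-group:"

# Constructed: ncp-auth ConfigMap data, with mapSubAccounts already parsed from YAML.
NCP_AUTH = {
    "authenticateAll": "true",
    "mapSubAccounts": [
        {"subAccountIdNo": "1234567", "username": "alice", "groups": ["full-access-group"]},
        {"subAccountIdNo": "7654321", "username": "bob", "groups": ["restricted-access-group"]},
    ],
}

# Constructed: SubAccount group membership as shown in the SubAccount console.
SUB_ACCOUNT_GROUPS = {"1234567": ["full-access"], "9999999": ["dev"]}

# Constructed, trimmed to the fields used, in the shape of
# `kubectl get clusterrolebindings,rolebindings -A -o json`.
BINDINGS_JSON = json.dumps({"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "full-access-binding"},
     "subjects": [{"kind": "Group", "name": "full-access-group"}],
     "roleRef": {"kind": "ClusterRole", "name": "full-access-clusterrole"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "sa-group-full-access"},
     "subjects": [{"kind": "Group", "name": PREFIX + "full-access"}],
     "roleRef": {"kind": "ClusterRole", "name": "full-access-clusterrole"}},
    {"kind": "RoleBinding", "metadata": {"name": "restricted-access-role-binding", "namespace": "default"},
     "subjects": [{"kind": "Group", "name": "restricted-access-group"}],
     "roleRef": {"kind": "Role", "name": "restricted-access-role"}},
    # The kind of binding a review should flag: every authenticated principal becomes cluster-admin.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]})


def resolve(idno, ncp_auth, sub_account_groups):
    """Return (username, groups) for a SubAccount, or None if it cannot authenticate."""
    explicit = next((e for e in ncp_auth.get("mapSubAccounts", []) if e["subAccountIdNo"] == idno), None)
    if explicit is None and ncp_auth.get("authenticateAll") != "true":
        return None
    # The page does not state the username given to users authenticated only via
    # authenticateAll, so it is left unknown and such users match by group only.
    username = explicit["username"] if explicit else None
    groups = set(explicit["groups"]) if explicit else set()
    groups |= {PREFIX + g for g in sub_account_groups.get(idno, [])}
    groups.add("system:authenticated")  # standard Kubernetes: every authenticated principal
    return username, groups


def matching_bindings(username, groups, bindings):
    """Bindings whose subjects include the user or any of its groups."""
    hits = []
    for b in bindings["items"]:
        for s in b.get("subjects", []):
            if (s["kind"] == "Group" and s["name"] in groups) or \
               (s["kind"] == "User" and username is not None and s["name"] == username):
                hits.append({"binding": b["metadata"]["name"],
                             "namespace": b["metadata"].get("namespace", ""),
                             "via": s["name"],
                             "role": f'{b["roleRef"]["kind"]}/{b["roleRef"]["name"]}'})
    return hits


def audit(idnos, ncp_auth, sub_account_groups, bindings_json):
    """Per SubAccount: whether it authenticates, its groups, matching bindings, warnings."""
    bindings = json.loads(bindings_json)
    report = {}
    for idno in idnos:
        ident = resolve(idno, ncp_auth, sub_account_groups)
        if ident is None:
            report[idno] = {"authenticated": False, "groups": [], "bindings": [], "warnings": []}
            continue
        username, groups = ident
        hits = matching_bindings(username, groups, bindings)
        warnings = []
        for h in hits:
            if h["role"] == "ClusterRole/cluster-admin":
                warnings.append(f"{h['binding']}: cluster-admin via {h['via']}")
            if h["via"] == "system:authenticated":
                warnings.append(f"{h['binding']}: reaches every authenticated SubAccount")
        report[idno] = {"authenticated": True, "username": username,
                        "groups": sorted(groups), "bindings": hits, "warnings": warnings}
    return report


if __name__ == "__main__":
    print(json.dumps(audit(["1234567", "7654321", "9999999"], NCP_AUTH, SUB_ACCOUNT_GROUPS, BINDINGS_JSON), indent=2))
```

    With the constructed inputs, 1234567 (alice) is reached by three bindings, two of them through the SubAccount group and the explicit group as intended, and 9999999, which is not in mapSubAccounts at all, still authenticates because of authenticateAll and is made cluster-admin by the 'everyone-admin' binding. Setting authenticateAll to "false" in the same data makes 9999999 unauthenticated, which is the effect described in the previous section.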
    
