Managing IAM authentication user
The latest service changes have not yet been reflected in this content. We will update the content as soon as possible. Please refer to the Korean version for information on the latest updates.
Available in VPC
Once a Ncloud Kubernetes Service cluster has been created, the Sub Account that created it and the Main account are automatically placed in the 'system:masters' group of the cluster's RBAC configuration. This mapping is not shown in the cluster information or in any ConfigMap, and members of 'system:masters' have unrestricted access to the API server regardless of any RoleBinding or ClusterRoleBinding, so it cannot be narrowed or audited through RBAC objects. To grant any other IAM user access to the cluster, register the 'ncp-auth' ConfigMap in the 'kube-system' namespace.
This is done after 'ncp-iam-authenticator' has been installed and an IAM authentication kubeconfig has been created. See Install ncp-iam-authenticator and Create IAM authentication kubeconfig.
Add IAM user to cluster
- The 'kubectl' credentials used for the following steps must be those of the Sub Account that created the cluster or of the Main account.
- Create the 'ncp-auth' ConfigMap.
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: ncp-auth
  namespace: kube-system
data:
  mapSubAccounts: |
    - subAccountIdNo: <iam-user-idno>
      username: <username>
      groups:
      - <groups>
EOF
- The IAM user parameters in the ConfigMap are as follows (keys are case-sensitive):
- subAccountIdNo: the ID of the Sub Account user to be added; it can be checked in the Sub Account console
- username: the Kubernetes user name to which the IAM user is mapped
- groups: the list of Kubernetes groups to which the user is mapped. For more information, see Default roles and role bindings.
- Check the list of users the authenticator has actually applied through the 'ncloud.com/applied-ncp-auth' annotation on the 'ncp-auth' ConfigMap. An entry that is present in 'mapSubAccounts' but missing from the annotation has not taken effect yet.
$ kubectl --kubeconfig $KUBE_CONFIG -n kube-system get configmap ncp-auth -o yaml
...
metadata:
  annotations:
    ncloud.com/applied-ncp-auth: '[{"SubAccountIdNo":"<iam-user-idno>","Username":"<username>","Groups":["<groups>"]}]'
...
- Mapping an IAM user only establishes its identity; it has no permissions until the Kubernetes user or one of its groups is bound to a role through a 'RoleBinding' or 'ClusterRoleBinding'. Check that such a binding exists for each mapped user or group. For more information, see Using RBAC Authorization in the Kubernetes documentation.
- Permission to view resources in all namespaces: the example binds the group 'full-access-group', which must be listed under the IAM user's groups in the 'ncp-auth' ConfigMap. Despite its name, the ClusterRole below grants only 'get' and 'list' on the listed resources.
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: full-access-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: full-access-binding
subjects:
- kind: Group
  name: full-access-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: full-access-clusterrole
  apiGroup: rbac.authorization.k8s.io
EOF
- Permission to view resources in a specific namespace: the manifest below uses the 'default' namespace, so change it to the namespace you want. The group name is 'restricted-access-group', which must be listed under the IAM user's groups in the 'ncp-auth' ConfigMap. The ClusterRole gives read access to nodes and namespaces cluster-wide, while the Role limits reads of pods and workloads to the one namespace.
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: restricted-access-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: restricted-access-clusterrole-binding
subjects:
- kind: Group
  name: restricted-access-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: restricted-access-clusterrole
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: restricted-access-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: restricted-access-role-binding
  namespace: default
subjects:
- kind: Group
  name: restricted-access-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: restricted-access-role
  apiGroup: rbac.authorization.k8s.io
EOF
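The step above says to confirm the mapping through the 'ncloud.com/applied-ncp-auth' annotation. The following script, an added example that is not part of the Ncloud documentation or of ncp-iam-authenticator, does that comparison on the output of 'kubectl get configmap ncp-auth -n kube-system -o json': it parses the 'mapSubAccounts' fragment with a small parser (so no PyYAML is needed), rejects wrongly cased keys before they are applied, and reports which Sub Accounts are in effect as declared, which are still pending, and which are still in effect although they were removed from the ConfigMap. It assumes that the annotation lists exactly the entries currently used by the authenticator; the sample ConfigMap is constructed.

```python
"""Compare the Sub Accounts declared in ncp-auth's mapSubAccounts with the ones the
authenticator reports as applied (ncloud.com/applied-ncp-auth annotation).
Added example; it assumes the annotation lists exactly the entries in effect."""
import json

ENTRY_KEYS = ("subAccountIdNo", "username", "groups")   # keys are case-sensitive
APPLIED_ANNOTATION = "ncloud.com/applied-ncp-auth"


def parse_map_sub_accounts(text):
    """Parse the block-style YAML list in mapSubAccounts without PyYAML.

    Only the shape the documentation shows is accepted: items opening with
    '- subAccountIdNo: ...', then 'username:' and 'groups:' with one '- <group>'
    line per group. Unknown keys (including wrongly cased ones) and flow-style
    lists raise ValueError so the mistake is caught before 'kubectl apply'.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        is_item = line.startswith("- ")
        body = line[2:].strip() if is_item else line
        key, sep, value = body.partition(":")
        # YAML reads 'key: value' or a bare 'key:' as a mapping; 'system:masters' is a scalar.
        is_mapping = sep == ":" and (value == "" or value.startswith(" "))
        if is_mapping:
            if key not in ENTRY_KEYS:
                raise ValueError(f"unknown key {key!r} in mapSubAccounts: {raw!r}")
            if is_item:                      # '- subAccountIdNo: ...' opens a new entry
                current = {"subAccountIdNo": "", "username": "", "groups": []}
                entries.append(current)
            if current is None:
                raise ValueError(f"key before the first list item: {raw!r}")
            if key == "groups":
                if value.strip():
                    raise ValueError(f"flow-style group list not supported: {raw!r}")
            else:
                current[key] = value.strip().strip("'\"")
        elif is_item and current is not None:  # '- <group>' under 'groups:'
            current["groups"].append(body.strip("'\""))
        else:
            raise ValueError(f"unexpected line in mapSubAccounts: {raw!r}")
    for entry in entries:
        if not entry["subAccountIdNo"] or not entry["username"]:
            raise ValueError(f"entry missing subAccountIdNo or username: {entry}")
    return entries


def lint_map_sub_accounts(text):
    """Return None if the fragment parses cleanly, otherwise the error message."""
    try:
        parse_map_sub_accounts(text)
    except ValueError as exc:
        return str(exc)
    return None


def applied_entries(configmap):
    """Entries the authenticator reports as applied, normalised to the declared shape."""
    annotations = configmap.get("metadata", {}).get("annotations", {})
    return [
        {"subAccountIdNo": e["SubAccountIdNo"], "username": e["Username"],
         "groups": list(e.get("Groups") or [])}
        for e in json.loads(annotations.get(APPLIED_ANNOTATION, "[]"))
    ]


def compare_declared_with_applied(configmap):
    """Split Sub Accounts into applied (in effect exactly as declared), pending (declared
    but not in effect, or in effect with a different username/groups) and stale (in
    effect but no longer declared, so the account can still authenticate)."""
    declared = {e["subAccountIdNo"]: e for e in
                parse_map_sub_accounts(configmap.get("data", {}).get("mapSubAccounts", ""))}
    applied = {e["subAccountIdNo"]: e for e in applied_entries(configmap)}
    return {
        "applied": sorted(i for i in declared if applied.get(i) == declared[i]),
        "pending": sorted(i for i in declared if applied.get(i) != declared[i]),
        "stale": sorted(i for i in applied if i not in declared),
    }


# Constructed sample in the shape of 'kubectl get configmap ncp-auth -n kube-system -o json':
# 1001 is applied as declared, 1002 was just added, 1003 was removed but is still applied.
SAMPLE_CONFIGMAP = {
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {
        "name": "ncp-auth", "namespace": "kube-system",
        "annotations": {APPLIED_ANNOTATION: json.dumps([
            {"SubAccountIdNo": "1001", "Username": "alice", "Groups": ["restricted-access-group"]},
            {"SubAccountIdNo": "1003", "Username": "carol", "Groups": ["full-access-group"]},
        ])},
    },
    "data": {"mapSubAccounts": (
        "- subAccountIdNo: 1001\n"
        "  username: alice\n"
        "  groups:\n"
        "  - restricted-access-group\n"
        "- subAccountIdNo: 1002\n"
        "  username: bob\n"
        "  groups:\n"
        "  - full-access-group\n"
    )},
}

if __name__ == "__main__":
    print(json.dumps(compare_declared_with_applied(SAMPLE_CONFIGMAP), indent=2))
```

Run it against a real dump with 'kubectl get configmap ncp-auth -n kube-system -o json' piped into 'json.load'; a non-empty 'stale' list means a removed user can still authenticate until the authenticator reconciles, and 'lint_map_sub_accounts' on a manifest before applying it catches a typo such as 'subaccountIdNo'.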
Authenticating all Sub Accounts without registering them in mapSubAccounts
- If you set 'authenticateAll' to "true" in the 'ncp-auth' ConfigMap, every Sub Account under the Main account is authenticated by the cluster even if it is not listed in mapSubAccounts. Authentication only establishes an identity; such accounts have no permissions until a RoleBinding or ClusterRoleBinding reaches their Kubernetes user or group. Keep in mind that every authenticated user belongs to the Kubernetes group 'system:authenticated', so any binding on that group applies to all Sub Accounts once this is enabled. If mapSubAccounts was previously created with 'kubectl apply', keep that key in the manifest as well: 'kubectl apply' removes keys that were in the last applied configuration but are absent from the new one.
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: ncp-auth
  namespace: kube-system
data:
  authenticateAll: "true"
EOF
- Authenticated Sub Accounts still need a 'RoleBinding' or 'ClusterRoleBinding' that binds their Kubernetes user or group to a role, exactly as for Sub Account users added through mapSubAccounts.
Using a Sub Account group as a Kubernetes group
- A Sub Account user that belongs to a Sub Account group is placed in the Kubernetes group whose name is the Sub Account group name with the prefix 'ncp-sub-account-group:'. Group membership managed in the Sub Account console therefore translates directly into RBAC subjects.
- The following example grants 'full-access-clusterrole' to all users belonging to the Sub Account group named 'full-access':
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: full-access-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: full-access-binding
subjects:
- kind: Group
  name: ncp-sub-account-group:full-access
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: full-access-clusterrole
  apiGroup: rbac.authorization.k8s.io
EOF
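The three mechanisms on this page (explicit mapping in mapSubAccounts, 'authenticateAll', and the 'ncp-sub-account-group:' prefix) all end in the same question: which RoleBindings and ClusterRoleBindings actually reach a given Sub Account? The script below, an added example that is not part of the Ncloud documentation or of ncp-iam-authenticator, answers it offline from the applied-user annotation on 'ncp-auth', the Sub Account group membership read from the Sub Account console (supplied by hand here), and the binding objects as returned by 'kubectl get clusterrolebindings,rolebindings -A -o json'. It adds the implicit 'system:authenticated' group to every user and flags full-control grants ('system:masters' membership or a binding to 'cluster-admin'). The page does not state what user name an unmapped Sub Account receives under 'authenticateAll', so the example resolves only accounts listed in the annotation and reports the flag alongside them. All sample data is constructed.

```python
"""Resolve the RBAC bindings that reach each Sub Account the ncp-auth authenticator
has applied, including groups derived from Sub Account group membership.
Added example, not part of ncp-iam-authenticator."""
import json

SUB_ACCOUNT_GROUP_PREFIX = "ncp-sub-account-group:"   # prefix documented for Sub Account groups
AUTHENTICATED_GROUP = "system:authenticated"          # Kubernetes adds this to every authenticated user
FULL_CONTROL_GROUP = "system:masters"                 # unrestricted access regardless of RBAC
FULL_CONTROL_ROLE = ("ClusterRole", "cluster-admin")
APPLIED_ANNOTATION = "ncloud.com/applied-ncp-auth"


def kubernetes_groups(mapped_groups, sub_account_groups):
    """Groups the API server sees for one Sub Account: the mapSubAccounts groups,
    one prefixed group per Sub Account group, and system:authenticated."""
    groups = set(mapped_groups)
    groups.update(SUB_ACCOUNT_GROUP_PREFIX + g for g in sub_account_groups)
    groups.add(AUTHENTICATED_GROUP)
    return groups


def matching_bindings(username, groups, bindings):
    """Bindings (items of 'kubectl get clusterrolebindings,rolebindings -A -o json')
    whose subjects name the user directly or via one of its groups."""
    hits = []
    for b in bindings:
        for s in b.get("subjects") or []:
            if (s.get("kind") == "User" and s.get("name") == username) or \
               (s.get("kind") == "Group" and s.get("name") in groups):
                hits.append({
                    "binding": b["kind"] + "/" + b["metadata"]["name"],
                    "namespace": b["metadata"].get("namespace", ""),  # empty for ClusterRoleBinding
                    "role": (b["roleRef"]["kind"], b["roleRef"]["name"]),
                })
                break
    return hits


def resolve_access(configmap, sub_account_groups, bindings):
    """Per applied Sub Account: its Kubernetes user, effective groups, the bindings
    that reach it, and whether any of them amounts to full cluster control."""
    annotation = configmap["metadata"].get("annotations", {}).get(APPLIED_ANNOTATION, "[]")
    accounts = {}
    for entry in json.loads(annotation):
        acct = entry["SubAccountIdNo"]
        groups = kubernetes_groups(entry.get("Groups") or [], sub_account_groups.get(acct, []))
        hits = matching_bindings(entry["Username"], groups, bindings)
        accounts[acct] = {
            "username": entry["Username"],
            "groups": sorted(groups),
            "bindings": sorted(h["binding"] for h in hits),
            "full_control": FULL_CONTROL_GROUP in groups
                            or any(h["role"] == FULL_CONTROL_ROLE for h in hits),
        }
    authenticate_all = configmap.get("data", {}).get("authenticateAll", "").strip().lower() == "true"
    return {"authenticate_all": authenticate_all, "accounts": accounts}


# Constructed sample: alice is mapped to restricted-access-group; bob has no mapped groups
# but belongs to the Sub Account group 'full-access' (membership as read from the console).
SAMPLE_CONFIGMAP = {
    "metadata": {"name": "ncp-auth", "namespace": "kube-system", "annotations": {
        APPLIED_ANNOTATION: json.dumps([
            {"SubAccountIdNo": "1001", "Username": "alice", "Groups": ["restricted-access-group"]},
            {"SubAccountIdNo": "1002", "Username": "bob", "Groups": []},
        ])}},
    "data": {"authenticateAll": "true"},
}
SAMPLE_SUB_ACCOUNT_GROUPS = {"1002": ["full-access"]}


def _binding(kind, name, subject_group, role_kind, role_name, namespace=None):
    """Build a binding object in the shape the API server returns (Group subject only)."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"kind": kind, "metadata": meta,
            "subjects": [{"kind": "Group", "name": subject_group, "apiGroup": "rbac.authorization.k8s.io"}],
            "roleRef": {"kind": role_kind, "name": role_name, "apiGroup": "rbac.authorization.k8s.io"}}


SAMPLE_BINDINGS = [  # the bindings defined on this page
    _binding("ClusterRoleBinding", "full-access-binding", "ncp-sub-account-group:full-access",
             "ClusterRole", "full-access-clusterrole"),
    _binding("ClusterRoleBinding", "restricted-access-clusterrole-binding", "restricted-access-group",
             "ClusterRole", "restricted-access-clusterrole"),
    _binding("RoleBinding", "restricted-access-role-binding", "restricted-access-group",
             "Role", "restricted-access-role", namespace="default"),
]
# Constructed misconfiguration: combined with authenticateAll this hands cluster-admin to every Sub Account.
OVERBROAD_BINDING = _binding("ClusterRoleBinding", "everyone-admin", AUTHENTICATED_GROUP,
                             "ClusterRole", "cluster-admin")

if __name__ == "__main__":
    print(json.dumps(resolve_access(SAMPLE_CONFIGMAP, SAMPLE_SUB_ACCOUNT_GROUPS, SAMPLE_BINDINGS), indent=2))
```

With the page's own bindings nobody gets full control; appending 'OVERBROAD_BINDING' makes every account full_control, which is the case to look for whenever 'authenticateAll' is on, since 'system:authenticated' then covers every Sub Account under the Main account.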