Managing IAM authentication user (ConfigMap)


Available in VPC

When a cluster is created, both the SubAccount that created it and the main account are automatically placed in the system:masters group in the cluster's RBAC configuration. This mapping is not shown in the cluster information or in any ConfigMap. To let another IAM user use the cluster, register the ncp-auth ConfigMap in the kube-system namespace.

Note

You can configure this once ncp-iam-authenticator is installed and the kubeconfig has been created. See Install ncp-iam-authenticator and Create IAM authentication kubeconfig.

Add IAM user to cluster

  1. kubectl must be using the credentials of the SubAccount that created the cluster or of the main account, since only those principals are in system:masters before the ConfigMap exists.
  2. Create the ncp-auth ConfigMap.
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: ncp-auth
  namespace: kube-system
data:
  mapSubAccounts: |
    - subAccountIdNo: <iam-user-idno>
      username: <username>
      groups:
        - <groups>
EOF
  3. The IAM user parameters in the ConfigMap are as follows:
    • subAccountIdNo: the ID of the SubAccount user to be added; it can be checked in the SubAccount console
    • username: the Kubernetes user name the IAM user is mapped to
    • groups: the list of Kubernetes groups the user is mapped to. For more details, see Default roles and role bindings.
  4. You can check the list of users that have actually been applied through the ncloud.com/applied-ncp-auth annotation on the ncp-auth ConfigMap. Compare it with what you wrote in mapSubAccounts; an entry missing from the annotation has not taken effect.
$ kubectl --kubeconfig $KUBE_CONFIG -n kube-system get configmap ncp-auth -o yaml
...
metadata:
  annotations:
     ncloud.com/applied-ncp-auth: '[{"SubAccountIdNo":"<iam-user-idno>","Username":"<username>","Groups":["<groups>"]}]'
...     
  5. Check that the IAM user, or the user or group it is mapped to, is bound to a Kubernetes role through a RoleBinding or ClusterRoleBinding. For more information, see Using RBAC Authorization in the Kubernetes documentation.
  • Permission to view resources in all namespaces - the group name is full-access-group, and this group must be listed under groups for the IAM user in the ncp-auth ConfigMap.
Note
  • Despite its name, full-access-group only grants get and list on the resources listed in the ClusterRole below; it is not cluster administrator authority.
  • If cluster administrator authority is needed, map the user to the system:masters group that Kubernetes provides by default. The API server treats members of system:masters as superusers and bypasses RBAC for them entirely, so grant this mapping only when unavoidable and review it regularly.
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -  
apiVersion: rbac.authorization.k8s.io/v1  
kind: ClusterRole  
metadata:  
 name: full-access-clusterrole  
rules:  
- apiGroups:  
  - ""  
  resources:  
  - nodes  
  - namespaces  
  - pods  
  verbs:  
  - get  
  - list  
- apiGroups:  
  - apps  
  resources:  
  - deployments  
  - daemonsets  
  - statefulsets  
  - replicasets  
  verbs:  
  - get  
  - list  
- apiGroups:  
  - batch  
  resources:  
  - jobs  
  verbs:  
  - get  
  - list  
---  
apiVersion: rbac.authorization.k8s.io/v1  
kind: ClusterRoleBinding  
metadata:  
 name: full-access-binding  
subjects:  
- kind: Group  
  name: full-access-group  
  apiGroup: rbac.authorization.k8s.io  
roleRef:  
 kind: ClusterRole  
 name: full-access-clusterrole  
 apiGroup: rbac.authorization.k8s.io  
EOF  
  • Permission to view resources in a specific namespace - the Role and RoleBinding in the file below are created in the default namespace; change the namespace to the one you want before applying. The group name is restricted-access-group, and this group must be listed under groups for the IAM user in the ncp-auth ConfigMap. Note that the ClusterRole part still grants cluster-wide get and list on nodes and namespaces.
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -  
apiVersion: rbac.authorization.k8s.io/v1  
kind: ClusterRole  
metadata:  
  name: restricted-access-clusterrole  
rules:  
- apiGroups:  
  - ""  
  resources:  
  - nodes  
  - namespaces  
  verbs:  
  - get  
  - list  
---  
apiVersion: rbac.authorization.k8s.io/v1  
kind: ClusterRoleBinding  
metadata:  
  name: restricted-access-clusterrole-binding  
subjects:  
- kind: Group  
  name: restricted-access-group  
  apiGroup: rbac.authorization.k8s.io  
roleRef:  
  kind: ClusterRole  
  name: restricted-access-clusterrole  
  apiGroup: rbac.authorization.k8s.io  
---  
apiVersion: rbac.authorization.k8s.io/v1  
kind: Role  
metadata:  
  namespace: default  
  name: restricted-access-role  
rules:  
- apiGroups:  
  - ""  
  resources:  
  - pods  
  verbs:  
  - get  
  - list  
- apiGroups:  
  - apps  
  resources:  
  - deployments  
  - daemonsets  
  - statefulsets  
  - replicasets  
  verbs:  
  - get  
  - list  
- apiGroups:  
  - batch  
  resources:  
  - jobs  
  verbs:  
  - get  
  - list  
---  
apiVersion: rbac.authorization.k8s.io/v1  
kind: RoleBinding  
metadata:  
  name: restricted-access-role-binding  
  namespace: default  
subjects:  
- kind: Group  
  name: restricted-access-group  
  apiGroup: rbac.authorization.k8s.io  
roleRef:  
  kind: Role  
  name: restricted-access-role  
  apiGroup: rbac.authorization.k8s.io  
EOF  

Authenticate all SubAccounts without registering them in mapSubAccounts

  1. If you set authenticateAll to "true" in the ncp-auth ConfigMap, every SubAccount in the account is authenticated even if it is not listed in mapSubAccounts. Authentication only establishes an identity; such a user can do nothing until a RoleBinding or ClusterRoleBinding applies to it. The manifest below contains only authenticateAll: if the ConfigMap was created with kubectl apply as above, applying a manifest that omits mapSubAccounts removes those entries, so keep the existing mapSubAccounts in the manifest (or patch only the authenticateAll key).
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -  
apiVersion: v1  
kind: ConfigMap  
metadata:  
  name: ncp-auth  
  namespace: kube-system  
data:  
  authenticateAll: "true"  
EOF  
  2. Authenticated users must still be bound to a Kubernetes role through a RoleBinding or ClusterRoleBinding, in the same way as SubAccount users added through mapSubAccounts. Because every authenticated principal is also a member of the system:authenticated group, any binding to system:authenticated now applies to every SubAccount in the account; avoid such bindings while authenticateAll is on.

Use SubAccount group as Kubernetes group

  1. A SubAccount user that belongs to a SubAccount group is placed in the Kubernetes group whose name is the SubAccount group name with the prefix ncp-sub-account-group: (for example, the SubAccount group full-access becomes the Kubernetes group ncp-sub-account-group:full-access). Membership is therefore managed in the SubAccount console, not in the ncp-auth ConfigMap.
  2. The following example grants full-access-clusterrole to all users in the SubAccount group called full-access:
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -  
apiVersion: rbac.authorization.k8s.io/v1  
kind: ClusterRole  
metadata:  
 name: full-access-clusterrole  
rules:  
- apiGroups:  
  - ""  
  resources:  
  - nodes  
  - namespaces  
  - pods  
  verbs:  
  - get  
  - list  
- apiGroups:  
  - apps  
  resources:  
  - deployments  
  - daemonsets  
  - statefulsets  
  - replicasets  
  verbs:  
  - get  
  - list  
- apiGroups:  
  - batch  
  resources:  
  - jobs  
  verbs:  
  - get  
  - list  
---  
apiVersion: rbac.authorization.k8s.io/v1  
kind: ClusterRoleBinding  
metadata:  
 name: full-access-binding  
subjects:  
- kind: Group  
  name: ncp-sub-account-group:full-access  
  apiGroup: rbac.authorization.k8s.io  
roleRef:  
 kind: ClusterRole  
 name: full-access-clusterrole  
 apiGroup: rbac.authorization.k8s.io  
EOF
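The following is an added example and is not code from the NAVER Cloud documentation or from ncp-iam-authenticator. It models, offline, what the mapSubAccounts steps, the authenticateAll switch and the ncp-sub-account-group: prefix above produce for each SubAccount, then walks the cluster's RoleBindings and ClusterRoleBindings to show which ones reach that identity. It flags mappings to system:masters, users who are authenticated but bound to nothing, and bindings to system:authenticated, which under authenticateAll apply to every SubAccount in the account. The input shapes are what kubectl get -o json returns; the SubAccount list, ConfigMap and bindings in the block are constructed sample data. Two assumptions are marked in the code: the username an unmapped SubAccount receives under authenticateAll (the page does not say), and that the ncp-sub-account-group: prefix is applied to every authenticated SubAccount.

```python
"""Offline audit of the identities and role bindings an ncp-auth ConfigMap produces.

Inputs are the shapes kubectl already returns as JSON:
  kubectl -n kube-system get configmap ncp-auth -o json
  kubectl get clusterrolebindings,rolebindings -A -o json   (use the .items list)
The SubAccount list is what the SubAccount console shows (constructed below).
"""
import json

SUBACCOUNT_GROUP_PREFIX = "ncp-sub-account-group:"
APPLIED_ANNOTATION = "ncloud.com/applied-ncp-auth"


def applied_mapping(configmap):
    """Entries the authenticator actually applied, keyed by SubAccount ID (JSON in the annotation)."""
    raw = configmap["metadata"].get("annotations", {}).get(APPLIED_ANNOTATION, "[]")
    return {m["SubAccountIdNo"]: m for m in json.loads(raw)}


def authenticate_all(configmap):
    return configmap.get("data", {}).get("authenticateAll", "false").strip().lower() == "true"


def identity_for(sub_account, configmap):
    """Kubernetes (username, groups) for one SubAccount, or None if it is not authenticated."""
    entry = applied_mapping(configmap).get(sub_account["idNo"])
    if entry is None and not authenticate_all(configmap):
        return None
    # Assumption: an unmapped SubAccount admitted by authenticateAll is identified by its
    # SubAccount ID; the documentation does not state which username it receives.
    username = entry["Username"] if entry else sub_account["idNo"]
    groups = set(entry["Groups"]) if entry else set()
    # Assumption: the ncp-sub-account-group: prefix is applied to every authenticated SubAccount.
    groups |= {SUBACCOUNT_GROUP_PREFIX + g for g in sub_account.get("ncpGroups", [])}
    groups.add("system:authenticated")  # Kubernetes adds this group to every authenticated principal
    return username, groups


def matching_bindings(username, groups, bindings):
    """(binding name, namespace or None, roleRef name, subject that matched) per applicable binding."""
    hits = []
    for b in bindings:
        for s in b.get("subjects", []):
            if (s["kind"] == "User" and s["name"] == username) or \
               (s["kind"] == "Group" and s["name"] in groups):
                hits.append((b["metadata"]["name"], b["metadata"].get("namespace"),
                             b["roleRef"]["name"], s["name"]))
                break
    return hits


def audit(sub_accounts, configmap, bindings):
    """Per SubAccount: the identity it gets, the bindings that reach it, and what to review."""
    report = {}
    for sa in sub_accounts:
        ident = identity_for(sa, configmap)
        if ident is None:
            report[sa["idNo"]] = {"authenticated": False, "bindings": [], "issues": []}
            continue
        username, groups = ident
        hits = matching_bindings(username, groups, bindings)
        issues = []
        if "system:masters" in groups:
            issues.append("system:masters: superuser, the API server bypasses RBAC for this group")
        if not hits:
            issues.append("authenticated but bound to no role")
        for name, ns, role, subject in hits:
            if subject == "system:authenticated" and authenticate_all(configmap):
                issues.append(f"{name} binds system:authenticated: with authenticateAll every SubAccount gets {role}")
            if ns is None and role == "cluster-admin":
                issues.append(f"{name}: cluster-admin")
        report[sa["idNo"]] = {"authenticated": True, "username": username, "groups": sorted(groups),
                              "bindings": [h[0] for h in hits], "issues": issues}
    return report


# --- constructed sample data, not taken from a real cluster ---------------------------------
NCP_AUTH = {
    "metadata": {"name": "ncp-auth", "namespace": "kube-system", "annotations": {APPLIED_ANNOTATION: json.dumps([
        {"SubAccountIdNo": "1001", "Username": "alice", "Groups": ["restricted-access-group"]},
        {"SubAccountIdNo": "1002", "Username": "bob", "Groups": ["system:masters"]}])}},
    "data": {"authenticateAll": "true"},
}
SUB_ACCOUNTS = [{"idNo": "1001", "ncpGroups": []}, {"idNo": "1002", "ncpGroups": []},
                {"idNo": "1003", "ncpGroups": ["full-access"]}, {"idNo": "1004", "ncpGroups": []}]


def _binding(kind, name, group, role_kind, role, namespace=None):
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta, "subjects": [{"kind": "Group", "name": group}],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": role_kind, "name": role}}


BINDINGS = [  # the page's bindings, plus one careless binding to system:authenticated
    _binding("ClusterRoleBinding", "full-access-binding", "ncp-sub-account-group:full-access", "ClusterRole", "full-access-clusterrole"),
    _binding("ClusterRoleBinding", "restricted-access-clusterrole-binding", "restricted-access-group", "ClusterRole", "restricted-access-clusterrole"),
    _binding("RoleBinding", "restricted-access-role-binding", "restricted-access-group", "Role", "restricted-access-role", "default"),
    _binding("ClusterRoleBinding", "everyone-can-view", "system:authenticated", "ClusterRole", "view"),
]

if __name__ == "__main__":
    for id_no, entry in audit(SUB_ACCOUNTS, NCP_AUTH, BINDINGS).items():
        print(id_no, json.dumps(entry))
```

To run it against a real cluster, load the ncp-auth ConfigMap and the .items of kubectl get clusterrolebindings,rolebindings -A -o json in place of the constructed data. The model only shows which bindings reach an identity; to confirm what the API server itself will allow, run kubectl auth can-i --list --as <username> --as-group <group> with the admin kubeconfig for the mapped username and each of its groups.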