Managing IAM authentication user
Available in VPC
Once an Ncloud Kubernetes Service cluster is created, the Sub Account that created the cluster and the Main account are automatically placed in the 'system:masters' group in the cluster's RBAC configuration, but this setting is not displayed in the cluster information or in any ConfigMap. To grant an IAM user permission to use the cluster, the 'ncp-auth' ConfigMap must be registered in the 'kube-system' namespace.
Note
This can be set up when 'ncp-iam-authenticator' is installed and the kubeconfig is created. See Install ncp-iam-authenticator and Create IAM authentication kubeconfig.
Add IAM user to cluster
- The 'kubectl' credentials must be those of the Sub Account that created the cluster or of the Main account.
- Create the 'ncp-auth' ConfigMap.
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: ncp-auth
  namespace: kube-system
data:
  mapSubAccounts: |
    - subAccountIdNo: <iam-user-idno>
      username: <username>
      groups:
      - <groups>
EOF
- The IAM user parameters in the ConfigMap are as follows:
- subAccountIdNo: the ID of the Sub Account user to be added; it can be checked in the Sub Account console
- username: the Kubernetes user name that the IAM user is mapped to
- groups: the list of Kubernetes groups that the user is mapped to. For more information, see Default roles and role bindings.
- Check the list of applied users through the 'ncloud.com/applied-ncp-auth' annotation of the 'ncp-auth' ConfigMap.
$ kubectl --kubeconfig $KUBE_CONFIG -n kube-system get configmap ncp-auth -o yaml
...
metadata:
  annotations:
    ncloud.com/applied-ncp-auth: '[{"SubAccountIdNo":"<iam-user-idno>","Username":"<username>","Groups":["<groups>"]}]'
...
- Check that the IAM user, or the Kubernetes user or group it is mapped to, is bound to a Kubernetes role through a 'RoleBinding' or 'ClusterRoleBinding'. For more information, see Using RBAC Authorization in the Kubernetes documentation.
- Permission to view resources in all namespaces - The group name is 'full-access-group', and it must be mapped to the IAM user's groups in the 'ncp-auth' ConfigMap.
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: full-access-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: full-access-binding
subjects:
- kind: Group
  name: full-access-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: full-access-clusterrole
  apiGroup: rbac.authorization.k8s.io
EOF
- Permission to view resources in a specific namespace - The namespace in the file below is 'default'; change it to the namespace you want before applying. The group name is 'restricted-access-group', and it must be set in the IAM user's groups in the 'ncp-auth' ConfigMap.
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: restricted-access-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: restricted-access-clusterrole-binding
subjects:
- kind: Group
  name: restricted-access-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: restricted-access-clusterrole
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: restricted-access-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: restricted-access-role-binding
  namespace: default
subjects:
- kind: Group
  name: restricted-access-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: restricted-access-role
  apiGroup: rbac.authorization.k8s.io
EOF
Authenticating all Sub Accounts without registering them in mapSubAccounts
- If you add 'authenticateAll' with the value "true" to the 'ncp-auth' ConfigMap, every Sub Account is authenticated, even those that are not listed in mapSubAccounts.
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: ncp-auth
  namespace: kube-system
data:
  authenticateAll: "true"
EOF
- Users authenticated this way still need a 'RoleBinding' or 'ClusterRoleBinding' that binds their Kubernetes user or group to a Kubernetes role, in the same way as Sub Account users that were added to the cluster explicitly.
Using a Sub Account Group as a Kubernetes Group
- Sub Account users that belong to a Sub Account group are placed in the Kubernetes group whose name is the Sub Account group name with the prefix 'ncp-sub-account-group:'.
- The following example grants full-access-clusterrole to all users belonging to the Sub Account group named full-access:
$ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: full-access-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: full-access-binding
subjects:
- kind: Group
  name: ncp-sub-account-group:full-access
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: full-access-clusterrole
  apiGroup: rbac.authorization.k8s.io
EOF
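The three sections above (mapSubAccounts entries, authenticateAll, and the 'ncp-sub-account-group:' prefix) all end at the same question: which Kubernetes user and groups does a given Sub Account become, and what do the RoleBindings and ClusterRoleBindings then let it do? The following script is an added example, not code from Ncloud or from ncp-iam-authenticator. It reconstructs that chain offline: a constructed 'ncp-auth' ConfigMap (in the JSON shape 'kubectl get configmap ... -o json' returns, which is assumed), the page's ClusterRoles, Roles and bindings transcribed as data, and a deliberately minimal RBAC evaluator. The Sub Account IDs, user names, and the 'subaccount:<id>' placeholder username for an unmapped Sub Account under authenticateAll are all constructed assumptions; the page does not state which username such a user receives.

```python
# Added example, not Ncloud's or ncp-iam-authenticator's code. It walks the chain
# Sub Account -> 'ncp-auth' ConfigMap -> Kubernetes user/groups -> RBAC bindings so that
# "what can this Sub Account do in the cluster?" can be answered before credentials go out.
import json

# Constructed sample 'ncp-auth' ConfigMap in the (assumed) shape of
# 'kubectl -n kube-system get configmap ncp-auth -o json'. IDs and names are made up.
NCP_AUTH = {
    "metadata": {"annotations": {"ncloud.com/applied-ncp-auth": json.dumps(
        [{"SubAccountIdNo": "1001", "Username": "alice", "Groups": ["full-access-group"]}])}},
    "data": {"authenticateAll": "false", "mapSubAccounts": (
        "- subAccountIdNo: 1001\n  username: alice\n  groups:\n  - full-access-group\n"
        "- subAccountIdNo: 1002\n  username: bob\n  groups:\n  - restricted-access-group\n"
        "- subAccountIdNo: 1003\n  username: carol\n  groups:\n  - system:masters\n")},
}

# The page's RBAC objects transcribed as data. Simplification: a Role is assumed to live in the
# namespace of the RoleBinding that references it, and every binding subject is a Group (as on the page).
READ = ["get", "list"]


def core(*resources):
    return {"apiGroups": [""], "resources": list(resources), "verbs": READ}


APPS = {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets", "statefulsets", "replicasets"], "verbs": READ}
JOBS = {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": READ}
ROLES = {
    ("ClusterRole", "full-access-clusterrole"): [core("nodes", "namespaces", "pods"), APPS, JOBS],
    ("ClusterRole", "restricted-access-clusterrole"): [core("nodes", "namespaces")],
    ("Role", "restricted-access-role"): [core("pods"), APPS, JOBS],
}
BINDINGS = [  # (kind, namespace, Group subject, roleRef)
    ("ClusterRoleBinding", None, "full-access-group", ("ClusterRole", "full-access-clusterrole")),
    ("ClusterRoleBinding", None, "ncp-sub-account-group:full-access", ("ClusterRole", "full-access-clusterrole")),
    ("ClusterRoleBinding", None, "restricted-access-group", ("ClusterRole", "restricted-access-clusterrole")),
    ("RoleBinding", "default", "restricted-access-group", ("Role", "restricted-access-role")),
]


def parse_map_sub_accounts(text):
    """Parse the small YAML list mapSubAccounts uses (only the three keys the page documents; no PyYAML)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- subAccountIdNo:"):
            entries.append({"subAccountIdNo": line.split(":", 1)[1].strip(), "groups": []})
        elif line.startswith("username:"):
            entries[-1]["username"] = line.split(":", 1)[1].strip()
        elif line.startswith("- "):  # a group name under 'groups:'
            entries[-1]["groups"].append(line[2:].strip())
    return entries


def pending_entries(configmap):
    """Sub Account IDs listed in mapSubAccounts but not yet present in the applied-ncp-auth annotation."""
    applied = json.loads(configmap["metadata"]["annotations"].get("ncloud.com/applied-ncp-auth", "[]"))
    done = {a["SubAccountIdNo"] for a in applied}
    return [e["subAccountIdNo"] for e in parse_map_sub_accounts(configmap["data"]["mapSubAccounts"]) if e["subAccountIdNo"] not in done]


def privileged_mappings(configmap):
    """Usernames the ConfigMap maps straight into system:masters, i.e. cluster superusers; review these first."""
    return [e["username"] for e in parse_map_sub_accounts(configmap["data"]["mapSubAccounts"]) if "system:masters" in e["groups"]]


def resolve_identity(configmap, sub_account_id, sub_account_groups=()):
    """Kubernetes (username, groups) the Sub Account is authenticated as, or None if authentication is refused."""
    mapped = {e["subAccountIdNo"]: e for e in parse_map_sub_accounts(configmap["data"]["mapSubAccounts"])}
    groups = ["ncp-sub-account-group:" + g for g in sub_account_groups]  # prefix rule stated on the page
    if sub_account_id in mapped:
        return mapped[sub_account_id]["username"], groups + mapped[sub_account_id]["groups"]
    if configmap["data"].get("authenticateAll") == "true":
        # Assumption: the page does not say which username an unmapped but authenticated
        # Sub Account receives, so a placeholder derived from its ID is used here.
        return "subaccount:" + sub_account_id, groups
    return None


def _rule_allows(rule, api_group, resource, verb):
    return all(v in rule[k] or "*" in rule[k] for k, v in (("apiGroups", api_group), ("resources", resource), ("verbs", verb)))


def can_i(groups, verb, resource, namespace, api_group="", roles=ROLES, bindings=BINDINGS):
    """Minimal RBAC evaluation: ClusterRoleBindings apply cluster-wide, RoleBindings only in their namespace."""
    if "system:masters" in groups:
        return True  # the API server treats system:masters as a privileged (superuser) group
    for kind, ns, group, role_ref in bindings:
        if kind == "RoleBinding" and ns != namespace:
            continue
        if group in groups and any(_rule_allows(r, api_group, resource, verb) for r in roles[role_ref]):
            return True
    return False


def sub_account_can(sub_account_id, sub_account_groups, verb, resource, namespace, api_group="", configmap=NCP_AUTH):
    """End-to-end answer: may this Sub Account <verb> <resource> in <namespace>?"""
    identity = resolve_identity(configmap, sub_account_id, sub_account_groups)
    if identity is None:
        return False  # never authenticated, so RBAC is never consulted
    _username, groups = identity
    return can_i(groups, verb, resource, namespace, api_group)


if __name__ == "__main__":
    print("not yet applied:", pending_entries(NCP_AUTH))
    print("mapped to system:masters:", privileged_mappings(NCP_AUTH))
    print("bob lists pods in default:", sub_account_can("1002", (), "list", "pods", "default"))
    print("bob lists pods in kube-system:", sub_account_can("1002", (), "list", "pods", "kube-system"))
```

Two points the script makes concrete: authenticateAll only widens who gets past authentication, so an unmapped Sub Account still gets nothing unless one of its prefixed 'ncp-sub-account-group:' groups (or a User subject) appears in a binding; and a mapSubAccounts entry whose groups include 'system:masters' bypasses every Role you wrote, which is why privileged_mappings() is worth running whenever the ConfigMap changes. Against a live cluster, the same per-user question is answered by kubectl's impersonation flags, for example 'kubectl auth can-i list pods -n default --as=bob --as-group=restricted-access-group', using the username and groups from the applied-ncp-auth annotation.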