I have a hard time trying to set up my (test) Kubernetes cluster so that it has a few users and a few namespaces, and a user can only see specific namespaces. Is there a way to do that? If yes, what is needed to
To achieve this, you have to create Roles (or a ClusterRole) and RoleBindings in the namespaces where you want to grant the users access. Here is how you can grant access to all resources for the dev-team user in the dev and qa namespaces but deny access to any resources in any other namespace.
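One way to write the setup described above, as an added example that is not part of the original answer: a single ClusterRole bound to the dev-team user by a RoleBinding in each of the dev and qa namespaces. The ClusterRole name and the binding names are assumptions; the user and namespace names come from the text.

```yaml
# Added example. "namespace-full-access" and the binding names are
# hypothetical; "dev-team", "dev" and "qa" are taken from the text above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-full-access        # hypothetical name
rules:
  - apiGroups: ["*"]                 # every API group
    resources: ["*"]                 # every resource type
    verbs: ["*"]                     # every verb
---
# A RoleBinding that references a ClusterRole grants its rules only
# inside the RoleBinding's own namespace (here: dev).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-full-access         # hypothetical name
  namespace: dev
subjects:
  - kind: User
    name: dev-team                   # must match the name the authenticator reports
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: namespace-full-access
  apiGroup: rbac.authorization.k8s.io
---
# Same binding for the qa namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-full-access         # hypothetical name
  namespace: qa
subjects:
  - kind: User
    name: dev-team
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: namespace-full-access
  apiGroup: rbac.authorization.k8s.io
```

RBAC has no deny rules: dev-team is refused everywhere else only because no binding exists for it outside dev and qa, so no ClusterRoleBinding should reference this user. You can check the result with `kubectl auth can-i list pods --namespace dev --as dev-team` and the same command against another namespace.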
There is no limit on the number of namespaces. You can create as many as you want. It doesn't actually consume cluster resources like CPU, memory, etc.
Kubernetes doesn't manage users. Normal users are assumed to be managed by an outside, independent service like LDAP or Active Directory. In a standard installation of Kubernetes (i.e., using kubeadm), authentication is done via standard transport level security (TLS) certificates.
kube-node-lease: This namespace is for the lease objects associated with each node, which improves the performance of the node heartbeats as the cluster scales.
To set the namespace for a current request, use the --namespace flag. You can permanently save the namespace for all subsequent kubectl commands in that context.
You can list the current namespaces in a cluster using:
Kubernetes starts with four initial namespaces:
kube-public: This namespace is created automatically and is readable by all users (including those not authenticated).
Before digging into how to use namespaces to prepare your Kubernetes cluster to become multi-tenant-ready, you need to know what namespaces are. A namespace is a Kubernetes object that partitions a Kubernetes cluster into multiple virtual clusters. This is done with the aid of Kubernetes names and IDs.
Namespaces are intended for use in environments with many users spread across multiple teams, or projects. For clusters with a few to tens of users, you should not need to create or think about namespaces at all. Start using namespaces when you need the features they provide.
You could set up ABAC (http://kubernetes.io/docs/admin/authorization/) and limit users to namespaces:
In the policy file you would have something like this if your user was bob and you wanted to limit him to the namespace projectCaribou:
{
  "apiVersion": "abac.authorization.kubernetes.io/v1beta1",
  "kind": "Policy",
  "spec": {
    "namespace": "projectCaribou",
    "readonly": true,
    "resource": "pods",
    "user": "bob"
  }
}