0

How can I create an additional user on Kubernetes so that he/she can access the Kubernetes cluster both from the web UI and the CLI (kubectl), and allow that user to administrate a specific namespace?

2 Answers

0

Kelsey Hightower gives a good explanation of this in his talk "Container management and deployment: from development to production". He explains limiting a user to namespaces when talking about "managing development environments" around the 21m 56s mark.

The basic idea is that you need to use Resource Quotas.

Simon I
  • 101
0

There are two methods for authorization that Kubernetes provides natively that can be used to have users who can only access specific namespaces.

Attribute Based Access Control (ABAC) is a static file which lists user rights. It has some downsides though, like the requirement for the API server to be restarted whenever you change a user's rights.

Role Based Access Control is likely your best option for this. It's a little complex to set up, but you can use it to restrict users' rights to specific namespaces.

That said, it's worth noting that as of Kubernetes 1.6, it's not considered by the maintainers to be ready for multi-tenant operation, as there are likely ways that a malicious user with access to one namespace could get access to other namespaces.

Rory McCune
  • 544
  • 4
  • 13
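
The namespace-scoped RBAC restriction described in the answer above can be expressed with the manifest below. This is an added example, not part of the original answer; the namespace `team-a`, the users `jane` and `sam`, and the object names are constructed placeholders.

```yaml
# Constructed example: "team-a", "jane" and "sam" are placeholder names.
# rbac.authorization.k8s.io/v1 is the current API group version;
# Kubernetes 1.6 served RBAC as rbac.authorization.k8s.io/v1beta1.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
# A RoleBinding is namespaced. Binding the built-in "admin" ClusterRole
# through it grants those permissions inside team-a only. Note that
# "admin" includes creating Roles and RoleBindings within the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-admin
  namespace: team-a
subjects:
  - kind: User
    name: jane        # must match the username the API server's authenticator reports
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
---
# Narrower alternative: a custom Role listing exactly what is allowed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: team-a
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-deployer
  namespace: team-a
subjects:
  - kind: User
    name: sam
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
```

To check the result, a cluster administrator can run `kubectl auth can-i create deployments --namespace team-a --as jane` and repeat it with `--namespace default`. Assuming no other bindings exist for that user, the first should answer `yes` and the second `no`.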