From 42a226404f85e97aaf7fb74cbe97acd9270e0574 Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Mon, 2 Jun 2025 15:57:59 +0200 Subject: [PATCH 1/7] feat(k8s): iam and rbac --- .../how-to/manage-kubeconfig-with-iam.mdx | 60 +++++ ...set-iam-permissions-and-implement-rbac.mdx | 233 ++++++++++++++++++ 2 files changed, 293 insertions(+) create mode 100644 pages/kubernetes/how-to/manage-kubeconfig-with-iam.mdx create mode 100644 pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx diff --git a/pages/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/pages/kubernetes/how-to/manage-kubeconfig-with-iam.mdx new file mode 100644 index 0000000000..039f65c001 --- /dev/null +++ b/pages/kubernetes/how-to/manage-kubeconfig-with-iam.mdx @@ -0,0 +1,60 @@ +--- +meta: + title: How to manage Kubeconfig files with IAM + description: This page explains how to manage Scaleway Kubeconfig files with IAM +content: + h1: How to manage Kubeconfig files with IAM + paragraph: This page explains how to manage Scaleway Kubeconfig files with IAM +tags: kubernetes kapsule-cluser +dates: + validation: 2025-06-02 + posted: 2025-06-02 +categories: + - kubernetes +--- + +A Kubeconfig file serves as a repository for essential credentials required to access a Kubernetes cluster and manage deployments. +This file contains critical information, including cluster details, authentication data, and context information, allowing users to oversee and configure their Kubernetes clusters. + +Scaleway's Identity and Access Management (IAM) is now being used to generate Kubeconfig files. This integration offers several advantages: + +- **Improved user administration:** + - When removing a cluster user, there is no longer a need to reset the admin token, mitigating security risks. +- **Increased cluster security:** + - Each user has unique credentials, enhancing security. + - Audit logs facilitate the identification of specific Kubernetes users. +- **Enhanced application security:** + - Applications within the cluster are authenticated using specific tokens. + - This authentication method is particularly useful when a pod needs to interact with the Kubernetes API, as it can authenticate using its associated [Service Account](https://kubernetes.io/docs/concepts/security/service-accounts/). + +[Identity and Access Management (IAM)](/iam/concepts/#iam) provides control over resource access. IAM policies enable the configuration of permissions for Kubernetes Kapsule clusters at the Project level. + +An [IAM policy](/iam/concepts/#policy) defines the permissions for users, groups, and applications within an Organization. It consists of a [principal](/iam/concepts/#principal) (the user, group, or application to which it applies) and IAM rules that specify permission sets and their scope. + +The [combination of IAM and Kubernetes RBAC (Role-based Acccess Control)](/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) allows you to define fine-grained access levels for cluster users. + + + + + - A Scaleway account logged into the [console](https://console.scaleway.com) + - [Created](/kubernetes/how-to/create-cluster) a Kubernetes Kapsule cluster + + +## Setting up access + +1. [Create a group](/iam/how-to/create-group/) named `k8s-group` that contains the user and the application, so they are the only ones to have access to your cluster. +2. [Create an IAM policy](/iam/how-to/create-policy/) named `k8s-policy` in the Scaleway console, with the previously created group as a [principal](/iam/concepts/#principal). Apply the corresponding IAM policy to the group. For example, `KubernetesFullAccess`. + + Refer to [Setting IAM permissions and implement RBAC on a cluster](/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) for a detailed overview about the available IAM permissions and how to fine-tune them using Kubernetes RBAC. + + +## Downloading the Kubeconfig file + +1. Click **Kubernetes** in the **Containers** section of the [Scaleway console](https://console.scaleway.com) side menu. The Kubernetes Kapsule overview displays. +2. Click the name of the cluster you want to access. The cluster overview page displays. Click on the name of the cluster you want to manage. +3. Scroll down to the **Download kubeconfig with IAM** section of the page. +4. Click **Download kubeconfig** +5. Select the API key bearer, enter a description and set the expiration date for the kubeconfig file, then click **Generate kubeconfig**. +6. Download the kubeconfig file and export the path to start using it with `kubectl`. + +You can now manage your cluster using `kubectl`. For more information about this tool, refer to the [official kubectl documentation](https://kubernetes.io/docs/reference/kubectl/). \ No newline at end of file diff --git a/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx b/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx new file mode 100644 index 0000000000..80debd9bb5 --- /dev/null +++ b/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx @@ -0,0 +1,233 @@ +--- +meta: + title: Setting IAM permissions and implement RBAC on a cluster + description: This page explains how to set IAM permissions and implement RBAC on a Scaleway Kubernetes cluster +content: + h1: Setting IAM permissions and implement RBAC on a cluster + paragraph: This page explains how to set IAM permissions and implement RBAC on a Scaleway Kubernetes cluster +tags: kubernetes kapsule-cluser +dates: + validation: 2025-06-02 + posted: 2025-06-02 +categories: + - kubernetes +--- + +Role-based access control (RBAC) is a native feature of Kubernetes and a method of regulating access to compute or network resources based on the roles of individual users within your Organization. +The feature is activated on Scaleway Kubernetes Kapsule and Kosmos by default and is compatible with Scaleway's IAM service. +IAM and RBAC work together by integrating Scaleway’s Identity and Access Management with Kubernetes' native RBAC system. This integration ensures that access permissions are consistent across both the cloud infrastructure and the Kubernetes cluster, providing a secure access control mechanism. +It allows you to assign roles to users, groups or `ServicesAccount` via `RoleBindings` and `ClusterRoleBindings`. + +Key components of RBAC in Kubernetes include: + +- **Roles and ClusterRoles:** + - **Roles:** These are specific to a namespace and define a set of permissions for resources within that namespace (e.g., pods, services). + - **ClusterRoles:** These are similar to roles but apply cluster-wide, spanning across all namespaces. +- **RoleBindings and ClusterRoleBindings:** + - **RoleBindings:** These associate a set of permissions defined in a role with a user, group, or service account within a specific namespace. + - **ClusterRoleBindings:** These associate a set of permissions defined in a ClusterRole with a user, group, or service account across the entire cluster. +- **Subjects:** A subject in RBAC can be a user, a group, or a service account to which roles or cluster roles are bound. +- **Rules:** Rules are sets of permissions associated with roles or cluster roles. They specify what actions are allowed or denied on specific resources. + +RBAC works seamlessly with Scaleway's IAM (Identity and Access Maanagement) system. Refer to [How to manage Kubeconfig files with IAM](/containers/kubernetes/how-to/manage-kubeconfig-with-iam/) for information how to configure IAM permissions for your users. + +### Mapping IAM permission sets to Kubernetes groups + +The following IAM permission sets are mapped to Kubernetes groups: + +| IAM Permission Set | Kubernetes Group | Notes | +|----------------------------------|-----------------------------|--------------------------| +| KubernetesFullAccess | scaleway:cluster-write | | +| | scaleway:cluster-read | | +| KubernetesReadOnly | scaleway:cluster-read | | +| KubernetesSystemMastersGroupAccess | system:masters | God mode | + +### Default ClusterRoleBindings + +Default `ClusterRoleBinding` and `ClusterRole` configurations have been set up: + +| Group | ClusterRoleBinding | ClusterRole | +|----------------------------------|-----------------------------|--------------------------| +| scaleway:cluster-write | scaleway:cluster-write | scaleway:cluster-write | +| scaleway:cluster-read | scaleway:cluster-read | scaleway:cluster-read | + +These groups can be edited and will not be reconciled by Kapsule/Kosmos. If these roles are misconfigured and cut off access to the cluster, the IAM permission set `KubernetesSystemMastersGroupAccess` should be assigned to the application or user. This permission set allows bypassing the entire RBAC layer. + +Users or applications can be added to zero, one, or more IAM groups. IAM groups are mapped to Kubernetes groups in the format `scaleway:groups:GROUPID`. + +**Example:** + +```bash +$ kubectl auth whoami +ATTRIBUTE VALUE +Username scaleway:bearer:dea0a399-af6e-4e8b-b2dd-32c9a26a174b +UID dea0a399-af6e-4e8b-b2dd-32c9a26a174b +Groups [scaleway:group:d4f154d6-a93c-4bab-a599-5f3803bd5120 scaleway:cluster-read system:authenticated] +``` + +## Creating a developers group with write access to dev and staging namespaces + +1. Create an IAM developers group: + - Assign the `KubernetesReadOnly` permission set to this group. + - Note the group ID, as it will be needed later. + +2. Create Namespaces and Roles: + - As a user/app with `KubernetesFullAccess` or `KubernetesSystemMastersGroupAccess`, create the following manifests: + +Namespace Creation: + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: dev +--- +apiVersion: v1 +kind: Namespace +metadata: + name: staging +``` + +Role Creation for dev namespace: + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: developers + namespace: dev +rules: +- apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] +- nonResourceURLs: ["*"] + verbs: ["*"] +``` + +RoleBinding Creation for dev namespace: + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: developers + namespace: dev +subjects: +- kind: Group + name: scaleway:groups: +roleRef: + kind: Role + name: developers + apiGroup: rbac.authorization.k8s.io +``` + +Repeat the same operation for the staging namespace. + +3. Apply the Manifests: + +```bash +kubectl apply -f filename.yaml +``` + +After these steps, members of the IAM group will have read access to the cluster and write access to the `dev` and `staging` namespaces. Permissions can be refined by modifying the `Role`. + +## Assigning permissions to a specific user without using a group + +1. **Assign the `KubernetesReadOnly` Permission Set to the User**. +2. **Retrieve the IAM User ID** and note it. +3. **Create the Following Manifests**: + +Namespace creation: + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: demo-sandbox +``` + +Role creation for an example namespace: + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: example + namespace: example-sandbox +rules: +- apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] +- nonResourceURLs: ["*"] + verbs: ["*"] +``` + +RoleBinding creation for the example namespace: + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: example + namespace: example-sandbox +subjects: +- kind: User + name: scaleway:bearer: +roleRef: + kind: Role + name: demo + apiGroup: rbac.authorization.k8s.io +``` + +4. Apply the manifests: + +```bash +kubectl apply -f filename.yaml +``` + +User "demo" now has full rights in the `example-sandbox` namespace. + +## Limiting `cluster-read` Access + +To modify the `scaleway:cluster-read` permissions, use the following command: + +```bash +kubectl edit clusterrole scaleway:cluster-read +``` + +Default content: + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scaleway:cluster-read +rules: +- verbs: ["get", "list", "watch"] + apiGroups: [""] + resources: ["bindings", "configmaps", "endpoints", "events", "limitranges", "namespaces", "namespaces/status", "nodes", "persistentvolumeclaims", "persistentvolumeclaims/status", "pods", "pods/log", "pods/status", "replicationcontrollers", "replicationcontrollers/scale", "replicationcontrollers/status", "resourcequotas", "resourcequotas/status", "serviceaccounts", "services", "services/status"] +- verbs: ["get", "list", "watch"] + apiGroups: ["metrics.k8s.io"] + resources: ["pods", "nodes"] +- verbs: ["get", "list", "watch"] + apiGroups: ["apps"] + resources: ["controllerrevisions", "daemonsets", "daemonsets/status", "deployments", "deployments/scale", "deployments/status", "replicasets", "replicasets/scale", "replicasets/status", "statefulsets", "statefulsets/scale", "statefulsets/status"] +- verbs: ["get", "list", "watch"] + apiGroups: ["autoscaling"] + resources: ["horizontalpodautoscalers", "horizontalpodautoscalers/status"] +- verbs: ["get", "list", "watch"] + apiGroups: ["batch"] + resources: ["cronjobs", "cronjobs/status", "jobs", "jobs/status"] +- verbs: ["get", "list", "watch"] + apiGroups: ["extensions"] + resources: ["daemonsets", "daemonsets/status", "deployments", "deployments/scale", "deployments/status", "ingresses", "ingresses/status", "networkpolicies", "replicasets", "replicasets/scale", "replicasets/status", "replicationcontrollers/scale"] +- verbs: ["get", "list", "watch"] + apiGroups: ["policy"] + resources: ["poddisruptionbudgets", "poddisruptionbudgets/status"] +- verbs: ["get", "list", "watch"] + apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingresses/status", "networkpolicies"] +- verbs: ["get", "list", "watch"] + apiGroups: ["rbac.authorization.k8s.io"] + resources: ["rolebindings", "roles"] +``` \ No newline at end of file From f26c3ca608262850b45710fc1bd8e4000a2479ea Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Tue, 3 Jun 2025 13:33:53 +0200 Subject: [PATCH 2/7] feat(k8s): iam --- menu/navigation.json | 4 + .../how-to/manage-kubeconfig-with-iam.mdx | 60 ----- ...set-iam-permissions-and-implement-rbac.mdx | 243 +++++++++--------- 3 files changed, 128 insertions(+), 179 deletions(-) delete mode 100644 pages/kubernetes/how-to/manage-kubeconfig-with-iam.mdx diff --git a/menu/navigation.json b/menu/navigation.json index 7d48e8856e..36df8b7f53 100644 --- a/menu/navigation.json +++ b/menu/navigation.json @@ -1999,6 +1999,10 @@ "label": "Exposing Kubernetes services to the internet", "slug": "exposing-services" }, + { + "label": "Setting IAM permissions and implement RBAC on a cluster", + "slug": "set-iam-permissions-and-implement-rbac" + }, { "label": "Modifying kernel parameters in a Kubernetes cluster using a DaemonSet", "slug": "modifying-kernel-parameters-kubernetes-cluster" diff --git a/pages/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/pages/kubernetes/how-to/manage-kubeconfig-with-iam.mdx deleted file mode 100644 index 039f65c001..0000000000 --- a/pages/kubernetes/how-to/manage-kubeconfig-with-iam.mdx +++ /dev/null @@ -1,60 +0,0 @@ ---- -meta: - title: How to manage Kubeconfig files with IAM - description: This page explains how to manage Scaleway Kubeconfig files with IAM -content: - h1: How to manage Kubeconfig files with IAM - paragraph: This page explains how to manage Scaleway Kubeconfig files with IAM -tags: kubernetes kapsule-cluser -dates: - validation: 2025-06-02 - posted: 2025-06-02 -categories: - - kubernetes ---- - -A Kubeconfig file serves as a repository for essential credentials required to access a Kubernetes cluster and manage deployments. -This file contains critical information, including cluster details, authentication data, and context information, allowing users to oversee and configure their Kubernetes clusters. - -Scaleway's Identity and Access Management (IAM) is now being used to generate Kubeconfig files. This integration offers several advantages: - -- **Improved user administration:** - - When removing a cluster user, there is no longer a need to reset the admin token, mitigating security risks. -- **Increased cluster security:** - - Each user has unique credentials, enhancing security. - - Audit logs facilitate the identification of specific Kubernetes users. -- **Enhanced application security:** - - Applications within the cluster are authenticated using specific tokens. - - This authentication method is particularly useful when a pod needs to interact with the Kubernetes API, as it can authenticate using its associated [Service Account](https://kubernetes.io/docs/concepts/security/service-accounts/). - -[Identity and Access Management (IAM)](/iam/concepts/#iam) provides control over resource access. IAM policies enable the configuration of permissions for Kubernetes Kapsule clusters at the Project level. - -An [IAM policy](/iam/concepts/#policy) defines the permissions for users, groups, and applications within an Organization. It consists of a [principal](/iam/concepts/#principal) (the user, group, or application to which it applies) and IAM rules that specify permission sets and their scope. - -The [combination of IAM and Kubernetes RBAC (Role-based Acccess Control)](/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) allows you to define fine-grained access levels for cluster users. - - - - - - A Scaleway account logged into the [console](https://console.scaleway.com) - - [Created](/kubernetes/how-to/create-cluster) a Kubernetes Kapsule cluster - - -## Setting up access - -1. [Create a group](/iam/how-to/create-group/) named `k8s-group` that contains the user and the application, so they are the only ones to have access to your cluster. -2. [Create an IAM policy](/iam/how-to/create-policy/) named `k8s-policy` in the Scaleway console, with the previously created group as a [principal](/iam/concepts/#principal). Apply the corresponding IAM policy to the group. For example, `KubernetesFullAccess`. - - Refer to [Setting IAM permissions and implement RBAC on a cluster](/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) for a detailed overview about the available IAM permissions and how to fine-tune them using Kubernetes RBAC. - - -## Downloading the Kubeconfig file - -1. Click **Kubernetes** in the **Containers** section of the [Scaleway console](https://console.scaleway.com) side menu. The Kubernetes Kapsule overview displays. -2. Click the name of the cluster you want to access. The cluster overview page displays. Click on the name of the cluster you want to manage. -3. Scroll down to the **Download kubeconfig with IAM** section of the page. -4. Click **Download kubeconfig** -5. Select the API key bearer, enter a description and set the expiration date for the kubeconfig file, then click **Generate kubeconfig**. -6. Download the kubeconfig file and export the path to start using it with `kubectl`. - -You can now manage your cluster using `kubectl`. For more information about this tool, refer to the [official kubectl documentation](https://kubernetes.io/docs/reference/kubectl/). \ No newline at end of file diff --git a/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx b/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx index 80debd9bb5..ea0e1527e9 100644 --- a/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx +++ b/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx @@ -21,15 +21,20 @@ It allows you to assign roles to users, groups or `ServicesAccount` via `RoleBin Key components of RBAC in Kubernetes include: - **Roles and ClusterRoles:** - - **Roles:** These are specific to a namespace and define a set of permissions for resources within that namespace (e.g., pods, services). - - **ClusterRoles:** These are similar to roles but apply cluster-wide, spanning across all namespaces. + - `Roles`: These are specific to a namespace and define a set of permissions for resources within that namespace (e.g., pods, services). + - `ClusterRoles`: These are similar to roles but apply cluster-wide, spanning across all namespaces. - **RoleBindings and ClusterRoleBindings:** - - **RoleBindings:** These associate a set of permissions defined in a role with a user, group, or service account within a specific namespace. - - **ClusterRoleBindings:** These associate a set of permissions defined in a ClusterRole with a user, group, or service account across the entire cluster. + - `RoleBindings`: These associate a set of permissions defined in a role with a user, group, or service account within a specific namespace. + - `ClusterRoleBindings`: These associate a set of permissions defined in a ClusterRole with a user, group, or service account across the entire cluster. - **Subjects:** A subject in RBAC can be a user, a group, or a service account to which roles or cluster roles are bound. - **Rules:** Rules are sets of permissions associated with roles or cluster roles. They specify what actions are allowed or denied on specific resources. -RBAC works seamlessly with Scaleway's IAM (Identity and Access Maanagement) system. Refer to [How to manage Kubeconfig files with IAM](/containers/kubernetes/how-to/manage-kubeconfig-with-iam/) for information how to configure IAM permissions for your users. +RBAC works seamlessly with Scaleway's IAM (Identity and Access Maanagement) system. [Identity and Access Management (IAM)](/iam/concepts/#iam) provides control over resource access. IAM policies enable the configuration of permissions for Kubernetes Kapsule clusters at the Project level. + +An [IAM policy](/iam/concepts/#policy) defines the permissions for users, groups, and applications within an Organization. It consists of a [principal](/iam/concepts/#principal) (the user, group, or application to which it applies) and IAM rules that specify permission sets and their scope. + +The combination of IAM and Kubernetes RBAC allows you to define fine-grained access levels for cluster users. + ### Mapping IAM permission sets to Kubernetes groups @@ -37,10 +42,10 @@ The following IAM permission sets are mapped to Kubernetes groups: | IAM Permission Set | Kubernetes Group | Notes | |----------------------------------|-----------------------------|--------------------------| -| KubernetesFullAccess | scaleway:cluster-write | | -| | scaleway:cluster-read | | -| KubernetesReadOnly | scaleway:cluster-read | | -| KubernetesSystemMastersGroupAccess | system:masters | God mode | +| `KubernetesFullAccess` | `scaleway:cluster-write` | | +| | `scaleway:cluster-read` | | +| `KubernetesReadOnly` | `scaleway:cluster-read` | | +| `KubernetesSystemMastersGroupAccess` | `system:masters` | God mode | ### Default ClusterRoleBindings @@ -48,8 +53,8 @@ Default `ClusterRoleBinding` and `ClusterRole` configurations have been set up: | Group | ClusterRoleBinding | ClusterRole | |----------------------------------|-----------------------------|--------------------------| -| scaleway:cluster-write | scaleway:cluster-write | scaleway:cluster-write | -| scaleway:cluster-read | scaleway:cluster-read | scaleway:cluster-read | +| `scaleway:cluster-write` | `scaleway:cluster-write` | `scaleway:cluster-write` | +| `scaleway:cluster-read` | `scaleway:cluster-read` | `scaleway:cluster-read` | These groups can be edited and will not be reconciled by Kapsule/Kosmos. If these roles are misconfigured and cut off access to the cluster, the IAM permission set `KubernetesSystemMastersGroupAccess` should be assigned to the application or user. This permission set allows bypassing the entire RBAC layer. @@ -60,134 +65,134 @@ Users or applications can be added to zero, one, or more IAM groups. IAM groups ```bash $ kubectl auth whoami ATTRIBUTE VALUE -Username scaleway:bearer:dea0a399-af6e-4e8b-b2dd-32c9a26a174b -UID dea0a399-af6e-4e8b-b2dd-32c9a26a174b -Groups [scaleway:group:d4f154d6-a93c-4bab-a599-5f3803bd5120 scaleway:cluster-read system:authenticated] +Username scaleway:bearer:de60e2b8-d590-4770-94bc-93b639382fb5 +UID de60e2b8-d590-4770-94bc-93b639382fb5 +Groups [scaleway:group:55eb7ac5-9afe-4e40-8d54-4fbb232cac21 scaleway:cluster-read system:authenticated] ``` ## Creating a developers group with write access to dev and staging namespaces -1. Create an IAM developers group: +1. Create an [IAM group](/iam/how-to/create-group/) called `developers`: - Assign the `KubernetesReadOnly` permission set to this group. - Note the group ID, as it will be needed later. -2. Create Namespaces and Roles: - - As a user/app with `KubernetesFullAccess` or `KubernetesSystemMastersGroupAccess`, create the following manifests: - -Namespace Creation: - -```yaml -apiVersion: v1 -kind: Namespace -metadata: - name: dev ---- -apiVersion: v1 -kind: Namespace -metadata: - name: staging -``` - -Role Creation for dev namespace: - -```yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: developers - namespace: dev -rules: -- apiGroups: ["*"] - resources: ["*"] - verbs: ["*"] -- nonResourceURLs: ["*"] - verbs: ["*"] -``` - -RoleBinding Creation for dev namespace: - -```yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: developers - namespace: dev -subjects: -- kind: Group - name: scaleway:groups: -roleRef: - kind: Role - name: developers - apiGroup: rbac.authorization.k8s.io -``` - -Repeat the same operation for the staging namespace. +2. Create namespaces and roles: + As a user/app with `KubernetesFullAccess` or `KubernetesSystemMastersGroupAccess`, create the following manifests: + + Namespace creation: + + ```yaml + apiVersion: v1 + kind: Namespace + metadata: + name: dev + --- + apiVersion: v1 + kind: Namespace + metadata: + name: staging + ``` + + Role creation for dev namespace: + + ```yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: developers + namespace: dev + rules: + - apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] + - nonResourceURLs: ["*"] + verbs: ["*"] + ``` + + RoleBinding Creation for dev namespace: + + ```yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: developers + namespace: dev + subjects: + - kind: Group + name: scaleway:groups: + roleRef: + kind: Role + name: developers + apiGroup: rbac.authorization.k8s.io + ``` + + Repeat the same operation for the staging namespace. 3. Apply the Manifests: -```bash -kubectl apply -f filename.yaml -``` + ```bash + kubectl apply -f filename.yaml + ``` After these steps, members of the IAM group will have read access to the cluster and write access to the `dev` and `staging` namespaces. Permissions can be refined by modifying the `Role`. ## Assigning permissions to a specific user without using a group -1. **Assign the `KubernetesReadOnly` Permission Set to the User**. -2. **Retrieve the IAM User ID** and note it. -3. **Create the Following Manifests**: - -Namespace creation: - -```yaml -apiVersion: v1 -kind: Namespace -metadata: - name: demo-sandbox -``` - -Role creation for an example namespace: - -```yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: example - namespace: example-sandbox -rules: -- apiGroups: ["*"] - resources: ["*"] - verbs: ["*"] -- nonResourceURLs: ["*"] - verbs: ["*"] -``` - -RoleBinding creation for the example namespace: - -```yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: example - namespace: example-sandbox -subjects: -- kind: User - name: scaleway:bearer: -roleRef: - kind: Role - name: demo - apiGroup: rbac.authorization.k8s.io -``` +1. Assign the `KubernetesReadOnly` Permission Set to the User. +2. Retrieve the **IAM user ID** and note it. +3. Create the following Manifests: + + Namespace creation: + + ```yaml + apiVersion: v1 + kind: Namespace + metadata: + name: demo-sandbox + ``` + + Role creation for an example namespace: + + ```yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: example + namespace: example-sandbox + rules: + - apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] + - nonResourceURLs: ["*"] + verbs: ["*"] + ``` + + RoleBinding creation for the example namespace: + + ```yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: example + namespace: example-sandbox + subjects: + - kind: User + name: scaleway:bearer: + roleRef: + kind: Role + name: demo + apiGroup: rbac.authorization.k8s.io + ``` 4. Apply the manifests: -```bash -kubectl apply -f filename.yaml -``` + ```bash + kubectl apply -f filename.yaml + ``` -User "demo" now has full rights in the `example-sandbox` namespace. + The user "demo" now has full rights in the `example-sandbox` namespace. -## Limiting `cluster-read` Access +## Limiting cluster-read Access To modify the `scaleway:cluster-read` permissions, use the following command: From 6b909fbb3b2856c80fb26966baf46b5de8e815d3 Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Tue, 3 Jun 2025 14:46:04 +0200 Subject: [PATCH 3/7] feat(k8s): iam --- .../set-iam-permissions-and-implement-rbac.mdx | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx b/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx index ea0e1527e9..85ea890d12 100644 --- a/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx +++ b/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx @@ -129,10 +129,9 @@ Groups [scaleway:group:55eb7ac5-9afe-4e40-8d54-4fbb232cac21 scaleway:cluste Repeat the same operation for the staging namespace. 3. Apply the Manifests: - - ```bash - kubectl apply -f filename.yaml - ``` + ```bash + kubectl apply -f filename.yaml + ``` After these steps, members of the IAM group will have read access to the cluster and write access to the `dev` and `staging` namespaces. Permissions can be refined by modifying the `Role`. @@ -186,11 +185,11 @@ After these steps, members of the IAM group will have read access to the cluster 4. Apply the manifests: - ```bash - kubectl apply -f filename.yaml - ``` + ```bash + kubectl apply -f filename.yaml + ``` - The user "demo" now has full rights in the `example-sandbox` namespace. + The user "demo" now has full rights in the `example-sandbox` namespace. ## Limiting cluster-read Access From c11ab1ef533499c88db9f00c911a734d104ebfb6 Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Tue, 3 Jun 2025 16:52:05 +0200 Subject: [PATCH 4/7] Apply suggestions from code review --- .../set-iam-permissions-and-implement-rbac.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx b/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx index 85ea890d12..6f092c3cec 100644 --- a/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx +++ b/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx @@ -45,7 +45,7 @@ The following IAM permission sets are mapped to Kubernetes groups: | `KubernetesFullAccess` | `scaleway:cluster-write` | | | | `scaleway:cluster-read` | | | `KubernetesReadOnly` | `scaleway:cluster-read` | | -| `KubernetesSystemMastersGroupAccess` | `system:masters` | God mode | +| `KubernetesSystemMastersGroupAccess` | `system:masters` | Super-user access to perform any action on any Kubernetes resource, ignoring all RBAC rules | ### Default ClusterRoleBindings From b1cc1fb25ce74f3b93cc71146697a8b8234467a0 Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Tue, 3 Jun 2025 16:57:18 +0200 Subject: [PATCH 5/7] Apply suggestions from code review --- ...set-iam-permissions-and-implement-rbac.mdx | 168 +++++++++++++++--- 1 file changed, 140 insertions(+), 28 deletions(-) diff --git a/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx b/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx index 6f092c3cec..ba01ee8abe 100644 --- a/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx +++ b/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx @@ -205,33 +205,145 @@ Default content: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: scaleway:cluster-read + name: scaleway:cluster-read rules: -- verbs: ["get", "list", "watch"] - apiGroups: [""] - resources: ["bindings", "configmaps", "endpoints", "events", "limitranges", "namespaces", "namespaces/status", "nodes", "persistentvolumeclaims", "persistentvolumeclaims/status", "pods", "pods/log", "pods/status", "replicationcontrollers", "replicationcontrollers/scale", "replicationcontrollers/status", "resourcequotas", "resourcequotas/status", "serviceaccounts", "services", "services/status"] -- verbs: ["get", "list", "watch"] - apiGroups: ["metrics.k8s.io"] - resources: ["pods", "nodes"] -- verbs: ["get", "list", "watch"] - apiGroups: ["apps"] - resources: ["controllerrevisions", "daemonsets", "daemonsets/status", "deployments", "deployments/scale", "deployments/status", "replicasets", "replicasets/scale", "replicasets/status", "statefulsets", "statefulsets/scale", "statefulsets/status"] -- verbs: ["get", "list", "watch"] - apiGroups: ["autoscaling"] - resources: ["horizontalpodautoscalers", "horizontalpodautoscalers/status"] -- verbs: ["get", "list", "watch"] - apiGroups: ["batch"] - resources: ["cronjobs", "cronjobs/status", "jobs", "jobs/status"] -- verbs: ["get", "list", "watch"] - apiGroups: ["extensions"] - resources: ["daemonsets", "daemonsets/status", "deployments", "deployments/scale", "deployments/status", "ingresses", "ingresses/status", "networkpolicies", "replicasets", "replicasets/scale", "replicasets/status", "replicationcontrollers/scale"] -- verbs: ["get", "list", "watch"] - apiGroups: ["policy"] - resources: ["poddisruptionbudgets", "poddisruptionbudgets/status"] -- verbs: ["get", "list", "watch"] - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingresses/status", "networkpolicies"] -- verbs: ["get", "list", "watch"] - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["rolebindings", "roles"] + - verbs: + - get + - list + - watch + apiGroups: + - '' + resources: + - bindings + - configmaps + - endpoints + - events + - limitranges + - namespaces + - namespaces/status + - nodes + - persistentvolumeclaims + - persistentvolumeclaims/status + - pods + - pods/log + - pods/status + - replicationcontrollers + - replicationcontrollers/scale + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + - serviceaccounts + - services + - services/status + + + - verbs: + - get + - list + - watch + apiGroups: + - metrics.k8s.io + resources: + - pods + - nodes + + + - verbs: + - get + - list + - watch + apiGroups: + - apps + resources: + - controllerrevisions + - daemonsets + - daemonsets/status + - deployments + - deployments/scale + - deployments/status + - replicasets + - replicasets/scale + - replicasets/status + - statefulsets + - statefulsets/scale + - statefulsets/status + + + - verbs: + - get + - list + - watch + apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + - horizontalpodautoscalers/status + + + - verbs: + - get + - list + - watch + apiGroups: + - batch + resources: + - cronjobs + - cronjobs/status + - jobs + - jobs/status + + + - verbs: + - get + - list + - watch + apiGroups: + - extensions + resources: + - daemonsets + - daemonsets/status + - deployments + - deployments/scale + - deployments/status + - ingresses + - ingresses/status + - networkpolicies + - replicasets + - replicasets/scale + - replicasets/status + - replicationcontrollers/scale + + + - verbs: + - get + - list + - watch + apiGroups: + - policy + resources: + - poddisruptionbudgets + - poddisruptionbudgets/status + + + - verbs: + - get + - list + - watch + apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingresses/status + - networkpolicies + + + - verbs: + - get + - list + - watch + apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles ``` \ No newline at end of file From 0b04b3d63acede56f409cb6f6c660367a44a07e8 Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Wed, 4 Jun 2025 10:45:05 +0200 Subject: [PATCH 6/7] Apply suggestions from code review Co-authored-by: Rowena Jones <36301604+RoRoJ@users.noreply.github.com> --- menu/navigation.json | 2 +- ...set-iam-permissions-and-implement-rbac.mdx | 22 +++++++++---------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/menu/navigation.json b/menu/navigation.json index 36df8b7f53..e6749c3769 100644 --- a/menu/navigation.json +++ b/menu/navigation.json @@ -2000,7 +2000,7 @@ "slug": "exposing-services" }, { - "label": "Setting IAM permissions and implement RBAC on a cluster", + "label": "Setting IAM permissions and implementing RBAC on a cluster", "slug": "set-iam-permissions-and-implement-rbac" }, { diff --git a/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx b/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx index ba01ee8abe..0f68f42568 100644 --- a/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx +++ b/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx @@ -1,9 +1,9 @@ --- meta: - title: Setting IAM permissions and implement RBAC on a cluster + title: Setting IAM permissions and implementing RBAC on a cluster description: This page explains how to set IAM permissions and implement RBAC on a Scaleway Kubernetes cluster content: - h1: Setting IAM permissions and implement RBAC on a cluster + h1: Setting IAM permissions and implementing RBAC on a cluster paragraph: This page explains how to set IAM permissions and implement RBAC on a Scaleway Kubernetes cluster tags: kubernetes kapsule-cluser dates: @@ -14,15 +14,15 @@ categories: --- Role-based access control (RBAC) is a native feature of Kubernetes and a method of regulating access to compute or network resources based on the roles of individual users within your Organization. -The feature is activated on Scaleway Kubernetes Kapsule and Kosmos by default and is compatible with Scaleway's IAM service. -IAM and RBAC work together by integrating Scaleway’s Identity and Access Management with Kubernetes' native RBAC system. This integration ensures that access permissions are consistent across both the cloud infrastructure and the Kubernetes cluster, providing a secure access control mechanism. +The feature is activated on Scaleway Kubernetes Kapsule and Kosmos by default and is compatible with Scaleway's Identity and Access Management (IAM) service. +IAM and RBAC work together by integrating Scaleway’s IAM with Kubernetes' native RBAC system. This integration ensures that access permissions are consistent across both the cloud infrastructure and the Kubernetes cluster, providing a secure access control mechanism. It allows you to assign roles to users, groups or `ServicesAccount` via `RoleBindings` and `ClusterRoleBindings`. Key components of RBAC in Kubernetes include: - **Roles and ClusterRoles:** - - `Roles`: These are specific to a namespace and define a set of permissions for resources within that namespace (e.g., pods, services). - - `ClusterRoles`: These are similar to roles but apply cluster-wide, spanning across all namespaces. + - `Roles`: These are specific to a namespace, and define a set of permissions for resources within that namespace (e.g., pods, services). + - `ClusterRoles`: These are similar to roles but apply cluster-wide, spanning all namespaces. - **RoleBindings and ClusterRoleBindings:** - `RoleBindings`: These associate a set of permissions defined in a role with a user, group, or service account within a specific namespace. - `ClusterRoleBindings`: These associate a set of permissions defined in a ClusterRole with a user, group, or service account across the entire cluster. @@ -77,7 +77,7 @@ Groups [scaleway:group:55eb7ac5-9afe-4e40-8d54-4fbb232cac21 scaleway:cluste - Note the group ID, as it will be needed later. 2. Create namespaces and roles: - As a user/app with `KubernetesFullAccess` or `KubernetesSystemMastersGroupAccess`, create the following manifests: + As a user or application with `KubernetesFullAccess` or `KubernetesSystemMastersGroupAccess`, create the following manifests: Namespace creation: @@ -128,7 +128,7 @@ Groups [scaleway:group:55eb7ac5-9afe-4e40-8d54-4fbb232cac21 scaleway:cluste Repeat the same operation for the staging namespace. -3. Apply the Manifests: +3. Apply the manifests: ```bash kubectl apply -f filename.yaml ``` @@ -137,9 +137,9 @@ After these steps, members of the IAM group will have read access to the cluster ## Assigning permissions to a specific user without using a group -1. Assign the `KubernetesReadOnly` Permission Set to the User. +1. Assign the `KubernetesReadOnly` Permission Set to the user. 2. Retrieve the **IAM user ID** and note it. -3. Create the following Manifests: +3. Create the following manifests: Namespace creation: @@ -191,7 +191,7 @@ After these steps, members of the IAM group will have read access to the cluster The user "demo" now has full rights in the `example-sandbox` namespace. -## Limiting cluster-read Access +## Limiting cluster-read access To modify the `scaleway:cluster-read` permissions, use the following command: From 4894aced24d840681a483bb553ad938b478735c0 Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Mon, 9 Jun 2025 16:20:43 +0200 Subject: [PATCH 7/7] Apply suggestions from code review Co-authored-by: Jessica <113192637+jcirinosclwy@users.noreply.github.com> --- .../set-iam-permissions-and-implement-rbac.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx b/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx index 0f68f42568..94ffb1aec8 100644 --- a/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx +++ b/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx @@ -29,7 +29,7 @@ Key components of RBAC in Kubernetes include: - **Subjects:** A subject in RBAC can be a user, a group, or a service account to which roles or cluster roles are bound. - **Rules:** Rules are sets of permissions associated with roles or cluster roles. They specify what actions are allowed or denied on specific resources. -RBAC works seamlessly with Scaleway's IAM (Identity and Access Maanagement) system. [Identity and Access Management (IAM)](/iam/concepts/#iam) provides control over resource access. IAM policies enable the configuration of permissions for Kubernetes Kapsule clusters at the Project level. +RBAC works seamlessly with Scaleway's IAM (Identity and Access Management) system. [Identity and Access Management (IAM)](/iam/concepts/#iam) provides control over resource access. IAM policies enable the configuration of permissions for Kubernetes Kapsule clusters at the Project level. An [IAM policy](/iam/concepts/#policy) defines the permissions for users, groups, and applications within an Organization. It consists of a [principal](/iam/concepts/#principal) (the user, group, or application to which it applies) and IAM rules that specify permission sets and their scope. @@ -40,7 +40,7 @@ The combination of IAM and Kubernetes RBAC allows you to define fine-grained acc The following IAM permission sets are mapped to Kubernetes groups: -| IAM Permission Set | Kubernetes Group | Notes | +| IAM permission set | Kubernetes group | Notes | |----------------------------------|-----------------------------|--------------------------| | `KubernetesFullAccess` | `scaleway:cluster-write` | | | | `scaleway:cluster-read` | | @@ -137,7 +137,7 @@ After these steps, members of the IAM group will have read access to the cluster ## Assigning permissions to a specific user without using a group -1. Assign the `KubernetesReadOnly` Permission Set to the user. +1. Assign the `KubernetesReadOnly` permission set to the user. 2. Retrieve the **IAM user ID** and note it. 3. Create the following manifests: