Wednesday, January 2, 2019

Rancher Roles and Permissions


Introduction
------------

Rancher organises access as a hierarchy: a cluster contains projects, and each project contains namespaces.



Permission Levels
-----------------

1. Global Permissions - authorization for Rancher itself (excluding the individual managed Kubernetes clusters)
2. Cluster and Project Roles - authorization within a specific Kubernetes cluster

Adding Users
------------

Local users:

A local user first needs to be made a member of a cluster, which is done by a Rancher admin.
Without that, login fails even with the correct password, with the
following message (seen in Rancher v2.1.1).


Global Permissions
------------------

Default global permissions:

1. Administrator - full control over the entire Rancher system and all clusters within it
2. Standard User - can create new clusters and use them; can also grant other
   users permissions on their clusters

Default Assignments:

1. External (users from an external authentication provider) - assigned "Standard User" by default
2. Local - global permissions are assigned when the user is created

Projects and Namespaces
-----------------------

A project is a collection of namespaces. A resource quota set at the project level
caps the combined resource quotas of all namespaces in that project.

Permissions granted at the project level also apply to every namespace within it. You
can override this by editing the namespace's permissions manually.

Project permissions
-------------------

Project permissions are applied in real time. A user does not need to log out and
log back in for a permission change to take effect; it applies immediately.

A user can gain access to a cluster without having been added at the cluster level,
simply by being added at the project level.

Kubernetes vs Rancher RoleBindings
----------------------------------

Created through Rancher (excerpt of the binding's metadata; note the ownership label and the ``norman`` creator, Rancher's API server)::

    ...
      labels:
        authz.cluster.cattle.io/rtb-owner: 25426a95-0291-11e9-b27e-005056b62395
        cattle.io/creator: norman
      name: clusterrolebinding-68fxg
    ...

Created directly in Kubernetes (the ``last-applied-configuration`` annotation is what ``kubectl apply`` leaves behind; no Rancher labels are present)::

    ...
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"clusterrolebinding-f7ggc","namespace":"sata-dev"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"user-f7ggc"}]}
      creationTimestamp: "2019-01-02T03:00:13Z"
    ...
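To tell the two kinds of bindings apart across a whole cluster, here is an added audit script (not from the original post) that reads the output of ``kubectl get rolebindings -A -o json`` and flags bindings that grant a privileged role without Rancher's ownership labels, i.e. bindings that bypass the project model described above. The embedded sample is constructed from the two excerpts; the first binding's namespace, roleRef and subject are assumptions, since the excerpt does not show them.

```python
"""Separate Rancher-managed RoleBindings from ones created directly with kubectl.
Added example, not from the original post.  Real input:
    kubectl get rolebindings -A -o json | python3 audit_bindings.py"""
import json
import sys

# Labels Rancher (through its "norman" API server) stamps on bindings it owns.
RANCHER_OWNER_LABEL = "authz.cluster.cattle.io/rtb-owner"
RANCHER_CREATOR_LABEL = "cattle.io/creator"
# Roles worth reviewing when bound outside Rancher's project model.
PRIVILEGED_ROLES = {"admin", "edit", "cluster-admin"}


def classify(binding):
    """'rancher' if the binding carries Rancher's ownership labels, else 'direct'."""
    labels = binding.get("metadata", {}).get("labels") or {}
    if RANCHER_OWNER_LABEL in labels or labels.get(RANCHER_CREATOR_LABEL) == "norman":
        return "rancher"
    return "direct"


def audit(binding_list):
    """Return direct bindings that grant a privileged role as
    (namespace, name, role, [subject names]) tuples."""
    findings = []
    for b in binding_list.get("items", []):
        if classify(b) != "direct":
            continue
        role = b.get("roleRef", {}).get("name", "")
        if role in PRIVILEGED_ROLES:
            meta = b["metadata"]
            subjects = [s.get("name", "") for s in b.get("subjects", [])]
            findings.append((meta.get("namespace", ""), meta["name"], role, subjects))
    return findings


# Constructed sample: item 0 mirrors the Rancher-created binding (namespace,
# roleRef and subject assumed); item 1 mirrors the kubectl-created one.
SAMPLE = json.loads("""{"apiVersion":"v1","kind":"List","items":[
 {"metadata":{"name":"clusterrolebinding-68fxg","namespace":"sata-dev",
   "labels":{"authz.cluster.cattle.io/rtb-owner":"25426a95-0291-11e9-b27e-005056b62395",
             "cattle.io/creator":"norman"}},
  "roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},
  "subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"user-68fxg"}]},
 {"metadata":{"name":"clusterrolebinding-f7ggc","namespace":"sata-dev"},
  "roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},
  "subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"user-f7ggc"}]}]}""")

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, role, subjects in audit(data):
        print(f"{ns}/{name}: '{role}' granted to {subjects} outside Rancher")
```

Run without piped input it audits the embedded sample and reports only the kubectl-created binding.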
