Inroduction
-----------
Hierarchy of cluster,
projects and namespaces.
Permission Levels
-----------------
Global Permissions -
Authorization for rancher (excluding individual managed k8
clusters).
Cluster and Project
Roles - Authorization for specific k8 cluster
Adding Users
------------
Local Users:
User needs to be a
member of a cluster first which is set by rancher admin.
Without doing that,
even with correct password, login will fail with the
following message
(seen in Rancher v2.1.1).
Global Permissions
------------------
Default global
permissions:
1. Administrator -
full control over the entire Rancher system and all clusters within it
2. Standard User -
can create new clusters and use them; can also assign other
users permissions to their
clusters
Default Assignments:
1. External - users
are assigned "Standard User" by default
2. Local - global
permissions are assigned during user creation
Projects and Namespaces
-----------------------
A project is a
collection of namespaces. A resource quota on project level will
serve as the limit of
all combined resource quota of all namespaces.
Permissions on
project level will also apply on all namespaces within it. You
can override that by
editing the namespace permission manually.
Project permissions
-------------------
Project permissions
are applied realtime. User don't need to logout and login
for his/her
permission to take effect - it is applied immediately.
A user can gain
access even he was not added in cluster level - that is by
adding him on project
level.
K8 vs Rancher Rolebindings
--------------------------
Created using
rancher:
...
labels:
authz.cluster.cattle.io/rtb-owner:
25426a95-0291-11e9-b27e-005056b62395
cattle.io/creator: norman
name: clusterrolebinding-68fxg
...
Created by k8:
...
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"clusterrolebinding-f7ggc","namespace":"sata-dev"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"user-f7ggc"}]}
creationTimestamp:
"2019-01-02T03:00:13Z"
...
No comments:
Post a Comment