Add RBAC to the K8s dashboard
Use a simple global service to configure organization wide Kubernetes RBAC for end users
Overview
By default, the Plural Console embedded Kubernetes dashboard ships with closed permissions. You'll need to gradually add RBAC rules to users or groups as you want to carefully expand access throughout the system.
In addition, Plural's built-in Continuous Deployment engine allows you to ship these rules seamlessly to all clusters in your fleet, or to any subset of clusters. We'll show you how to set up a basic cluster-admin role for SRE personnel on your team, but the basics can be reworked for any other set of RBAC rules
Define an RBAC service
We'll make a simple folder of RBAC rules under services/rbac
in your repo. To start, let's define a rule for the sre
group like so, under services/rbac/sre.yaml
:
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: sre-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: sre
This role references the sre
group in the Plural Console, which you can also configure to sync with your upstream identity provider or SSO. For the purposes of the walkthrough, you can also manually create that group by navigating to Settings > User Management > Groups or going to https://{you-console-instance}/settings/user-management/groups
Info:
Plural uses a Kubernetes concept called Impersonation to authenticate into an end cluster's API server with an identity that looks exactly like the current users' Plural Console identity. The primary benefit of this is it allows you to mirror your SSO straight into kubernetes itself, rather than deal with cloud-specific authorization complexity.
If you want to add other rules, say for a specific user, feel free to add them in that folder as well, eg you could add a rule services/rbac/michael.yaml
:
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: sre-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: michael@example.com