Updated at April 15, 2024   08:50 AM

Access management

Cloud Containers clusters version 1.23 and higher are tightly integrated with the VK Cloud platform:

  • Single Sign-On (SSO) technology is used.

    The user authenticates in the Kubernetes cluster with the same credentials as when logging into the VK Cloud personal account.

    SSO functionality cannot be disabled.

  • The user's roles in the personal account affect:

  • The Kubernetes superadministrator and administrator manage cluster access by assigning roles to users in a personal account.

    There is no need to configure user rights separately for personal accounts and for Kubernetes clusters. For example, disabling a user account or revoking a role in a personal account results in revoking the access rights to Kubernetes clusters.

How the authentication process works

When kubectl is used, authentication is handled by the keystone-auth utility.

kubectl works with a cluster configuration file (kubeconfig). This file contains all of the user's connection details except the password, which is deliberately not stored in it. keystone-auth therefore prompts for the user's password interactively before it can authenticate:

Please enter password:

After successful authentication, a short-lived token is issued that grants temporary access to the cluster. When the token expires, keystone-auth prompts for the password again to obtain a new one. This happens both when working with kubectl and with other tools that rely on such tokens: for example, kauthproxy uses them to authenticate in the web interfaces of cluster components and addons.

This interactive flow is inconvenient for automated tools that need access to the cluster. To give such tools access, create a kubeconfig file for a service account. That kubeconfig contains the service account details and a token with an unlimited lifetime, so the tool authenticates without a password. Because the token never expires, treat that kubeconfig as a credential: restrict its file permissions, grant the service account only the RBAC permissions the tool needs, and replace the token if the file may have been exposed.
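The following is an added example, not VK Cloud's own tooling for issuing service-account kubeconfigs. It builds the stock Kubernetes objects that a service-account kubeconfig needs (a ServiceAccount, a namespace-scoped read-only Role and RoleBinding, and a Secret of type kubernetes.io/service-account-token that the control plane fills with a non-expiring token) and then assembles a kubeconfig around that token. The namespace "demo", the account name "automation-ro", the cluster name "vk-cluster" and the server, CA and token values in the usage comments are constructed placeholders; the CA lookup also assumes your current kubeconfig carries certificate-authority-data inline.

```python
"""Create a least-privilege service account and a kubeconfig that uses its
long-lived token, so an automated tool can reach the cluster without a
password prompt.

Added example, not VK Cloud's own tooling. It uses only stock Kubernetes
objects; every name and sample value below is a constructed placeholder.
"""
import json
import os
import sys

# Read-only on common workload objects; "secrets" is deliberately absent.
DEFAULT_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "services", "configmaps"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
     "verbs": ["get", "list", "watch"]},
]


def service_account_manifests(namespace, name, rules=DEFAULT_RULES):
    """Return a v1 List holding ServiceAccount, Role, RoleBinding and token Secret.

    Kubernetes 1.24+ no longer creates the token Secret automatically, so it is
    declared explicitly here; older clusters accept the same manifest.
    """
    items = [
        {"apiVersion": "v1", "kind": "ServiceAccount",
         "metadata": {"name": name, "namespace": namespace}},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
         "metadata": {"name": name, "namespace": namespace}, "rules": rules},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
         "metadata": {"name": name, "namespace": namespace},
         "subjects": [{"kind": "ServiceAccount", "name": name, "namespace": namespace}],
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": name}},
        {"apiVersion": "v1", "kind": "Secret",
         "metadata": {"name": f"{name}-token", "namespace": namespace,
                      "annotations": {"kubernetes.io/service-account.name": name}},
         "type": "kubernetes.io/service-account-token"},
    ]
    return {"apiVersion": "v1", "kind": "List", "items": items}


def build_kubeconfig(cluster, server, ca_b64, namespace, user, token):
    """Return a kubeconfig as a dict (kubectl reads JSON as well as YAML) whose
    single user authenticates with a bearer token instead of keystone-auth."""
    context = f"{user}@{cluster}"
    return {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": cluster,
                      "cluster": {"server": server, "certificate-authority-data": ca_b64}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": context,
                      "context": {"cluster": cluster, "user": user, "namespace": namespace}}],
        "current-context": context,
    }


def write_private(path, data):
    """Write JSON with mode 0600: the token never expires, so the file is a credential."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(data, fh, indent=2)
    return path


if __name__ == "__main__":
    ns, name = "demo", "automation-ro"   # constructed placeholders
    if sys.argv[1:2] == ["manifests"]:
        # python sa_kubeconfig.py manifests > sa.json && kubectl apply -f sa.json
        json.dump(service_account_manifests(ns, name), sys.stdout, indent=2)
    elif sys.argv[1:2] == ["kubeconfig"] and len(sys.argv) == 5:
        # token=$(kubectl -n demo get secret automation-ro-token -o jsonpath='{.data.token}' | base64 -d)
        # ca=$(kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
        # server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
        # python sa_kubeconfig.py kubeconfig "$server" "$ca" "$token"
        server, ca_b64, token = sys.argv[2:5]
        out = write_private("automation-ro.kubeconfig",
                            build_kubeconfig("vk-cluster", server, ca_b64, ns, name, token))
        print(f"wrote {out}; check with: kubectl --kubeconfig {out} get pods")
    else:
        sys.exit("usage: manifests | kubeconfig <server> <ca-base64> <token>")
```

Apply the manifests with your own (password-authenticated) kubeconfig, then extract the token and build the tool's kubeconfig as shown in the usage comments. Verify the result with `kubectl --kubeconfig automation-ro.kubeconfig auth can-i --list -n demo`: the output should show only the verbs in DEFAULT_RULES and nothing on secrets.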

Relationship between the roles of personal account and Kubernetes

Kubernetes role: view.

The role provides read access to most objects in the namespace.

The role does not provide:

  • Ability to view or change roles and role bindings.

  • Access to secrets.

    Service account tokens are stored as secrets, so a user who can read secrets can obtain the credentials of any service account in the namespace and call the API on its behalf, with whatever permissions that service account holds. For a read-only role this would be a privilege escalation.

To see which resources and verbs a role grants, connect to the cluster and run:

kubectl describe clusterrole <role in Kubernetes Cloud Containers>
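The escalation path described above (read access to secrets, plus a few other verbs that let a principal act with permissions it does not hold itself) can be checked across a whole cluster rather than one role at a time. The following is an added example and not part of VK Cloud's documentation or tooling: it audits the JSON that `kubectl get roles,clusterroles -A -o json` returns and flags rules that read secrets, create service-account tokens, use the bind/escalate/impersonate verbs, or wildcard everything. The sample roles at the bottom are constructed for the demonstration; the role names and the "demo" namespace are not from a real cluster.

```python
"""Audit Kubernetes RBAC rules for ways a "read-only" principal could escalate:
reading Secrets (which hold service-account tokens), minting tokens, or using
the bind/escalate/impersonate verbs.

Added example, not VK Cloud tooling. Usage with real data:
    kubectl get roles,clusterroles -A -o json > rbac.json
    python rbac_audit.py rbac.json
"""
import json
import sys

READ_VERBS = {"get", "list", "watch"}
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}


def _matches(values, wanted):
    """RBAC treats "*" as matching any api group or resource."""
    return "*" in values or wanted in values


def audit_rule(rule):
    """Return human-readable findings for one PolicyRule (empty if benign)."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = set(rule.get("verbs", []))

    def can(needed):
        return "*" in verbs or bool(verbs & needed)

    findings = []
    if _matches(groups, "") and _matches(resources, "secrets") and can(READ_VERBS):
        findings.append("reads secrets: can take the token of any service account in scope")
    if _matches(groups, "") and _matches(resources, "serviceaccounts/token") and can({"create"}):
        findings.append("creates serviceaccounts/token: can mint a token for any service account in scope")
    for verb in sorted(verbs & ESCALATION_VERBS):
        findings.append(f"verb '{verb}' on {','.join(resources)}: can act with permissions it does not hold itself")
    if "*" in verbs and "*" in resources and "*" in groups:
        findings.append("wildcard on everything: cluster-admin equivalent")
    return findings


def audit_roles(items):
    """Walk Role/ClusterRole objects (the 'items' of kubectl's JSON list) and
    return one finding record per flagged rule."""
    out = []
    for obj in items:
        meta = obj.get("metadata", {})
        for rule in obj.get("rules") or []:
            for finding in audit_rule(rule):
                out.append({"kind": obj.get("kind"), "namespace": meta.get("namespace", ""),
                            "name": meta.get("name"), "finding": finding})
    return out


# Constructed sample in the shape kubectl returns; not from a real cluster.
SAMPLE_ITEMS = [
    {"kind": "Role", "metadata": {"name": "app-reader", "namespace": "demo"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "configmaps", "services"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "demo"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "token-minter", "namespace": "demo"},
     "rules": [{"apiGroups": [""], "resources": ["serviceaccounts/token"], "verbs": ["create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "impersonator"},
     "rules": [{"apiGroups": [""], "resources": ["users", "groups", "serviceaccounts"],
                "verbs": ["impersonate"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "all-access"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            items = json.load(fh)["items"]
    else:
        items = SAMPLE_ITEMS
    for f in audit_roles(items):
        scope = f"{f['namespace']}/" if f["namespace"] else ""
        print(f"{f['kind']} {scope}{f['name']}: {f['finding']}")
```

Run without arguments to see the sample output; "app-reader", which mirrors what the view role allows, produces no finding, while the other four do. A rule that only allows `create` on secrets is not flagged, because writing a secret does not reveal existing service-account tokens.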