Create End Users¶
After setting up your system administrators, use a Level1SystemAdmin
system administrator to configure ‘end users’.
In the following example, creating end users consists of:
Create a general end user kubernetes
ClusterRole
with restricted kubernetes capabilities.For one or more specific end user groups:
Create an LDAP group;
You can disable the SSH access for this LDAP group (i.e., restricting these end users to only use remote CLIs / APIs / GUIs);
Create a Kubernetes namespace for the group;
Bind the general end user kubernetes cluster role to the LDAP group for this kubernetes namespace,
Create one or more LDAP users in this LDAP group.
Prerequisites
You should already have created a system administrator.
You need to perform this procedure using the
Level1SystemAdmin
system administrator.
Procedure
Login to the active controller as a
Level1SystemAdmin
system administrator,joefulladmin
in this example.Use either a local console or SSH.
Use the
local_starlingxrc
to setup StarlingX environment variables and to setup your keystone user’s authentication credentials.$ source local_starlingxrc Enter the password to be used with keystone user joefulladmin: Created file /home/joefulladmin/joefulladmin-openrc
Use the
oidc-auth
to authenticate via OIDC/LDAP for kubernetes CLI.$ oidc-auth Using "joefulladmin" as username. Password: Successful authentication. Updated /home/joefulladmin/.kube/config.
Create a directory for temporary files for setting up users and groups.
$ mkdir /home/joefulladmin/users
Create a general end user kubernetes
ClusterRole
with restricted kubernetes authorization privileges.$ cat << EOF > /home/joefulladmin/users/GeneralEndUser-ClusterRole.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: GeneralEndUser rules: # For the core API group (""), allow full access to all resource types # EXCEPT for resource policies (limitranges and resourcequotas) only allow read access - apiGroups: [""] resources: ["bindings", "configmaps", "endpoints", "events", "persistentvolumeclaims", "pods", "podtemplates", "replicationcontrollers", "secrets", "serviceaccounts", "services"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [""] resources: [ "limitranges", "resourcequotas" ] verbs: ["get", "list"] # Allow full access to all resource types of the following explicit list of apiGroups. # Notable exceptions here are: # ApiGroup ResourceTypes # ------- ------------- # policy podsecuritypolicies, poddisruptionbudgets # networking.k8s.io networkpolicies # admissionregistration.k8s.io mutatingwebhookconfigurations, validatingwebhookconfigurations # - apiGroups: ["apps", "batch", "extensions", "autoscaling", "apiextensions.k8s.io", "rbac.authorization.k8s.io"] resources: ["*"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # Cert Manager API access - apiGroups: ["cert-manager.io", "acme.cert-manager.io"] resources: ["*"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] EOF $ kubectl apply -f /home/joefulladmin/users/GeneralEndUser-ClusterRole.yml
For one or more specific end user groups, create an LDAP group, Kubernetes namespace and one or more LDAP users.
Create a new local LDAP group for the end user group.
$ sudo ldapaddgroup ABC-EndUsers
Optional step: Disallow this local LDAP group from using SSH.
Users of this LDAP group can only use the remote kubernetes API/CLI/GUI. Update the
/etc/security/group.conf
with LDAP group mappings.Note
If it is AIO-DX controller configuration, disallow this local LDAP group on both controllers.
$ sudo sed -i '$ a\\\*;\*;%ABC-EndUsers;Al0000-2400;denyssh' /etc/security/group.conf
Create a kubernetes namespace for the end user group.
$ kubectl create namespace abc-ns
Bind the
GeneralEndUser
role to this LDAP group for this kubernetes namespace.$ cat << EOF > /home/joefulladmin/users/ABC-EndUsers-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: ABC-EndUsers namespace: abc-ns subjects: - kind: Group name: ABC-EndUsers apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: GeneralEndUser apiGroup: rbac.authorization.k8s.io EOF $ kubectl apply -f /home/joefulladmin/users/ABC-EndUsers-rolebinding.yml
Create one or more LDAP users for the end user group.
$ sudo ldapusersetup -u steveenduser Password: Successfully added user steveenduser to LDAP Successfully set password for user steveenduser Warning : password is reset, user will be asked to change password at login Successfully modified user entry uid=steveenduser,ou=People,dc=cgcs,dc=local in LDAP Updating password expiry to 90 days Successfully modified user entry uid=steveenduser,ou=People,dc=cgcs,dc=local in LDAP Updating password expiry to 2 days $ sudo ldapaddusertogroup steveenduser ABC-EndUsers
Repeat the
Create one or more LDAP users for the end user group
step for the next user in this end user group.
Repeat the
For one or more specific end user groups, create an LDAP group, kubernetes namespace and one or more LDAP users
step for the next end user group.
Postrequisites
The end user created is able to, optionally, use SSH on the system to execute kubernetes CLI commands to manage the hosted containerized application and execute Linux commands. See section: End Users - Test Local Access using SSH or Kubernetes CLI.
Note
More setup is required for end user to use remote CLIs/GUIs, see section Remote Access.