To provide access to certain Kubernetes cluster namespaces to developers is a part of any DevOps Engineer job.
Basic initial requirements for creating Service Account accesses:
-
Create user(ServiceAccount) in one namespace - default
-
No default, kube-system etc. accesses to namespaces for users
-
The user must have access to the specified namespace with the possibility to view all Pods and their logs and without removal options
-
The user must have access to basic Kubernetes objects such as Ingress, Services, PVC
-
The user should be enabled to portforward, exec for Service and Pods
-
The opportunity to add (update) user's access to other namespaces
-
Automatically create a kubeconfig for the user
Due to the fact that RBAC is quite difficult to understand and the rights management system is too complicated, a simple bash script was written to implement the above-described needs.
The script must connect to Kubernetes with full rights:
/bin/bash ./scripts/k8s-add-user-multiple-namespace.sh john developer staging
where:
john - username - ServiceAccount
developer - developer role with access to namespace
staging - namespace to which we provide access to the developer john (the namespace must already be created in the Kubernetes cluster)
This script provides the opportunity to create 2 roles: developer
and deployer
. Deployer role provides access to the user for the purpose of deployment to the specified namespace.
User's Kubeconfig will be created and located in the directory ./kube-users
in the current script launch directory
The structure of the name of the created configuration file kubeconfig will be as follows: k8s-USERNAME-conf
This way, it is possible to transfer the file to the developer with his name for access to the Kubernetes cluster.
The command that allows to view all pods in namespace: staging
KUBECONFIG=k8s-john-conf kubectl get pods -n staging
And if to try getting all pods in all namespaces:
KUBECONFIG=k8s-john-conf kubectl get pods -A
then we'll get an error:
>$ Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:john" cannot list resource "pods" in API group "" at the cluster scope