Conductor Documentation

Configure Kubernetes Authentication for OAS

Introduction

To allow other users to create Operations at Scale resources with kubectl, the system administrator must grant them permissions through Kubernetes RBAC authorization.

Prior to configuring the Kubernetes RBAC resources, the system administrator must set up the system and create users and groups with access to the cluster. The procedure to set up the system and create users in a WRCP system can be found in WRCP's documentation under User Management > Reference Material > LDAP Accounts > Kubernetes API User Authentication Using LDAP Server > Overview of LDAP Servers.

Grant Kubernetes permissions through direct role binding

Permissions can be granted either at namespace scope or at cluster scope.

To configure namespace-based authorization, create a YAML file containing the Role and RoleBinding definitions as follows:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: conductor-user-role
  namespace: conductor
  labels:
    app: conductor
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["wrcp.windriver.com"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: conductor-user-rolebinding
  namespace: conductor
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: conductor-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: conductor-user-role

To configure cluster-based authorization, create a YAML file containing the ClusterRole and ClusterRoleBinding definitions:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: conductor-user-role
  labels:
    app: conductor
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["wrcp.windriver.com"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: conductor-user-rolebinding
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: conductor-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: conductor-user-role

In the examples above, conductor-user is an account with access to the Kubernetes cluster, created in your Windows Active Directory or LDAP server. The namespace conductor is the namespace in which the WRC instance is installed.

In both examples, conductor-user can read all resources and can create, modify and delete Operations at Scale resources (API group wrcp.windriver.com) and Secrets. With the Role and RoleBinding these permissions apply only inside the conductor namespace; with the ClusterRole and ClusterRoleBinding they apply in every namespace of the cluster, which includes full access to Secrets in every namespace.

To set up the permissions, apply the YAML file with kubectl apply -f <filename>.

Grant Kubernetes permissions through groups

To configure namespace-based authorization for a group, create a YAML file containing the Role and RoleBinding definitions as follows:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: conductor-user-role
  namespace: conductor
  labels:
    app: conductor
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["wrcp.windriver.com"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: conductor-user-rolebinding
  namespace: conductor
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: conductor-users
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: conductor-user-role

Similarly, cluster-based authorization can be configured with a ClusterRole and a ClusterRoleBinding whose subject is the group.

In the example above, conductor-users is a group with access to the Kubernetes cluster, created in your Windows Active Directory or LDAP server.

To give Kubernetes permissions to conductor-user, add that user to the conductor-users group in your Windows Active Directory or LDAP server.

To set up the permissions, apply the YAML file with kubectl apply -f <filename>.
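To see how the three rules combine for the direct bindings above and for the group binding, here is a small Python model of Kubernetes RBAC evaluation. It is an added example written for this page, not code from Conductor or Kubernetes; the rules are transcribed from the manifests above, the binding scopes mirror the RoleBinding and ClusterRoleBinding variants, and the resource name example-resource is a constructed placeholder. It answers the same questions as kubectl auth can-i <verb> <resource> --as=<user> -n <namespace> on a live cluster.

```python
"""Toy model of Kubernetes RBAC evaluation for conductor-user-role (added example).

RBAC is purely additive: a request is allowed if ANY rule in ANY role bound to the
user (directly or through a group) matches; there are no deny rules. Simplified to
namespaced resources only.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

FULL = ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]

# Rules of conductor-user-role, transcribed from the manifests on this page.
CONDUCTOR_USER_ROLE = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["wrcp.windriver.com"], "resources": ["*"], "verbs": FULL},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": FULL},
]


@dataclass
class Binding:
    """A RoleBinding (namespace set) or a ClusterRoleBinding (namespace None)."""
    rules: List[dict]
    subjects: Set[str]              # user names and "group:<name>" entries
    namespace: Optional[str] = None  # None means every namespace in the cluster


def _matches(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """A PolicyRule matches when group, resource and verb all match; '*' is a wildcard."""
    return (
        any(g in ("*", api_group) for g in rule["apiGroups"])
        and any(r in ("*", resource) for r in rule["resources"])
        and any(v in ("*", verb) for v in rule["verbs"])
    )


def can_i(bindings, user, groups, verb, resource, api_group="", namespace="default"):
    """Answer like `kubectl auth can-i <verb> <resource> --as=<user> -n <namespace>`."""
    subjects = {user} | {f"group:{g}" for g in groups}
    for b in bindings:
        if not (b.subjects & subjects):
            continue  # binding does not name this user or any of their groups
        if b.namespace is not None and b.namespace != namespace:
            continue  # a RoleBinding only covers its own namespace
        if any(_matches(r, api_group, resource, verb) for r in b.rules):
            return True
    return False


# The three bindings on this page: direct/namespaced, direct/cluster-wide, group/namespaced.
NAMESPACED = [Binding(CONDUCTOR_USER_ROLE, {"conductor-user"}, "conductor")]
CLUSTER_WIDE = [Binding(CONDUCTOR_USER_ROLE, {"conductor-user"}, None)]
GROUP_NAMESPACED = [Binding(CONDUCTOR_USER_ROLE, {"group:conductor-users"}, "conductor")]
```

Comparing NAMESPACED with CLUSTER_WIDE for create secrets in kube-system shows the practical difference between the Role and ClusterRole variants.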