Configuring Your Kubernetes Role-Based Access Control with Lens Spaces

Edward Ionel - March 7, 2022

Setting up a Kubernetes service has become relatively easy, whether it be on-premise or in public cloud services. However, securely sharing access to this cluster with colleagues is a daunting task. Giving access can be a painful process involving cluster certificates, access management systems, networking setup, and firewalls.

Administrators typically do not want to expose their Kubernetes clusters on a public network directly. Instead, to secure access with colleagues, they either stay on a private network or create VPN access for remote work—a set-up that is not only expensive but challenging to implement. When you work with multiple clusters in different clouds, it requires numerous VPNs, and giving developers access becomes a true headache.

With Lens Spaces, a feature within Lens – The Kubernetes Platform, Kubernetes users can easily share access to a cluster securely. Lens Spaces utilizes end-to-end encryption to secure connections between individual users and clusters, eliminating the need for a VPN. This provides a much more secure environment for giving access to a Kubernetes cluster. Through Lens Spaces, multiple team members can access a Kubernetes cluster securely with the correct permissions associated. (If you’d like to learn more about how this works, check out the Lens docs.)

In this blog, we will address role-based access control (RBAC) via Lens and how to configure your RBAC manifest via Lens. This way, cluster administrators can easily manage cluster access. We will create specific roles that will dictate how a colleague may interact with our Kubernetes cluster.

Prerequisites:

  1. Latest version of Lens
  2. Kubernetes cluster
  3. Lens Spaces account

Using Lens Spaces’ Built-In Teams for RBAC

To start, let’s talk about the default Kubernetes RBAC settings for users sharing secure access to their clusters via Lens Spaces. Each user connected to a cluster via Lens Spaces will get their permissions to a cluster via the Lens Spaces teams they belong to. Admins and owners of a space can easily change permissions using the Lens Spaces built-in teams: Members, Admins, and Owners.

  • Members: Read Access to all connected clusters in a space
  • Admins: Read & Write Access to all connected clusters in a space
  • Owners: Read & Write Access to all connected clusters in a space

To support these roles, all clusters connected to Lens Spaces are preconfigured with the following ClusterRoles and ClusterRoleBindings:

  • ClusterRole: lens-spaces-view
  • ClusterRole: lens-cluster-admin (Read & Write Access)
  • ClusterRoleBinding: lens-platform-read-teams
  • ClusterRoleBinding: lens-platform-write-teams

Rules for the lens-cluster-admin ClusterRole (screenshot)

The lens-platform-read-teams ClusterRoleBinding (screenshot)

Granular Configuration:

Although the default configuration may be useful to some, many cluster administrators need to adjust cluster access at a granular level. Admins and owners of a space can easily grant additional permissions by creating their own space “team”: for example, developers, operators, and L1 support.

Now, let’s imagine your space has a team called “Developers” and everyone within this team needs edit access to the default namespace. In order to do this, you will need to create an additional “Role-Binding.”

There are two ways to do this, and we will demonstrate both options.

The first (and more complex) option is writing and deploying the YAML code below to your cluster. Once deployed, everyone within the “Developers Team” will have edit access to the “default namespace.”

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: edit
  namespace: default
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: lens-spaces:Developers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit

Now for the simpler option: using Lens’ features to create the role binding that you envision, without the need to write any YAML.

In Lens, navigate to “Access Control” and select “Cluster Role Bindings”.

Once you are in the “Role Bindings” section of Lens within Access Control, click the + Icon on the bottom right.

You should see the following screen, which allows you to configure your new RoleBindings.

Custom role binding creation screen

Now, it’s time to configure your RoleBindings via Lens. In this exercise, we are going to achieve the same outcome as the YAML code above.

Now enter the following values in the respective fields. They must match the manifest above exactly; Kubernetes compares namespace and group names case-sensitively.

  • Namespace = default
  • Role Reference = edit
  • Binding Name = edit
  • Groups = lens-spaces:Developers (press Enter to confirm the group)

Now you can click “Create” and your new RoleBinding will be created.

Closer view of role binding creation screen

So what exactly did we do? With this change, anyone within the “Developers” team in your Space will have Read & Write Access to all resources within the “Default” namespace. Now, developers will be able to easily review and access all logs within the “Default” namespace, for example.
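To make the effect of this binding concrete, here is an added Python model of the RBAC decision that the API server makes for it. This is illustration code written for this page, not Lens or Kubernetes code. It takes the RoleBinding manifest above (as the dict a YAML loader would produce), a reduced subset of the rules of the built-in `edit` and `view` ClusterRoles (an assumption: the real roles cover many more resources, but the difference that `edit` can read Secrets and `view` cannot is real), and a constructed stand-in for the cluster-wide `lens-platform-read-teams` binding whose subject group `lens-spaces:Members` is assumed because the page does not show the real subject list. It then answers "can this group do this verb on this resource in this namespace?" with the properties that matter here: deny by default, case-sensitive group names, and a RoleBinding that only grants inside its own namespace even when it references a ClusterRole.

```python
"""Offline model of the Kubernetes RBAC decision for the Lens Spaces RoleBinding
shown on this page. Added example, not Lens or Kubernetes code."""

# Assumption: a reduced subset of the built-in "edit" and "view" ClusterRole rules.
# The real roles list far more resources; the secrets difference below is real.
CLUSTER_ROLES = {
    "edit": [
        {"apiGroups": [""],
         "resources": ["pods", "pods/log", "configmaps", "secrets", "services"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": ["apps"],
         "resources": ["deployments", "replicasets"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
    "view": [
        {"apiGroups": [""],
         "resources": ["pods", "pods/log", "configmaps", "services"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"],
         "resources": ["deployments", "replicasets"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# The RoleBinding from the page, as a YAML loader would return it.
DEVELOPERS_EDIT_DEFAULT = {
    "kind": "RoleBinding",
    "metadata": {"name": "edit", "namespace": "default"},
    "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                  "name": "lens-spaces:Developers"}],
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "edit"},
}

# Constructed stand-in for the cluster-wide read binding the page names
# (lens-platform-read-teams). Its real subjects are not shown on the page, so the
# group name "lens-spaces:Members" is an assumption made for this example.
MEMBERS_VIEW_CLUSTERWIDE = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "lens-platform-read-teams"},
    "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                  "name": "lens-spaces:Members"}],
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "view"},
}

BINDINGS = [DEVELOPERS_EDIT_DEFAULT, MEMBERS_VIEW_CLUSTERWIDE]


def _rule_allows(rule, api_group, resource, verb):
    """One PolicyRule matches only if API group, resource and verb all match."""
    def hit(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def _binding_applies(binding, groups, namespace):
    """Subject match is an exact, case-sensitive compare; RoleBindings are namespaced."""
    if not any(s["kind"] == "Group" and s["name"] in groups
               for s in binding["subjects"]):
        return False
    if binding["kind"] == "RoleBinding":
        # Even when roleRef is a ClusterRole, the grant stays inside this namespace.
        return binding["metadata"]["namespace"] == namespace
    return True  # ClusterRoleBinding: applies in every namespace


def can_i(groups, verb, resource, namespace, api_group="",
          bindings=BINDINGS, roles=CLUSTER_ROLES):
    """Deny by default; allow if any applicable binding's ClusterRole has a matching rule.
    Only roleRef.kind == ClusterRole is modelled, which is all this page uses."""
    for binding in bindings:
        if not _binding_applies(binding, groups, namespace):
            continue
        for rule in roles.get(binding["roleRef"]["name"], []):
            if _rule_allows(rule, api_group, resource, verb):
                return True
    return False


if __name__ == "__main__":
    checks = [
        (["lens-spaces:Developers"], "get", "pods/log", "default", ""),
        (["lens-spaces:Developers"], "delete", "pods", "default", ""),
        (["lens-spaces:Developers"], "delete", "pods", "kube-system", ""),
        (["Lens-Spaces:Developers"], "get", "pods", "default", ""),   # wrong case
        (["lens-spaces:Developers"], "get", "secrets", "default", ""),
        (["lens-spaces:Members"], "get", "secrets", "default", ""),
        (["lens-spaces:Developers"], "patch", "deployments", "default", "apps"),
    ]
    for groups, verb, resource, ns, grp in checks:
        verdict = "yes" if can_i(groups, verb, resource, ns, grp) else "no"
        print(f"{groups[0]:>24} {verb:>6} {grp + '/' if grp else ''}{resource} in {ns}: {verdict}")
```

The same questions can be asked of a live cluster with kubectl's impersonation flags, for example `kubectl auth can-i delete pods -n default --as=someone --as-group=lens-spaces:Developers` (`--as` is required whenever `--as-group` is used). Two things the model makes visible that the screenshots do not: the group name must match the Lens Spaces team name exactly, a `Lens-Spaces:Developers` binding silently grants nothing, and `edit` in a namespace includes reading that namespace's Secrets, so "edit access to default" is broader than reviewing logs.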

Summary:

In this blog, we covered the challenges that cluster administrators face when sharing access to their cluster with colleagues and how to overcome them, and we walked through examples of using Lens Spaces to configure granular access control for a specific namespace within your cluster. With the changes we made, users can now view all resources within the default namespace.

About Lens:

Lens is the way the world runs Kubernetes. It’s lowering the barrier of entry for people just getting started and radically improving productivity for people with more experience. Users of Lens gain clarity on how their clusters and cloud native software stacks work. It helps people to put things in perspective and to make sense of it all. Thousands of businesses and hundreds of thousands of Kubernetes users develop and operate their Kubernetes on Lens. The Lens open source project is backed by a number of Kubernetes and cloud-native ecosystem pioneers. With a community of over 450,000 Kubernetes users and 17k stars on GitHub, Lens is the largest and most advanced Kubernetes platform in the world. Download Lens at https://k8slens.dev.
