From 80c984af2674a9facfbd1681aa09a7b860ef0b94 Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Wed, 3 Jan 2024 12:01:12 +0100 Subject: [PATCH 01/23] docs(k8s): kubeconfig with iam --- .../how-to/manage-kubeconfig-with-iam.mdx | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx diff --git a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx new file mode 100644 index 0000000000..7a463f829b --- /dev/null +++ b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx 
@@ -0,0 +1,42 @@ +--- +meta: + title: How to manage Kubeconfig files with IAM + description: This page explains how to manage Kubeconfig files with IAM +content: + h1: How to manage Kubeconfig files with IAM + paragraph: This page explains how to manage Kubeconfig files with IAM +tags: kubernetes kapsule-cluser +dates: + validation: 2024-01-03 + posted: 2024-01-03 +categories: + - kubernetes +--- + + +A Kubeconfig file stores the necessary credentials for accessing a Kubernetes cluster and deployment management. It includes essential information such as cluster details, authentication data, and context information, providing users with the means to oversee and manipulate their Kubernetes clusters. + +Kubeconfig files are generated using IAM now. This allows you to generate more granulated access allowing you to: +When one of their technical staff quits, customers must reset their "admin" token to avoid having a security leak. This operation requires a reboot of the API server which could take several minutes. Then, all other staff are forced to re-download the Kubeconfig file for continued access.. That's neither convenient nor scalable management for our target audience. +Since all users share the same "cluster-admin" token, Audit Logs are anonymous as of now. This isn't sufficient for our current/upcoming enterprise customers. +Applications running inside the cluster aren't authenticated using specific tokens (feature request). This is useful for when a pod needs to interact with the Kubernetes API, as it can authenticate using its associated Service Account. + + + + Entering a deprecation cycle, the former authentication system (using static admin tokens) remains active: all your legacy Kubeconfig files keep access to their clusters for the time being. For security measure you can still make use of the « reset admin token » feature, either through our Kubernetes API or Scaleway’s CLI. 
+ We recommend users to download new unique, identifiable Kubeconfig files with IAM tokens inside. + + + + + + - You have an account and are logged into the [Scaleway console](https://console.scaleway.com) + - You have [created](/containers/kubernetes/how-to/create-cluster) a Kubernetes Kapsule cluster + + +1. Click **Kubernetes** in the **Containers** section of the [Scaleway console](https://console.scaleway.com) side menu. The Kubernetes Kapsule overview displays. +2. Click the name of the cluster you want to access. The cluster overview page displays. Click on the name of the cluster you want to manage. +3. Scroll down to the **Download kubeconfig with IAM** section of the page. +4. Click **Download kubeconfig** +5. Select the API key bearer, enter a description and set the expiration date for the kubeconfig file, then click **Generate kubeconfig**. +6. Download the kubeconfig file and export the path to start using it with `kubectl`. From d98aedd06628d9c66381ef697b77f37516b9e51e Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Thu, 4 Jan 2024 10:21:49 +0100 Subject: [PATCH 02/23] docs(k8s): rbac --- ...set-iam-premissions-and-implement-rbac.mdx | 40 ++++++ .../kubernetes-iam-bindings.mdx | 122 ++++++++++++++++++ 2 files changed, 162 insertions(+) create mode 100644 containers/kubernetes/how-to/set-iam-premissions-and-implement-rbac.mdx create mode 100644 containers/kubernetes/reference-content/kubernetes-iam-bindings.mdx diff --git a/containers/kubernetes/how-to/set-iam-premissions-and-implement-rbac.mdx b/containers/kubernetes/how-to/set-iam-premissions-and-implement-rbac.mdx new file mode 100644 index 0000000000..0e3127647c --- /dev/null +++ b/containers/kubernetes/how-to/set-iam-premissions-and-implement-rbac.mdx 
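Review bot: the paragraph that follows "This allows you to generate more granulated access allowing you to:" in the new `manage-kubeconfig-with-iam.mdx` is internal product-planning text rather than user documentation ("customers must reset their "admin" token", "That's neither convenient nor scalable management for our target audience", "(feature request)"), and its list markers were lost so the three reasons run together as prose. Rewrite it as user-facing benefits (one credential per user, no admin-token reset when a user leaves, audit log entries attributable to a person or application), and fix "granulated" to "granular" and the doubled period in "continued access..". Other points in the same hunk: step 2 tells the reader twice to click the cluster name; the tag `kapsule-cluser` is misspelled; "For security measure you can still make use of the « reset admin token » feature" should link the actual procedure and use the straight quotes the rest of the docs use. Since step 5 sets an expiration date, say what the reader should expect when it lapses (a new kubeconfig has to be generated) and that the downloaded file embeds a bearer credential tied to that API key, so it needs the same handling as the API key itself.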
@@ -0,0 +1,40 @@ +--- +meta: + title: How to set IAM permissions and implement RBAC on a cluster + description: This page explains how to set IAM permissions and implement RBAC on a cluster +content: + h1: How to set IAM permissions and implement RBAC on a cluster + paragraph: This page explains how to set IAM permissions and implement RBAC on a cluster +tags: kubernetes kapsule-cluser +dates: + validation: 2024-01-03 + posted: 2024-01-03 +categories: + - kubernetes +--- + +Role-based access control (RBAC) is a ntive feature of Kubernetes and a method of regulating access to computer or network resources based on the roles of individual users within your Organization. +The feature is activated on Scaleway Kubernetes Kapsule and Kosmos by default and allows you to assign roles to users, groups or ServicesAccount via RoleBindings and ClusterRoleBindings. + + +The system is based on apiserver's Webhook Token Authentication. When the apiserver receives a request, it calls the webhook via an "apiVersion" resource: "authentication.k8s.io/v1", "kind": "TokenReview" and a component must validate the token sent. + +If the user has the `KubernetesFullAccess` permission (`kubernetes:cluster:write`) on the project, then the response assigns the user `kubernetes-admin` and the group `system:master`, as in the case of the kubeconfig static token. +Otherwise, it is simply denied. + +Key components of RBAC in Kubernetes include: + +1. **Roles and ClusterRoles:** + - **Roles:** These are specific to a namespace and define a set of permissions for resources within that namespace (e.g., pods, services). + - **ClusterRoles:** These are similar to roles but apply cluster-wide, spanning across all namespaces. + +2. **RoleBindings and ClusterRoleBindings:** + - **RoleBindings:** These associate a set of permissions defined in a Role with a user, group, or service account within a specific namespace. 
+ - **ClusterRoleBindings:** These associate a set of permissions defined in a ClusterRole with a user, group, or service account across the entire cluster. + +3. **Subjects:** + - A subject in RBAC can be a user, a group, or a service account to which roles or cluster roles are bound. + +4. **Rules:** + - Rules are sets of permissions associated with roles or cluster roles. They specify what actions are allowed or denied on specific resources. + diff --git a/containers/kubernetes/reference-content/kubernetes-iam-bindings.mdx b/containers/kubernetes/reference-content/kubernetes-iam-bindings.mdx new file mode 100644 index 0000000000..fa909b92f1 --- /dev/null +++ b/containers/kubernetes/reference-content/kubernetes-iam-bindings.mdx 
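Review bot: the hunk states that the webhook response assigns "the group `system:master`", but the Kubernetes superuser group is `system:masters` (a later patch in this series spells it correctly); an RBAC binding or a webhook answer using `system:master` would match nothing, so fix the name here. The sentence "it calls the webhook via an "apiVersion" resource: "authentication.k8s.io/v1", "kind": "TokenReview" and a component must validate the token sent" is garbled; state plainly that the API server is configured for webhook token authentication, forwards each bearer token to Scaleway IAM as a `TokenReview`, and receives the username and groups in the reply. "Otherwise, it is simply denied" contradicts what this series documents later (read-only users are authenticated but hold no permissions until a binding grants them); "ntive" should be "native", `ServicesAccount` should be `ServiceAccount`, and the file name `set-iam-premissions-and-implement-rbac.mdx` carries a typo that will force a rename.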
@@ -0,0 +1,122 @@ +--- +meta: + title: Kubernetes IAM bindings + description: This page provides information about the different control plane offers available for Scaleway Kubernetes Kapsule and Kosmos +content: + h1: Kubernetes IAM bindings + paragraph: This page provides information about the different control plane offers available for Scaleway Kubernetes Kapsule and Kosmos +tags: kubernetes control plane control-plane offers dedicated mutualized +dates: + validation: 2023-09-26 + posted: 2023-09-26 +categories: + - kubernetes +--- + +## Situations + +## User has AllProductFullAccess + + + + * `secret_key`: `ae2d4faf-2402-422b-890a-1ce29a45c101` + + * GetAuthContext + * `bearer_id`: `773989c0-607c-4bb8-a5b8-867581b4e8d2 + * `auth_id`: `f1d92007-5825-46f4-8843-8438197a2825`` + + * GetPermissions + * `{ service_name: kubernetes, name: cluster, action: [ read ] }` **GRANTED** + * `{ service_name: kubernetes, name: cluster, action: [ write ] }` **DENIED** + * `{ service_name: kubernetes, name: group_system_masters , action: [ access ] }` **DENIED** + + + ```yaml + { + "apiVersion": "authentication.k8s.io/v1", + "kind": "TokenReview", + "status": { + "authenticated": true, + "user": { + "username": "scaleway:bearer:773989c0-607c-4bb8-a5b8-867581b4e8d2", + "uid": "773989c0-607c-4bb8-a5b8-867581b4e8d2", + "groups": [ + "scaleway:groups:????????", + "scaleway:groups:!!!!!!!!", + ], + }, + } + } + ``` + + + + +Role+Bindings example for Users & Groups + +Example giving all access to a namespace  example-namespace to Group scaleway:groups:3972be4a-43d9-43da-9a55-195f1de9b770:Devops : + +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: devops-example-namespace-full-access + namespace: example-namespace +rules: +- apiGroups: [""] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["extensions"] + resources: ["*"] + verbs: ["*"] + +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: devops-rolebinding + namespace: 
example-namespace +subjects: +- kind: Group + name: scaleway:groups:3972be4a-43d9-43da-9a55-195f1de9b770:Devops + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: devops-example-namespace-full-access + apiGroup: rbac.authorization.k8s.io + + + +Example giving read access to a namespace  example-namespace to User scaleway:bearer:773989c0-607c-4bb8-a5b8-867581b4e8d2 : + +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: toto-read + namespace: example-namespace +rules: +- apiGroups: [""] + resources: ["*"] + verbs: ["list", "get"] +- apiGroups: ["extensions"] + resources: ["*"] + verbs: ["list","get"] + +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: toto-rolebinding + namespace: example-namespace +subjects: +- kind: User + name: scaleway:bearer:773989c0-607c-4bb8-a5b8-867581b4e8d2 + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: toto-read + apiGroup: rbac.authorization.k8s.io + + \ No newline at end of file From 770d463ab7e8871e4044beb008d88a0081160f24 Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Thu, 4 Jan 2024 11:09:22 +0100 Subject: [PATCH 03/23] docs(k8s): iam --- .../how-to/manage-kubeconfig-with-iam.mdx | 2 + ...set-iam-premissions-and-implement-rbac.mdx | 41 ++++++++++++------- 2 files changed, 29 insertions(+), 14 deletions(-) diff --git a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx index 7a463f829b..f6e6d87b7f 100644 --- a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx +++ b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx 
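Review bot: the "User has AllProductFullAccess" section of `kubernetes-iam-bindings.mdx` commits a concrete `secret_key` value (`ae2d4faf-2402-422b-890a-1ce29a45c101`) next to `bearer_id` and `auth_id`; replace it with an obviously fake placeholder, and if the value was ever a live key, rotate it, because it remains in git history after any later deletion. The section also contradicts its heading (a full-access user is shown as **DENIED** for `cluster write`) and is clearly unfinished: `scaleway:groups:????????` placeholder groups, a JSON document inside a ```yaml fence with trailing commas, an unclosed backtick after the `bearer_id` value and a doubled one after `auth_id`, and a meta description copied from the control plane offers page. In the RBAC examples, the Role described as "giving all access to a namespace" only lists apiGroups `""` and `extensions`; the `extensions` group serves no resources on Kubernetes 1.22 and later, so Deployments (`apps`), Ingresses (`networking.k8s.io`) and everything else outside the core group would be excluded. Use `apiGroups: ["*"]` if full namespace access is meant, and wrap the manifests in fenced code blocks so the `---` separators are not rendered as thematic breaks by MDX.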
@@ -40,3 +40,5 @@ Applications running inside the cluster aren't authenticated using specific toke 4. Click **Download kubeconfig** 5. Select the API key bearer, enter a description and set the expiration date for the kubeconfig file, then click **Generate kubeconfig**. 6. Download the kubeconfig file and export the path to start using it with `kubectl`. + +You can now manage your cluster using `kubectl`. For more information about this tool, refer to the [official kubectl documentation](https://kubernetes.io/docs/reference/kubectl/). \ No newline at end of file diff --git a/containers/kubernetes/how-to/set-iam-premissions-and-implement-rbac.mdx b/containers/kubernetes/how-to/set-iam-premissions-and-implement-rbac.mdx index 0e3127647c..43b603ea5a 100644 --- a/containers/kubernetes/how-to/set-iam-premissions-and-implement-rbac.mdx +++ b/containers/kubernetes/how-to/set-iam-premissions-and-implement-rbac.mdx 
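Review bot: the added closing sentence in `manage-kubeconfig-with-iam.mdx` is fine; add a trailing newline so the file stops ending with `\ No newline at end of file`, which every later patch to this file will otherwise show as noise.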
@@ -14,27 +14,40 @@ categories: --- Role-based access control (RBAC) is a ntive feature of Kubernetes and a method of regulating access to computer or network resources based on the roles of individual users within your Organization. -The feature is activated on Scaleway Kubernetes Kapsule and Kosmos by default and allows you to assign roles to users, groups or ServicesAccount via RoleBindings and ClusterRoleBindings. - - -The system is based on apiserver's Webhook Token Authentication. When the apiserver receives a request, it calls the webhook via an "apiVersion" resource: "authentication.k8s.io/v1", "kind": "TokenReview" and a component must validate the token sent. - -If the user has the `KubernetesFullAccess` permission (`kubernetes:cluster:write`) on the project, then the response assigns the user `kubernetes-admin` and the group `system:master`, as in the case of the kubeconfig static token. -Otherwise, it is simply denied. +The feature is activated on Scaleway Kubernetes Kapsule and Kosmos by default and is compatible with Scaleway's IAM service. +IAM and RBAC work together by integrating the cloud provider's identity and access management with Kubernetes' native RBAC system. This integration ensures that access permissions are consistent across both the cloud infrastructure and the Kubernetes cluster, providing a secure access control mechanism. +It allows you to assign roles to users, groups or `ServicesAccount` via `RoleBindings` and `ClusterRoleBindings`. Key components of RBAC in Kubernetes include: -1. **Roles and ClusterRoles:** +- **Roles and ClusterRoles:** - **Roles:** These are specific to a namespace and define a set of permissions for resources within that namespace (e.g., pods, services). - **ClusterRoles:** These are similar to roles but apply cluster-wide, spanning across all namespaces. - -2. 
**RoleBindings and ClusterRoleBindings:** +- **RoleBindings and ClusterRoleBindings:** - **RoleBindings:** These associate a set of permissions defined in a Role with a user, group, or service account within a specific namespace. - **ClusterRoleBindings:** These associate a set of permissions defined in a ClusterRole with a user, group, or service account across the entire cluster. - -3. **Subjects:** +- **Subjects:** - A subject in RBAC can be a user, a group, or a service account to which roles or cluster roles are bound. - -4. **Rules:** +- **Rules:** - Rules are sets of permissions associated with roles or cluster roles. They specify what actions are allowed or denied on specific resources. +## Built-in IAM Permissions + +### KubernetesSystemMastersGroupAccess + +The `KubernetesSystemMastersGroupAccess` permission grants users the ability to manage and modify user groups within the Kubernetes system. Users with this permission can create, update, and delete user groups, which are essential for organizing and controlling access within the cluster. + +### KubernetesFullAccess + +The `KubernetesFullAccess` permission provides access rights to users within the Kubernetes system. It includes permissions for managing namespaces, pods, services, deployments, and other critical resources. Users with `KubernetesFullAccess` have the capability to perform various administrative tasks across the entire cluster. + +## Cluster role "scaleway:cluster-write" + +The `scaleway:cluster-write` cluster role is a custom role that grants users write access to certain cluster-level resources. It is essential to understand the specific permissions associated with this role to ensure users can perform necessary operations without granting unnecessary privileges. 
+To view the details of this cluster role, use the following command: + +```bash +kubectl get clusterrole scaleway:cluster-write -o yaml +``` + +Review the permissions listed in the YAML output to understand the scope of actions allowed by this role. From f42d42d9e05921f1ef25e4c9f30354a7d539f66d Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Tue, 9 Jan 2024 16:17:04 +0100 Subject: [PATCH 04/23] feat(k8s): iam and rbac --- .../how-to/connect-cluster-kubectl.mdx | 9 +- .../kubernetes/how-to/edit-kosmos-cluster.mdx | 7 + .../how-to/manage-kubeconfig-with-iam.mdx | 45 ++++- ...set-iam-premissions-and-implement-rbac.mdx | 53 ------ .../kubernetes-iam-bindings.mdx | 122 ------------- ...set-iam-permissions-and-implement-rbac.mdx | 169 ++++++++++++++++++ menu/navigation.json | 8 + 7 files changed, 228 insertions(+), 185 deletions(-) delete mode 100644 containers/kubernetes/how-to/set-iam-premissions-and-implement-rbac.mdx delete mode 100644 containers/kubernetes/reference-content/kubernetes-iam-bindings.mdx create mode 100644 containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx diff --git a/containers/kubernetes/how-to/connect-cluster-kubectl.mdx b/containers/kubernetes/how-to/connect-cluster-kubectl.mdx index 8c0ed86a4c..cc7634827d 100644 --- a/containers/kubernetes/how-to/connect-cluster-kubectl.mdx +++ b/containers/kubernetes/how-to/connect-cluster-kubectl.mdx @@ -42,4 +42,11 @@ Once your [cluster is created](/containers/kubernetes/how-to/create-cluster/), a kubectl get nodes ``` - +<<<<<<< HEAD + +======= + + How to manage Kubeconfig files with IAM + How to deploy an image from Container Registry + +>>>>>>> 17c4e486d (feat(k8s): iam and rbac) diff --git a/containers/kubernetes/how-to/edit-kosmos-cluster.mdx b/containers/kubernetes/how-to/edit-kosmos-cluster.mdx index bd40254dc9..acfee21145 100644 --- a/containers/kubernetes/how-to/edit-kosmos-cluster.mdx +++ b/containers/kubernetes/how-to/edit-kosmos-cluster.mdx 
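Review bot: the new "Built-in IAM Permissions" section in `set-iam-premissions-and-implement-rbac.mdx` describes `KubernetesSystemMastersGroupAccess` as the ability to "manage and modify user groups within the Kubernetes system" (create, update, delete user groups); Kubernetes has no user-group objects to manage, and the next patch in this series says the permission adds the user to the `system:masters` group, so describe it as superuser access that bypasses RBAC. Likewise `scaleway:cluster-write` is introduced as "write access to certain cluster-level resources", while its manifest (added in the next patch) grants `*` on every API group, resource, verb and non-resource URL; the doc should say it is equivalent to cluster-admin so readers do not hand it out as a "write" role. The hunk also deletes the only explanation of how IAM tokens are authenticated (the TokenReview webhook) without moving it anywhere, and still carries "ntive" and `ServicesAccount`. The `kubectl get clusterrole scaleway:cluster-write -o yaml` check is good advice and should survive the restructuring.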
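Review bot: the hunk for `connect-cluster-kubectl.mdx` commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 17c4e486d (feat(k8s): iam and rbac)`); they will either render verbatim or break the MDX build. Resolve the conflict by keeping the navigation block with the two "How to ..." links and deleting the markers and the empty HEAD side.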
@@ -112,3 +112,10 @@ The Kubernetes version of the existing nodes in your multi-cloud pool can be upg 4. Detach the older node in Scaleway API. +<<<<<<< HEAD +======= + + How to create a Kosmos cluster + How to manage Kubeconfig files with IAM + +>>>>>>> 17c4e486d (feat(k8s): iam and rbac) diff --git a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx index f6e6d87b7f..c3b83a8396 100644 --- a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx +++ b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx 
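Review bot: same unresolved conflict markers as in `connect-cluster-kubectl.mdx`: `<<<<<<< HEAD`, `=======` and `>>>>>>> 17c4e486d` are committed into `edit-kosmos-cluster.mdx`. Keep the two navigation links and remove the markers; a CI or pre-commit check that rejects lines starting with `<<<<<<< ` or `>>>>>>> ` would catch this class of mistake before review.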
@@ -7,23 +7,35 @@ content: paragraph: This page explains how to manage Kubeconfig files with IAM tags: kubernetes kapsule-cluser dates: - validation: 2024-01-03 - posted: 2024-01-03 + validation: 2024-01-09 + posted: 2024-01-09 categories: - kubernetes --- -A Kubeconfig file stores the necessary credentials for accessing a Kubernetes cluster and deployment management. It includes essential information such as cluster details, authentication data, and context information, providing users with the means to oversee and manipulate their Kubernetes clusters. +A Kubeconfig file serves as a repository for essential credentials required to access a Kubernetes cluster and manage deployments. +This file contains critical information, including cluster details, authentication data, and context information, allowing users to oversee and configure their Kubernetes clusters effectively. -Kubeconfig files are generated using IAM now. This allows you to generate more granulated access allowing you to: -When one of their technical staff quits, customers must reset their "admin" token to avoid having a security leak. This operation requires a reboot of the API server which could take several minutes. Then, all other staff are forced to re-download the Kubeconfig file for continued access.. That's neither convenient nor scalable management for our target audience. -Since all users share the same "cluster-admin" token, Audit Logs are anonymous as of now. This isn't sufficient for our current/upcoming enterprise customers. -Applications running inside the cluster aren't authenticated using specific tokens (feature request). This is useful for when a pod needs to interact with the Kubernetes API, as it can authenticate using its associated Service Account. +Scaleway's Identity and Access Management (IAM) is now being used to generate Kubeconfig files. 
This integration offers several advantages: +- **Improved user administration:** + - When removing a cluster user, there is no longer a need to reset the admin token, mitigating security risks. +- **Increased Cluster Security:** + - Each user possesses a unique credential, enhancing security. + - Audit logs facilitate the identification of specific Kubernetes users. +- **Enhanced Application Security:** + - Applications within the cluster are authenticated using specific tokens. + - This authentication method is particularly useful when a pod needs to interact with the Kubernetes API, as it can authenticate using its associated Service Account. + +[Identity and Access Management (IAM)](https://www.scaleway.com/en/docs/identity-and-access-management/iam/concepts/#iam) provides control over resource access. IAM policies enable the configuration of permissions for Kubernetes Kapsule clusters at the Project level. + +An [IAM policy](https://www.scaleway.com/en/docs/identity-and-access-management/iam/concepts/#policy) defines the permissions for users, groups, and applications within an Organization. It consists of a [principal](https://www.scaleway.com/en/docs/identity-and-access-management/iam/concepts/#principal) (the user, group, or application to which it applies) and IAM rules that specify permission sets and their scope. + +The [combination of IAM and Kubernetes RBAC](http://localhost:8003/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) allows to define finely granulated access levels for cluster users. - Entering a deprecation cycle, the former authentication system (using static admin tokens) remains active: all your legacy Kubeconfig files keep access to their clusters for the time being. For security measure you can still make use of the « reset admin token » feature, either through our Kubernetes API or Scaleway’s CLI. 
+ Entering a deprecation cycle, the former authentication system (using static admin tokens) remains active until Q4/2024: all your legacy Kubeconfig files keep access to their clusters for the time being. For security measure you can still make use of the "reset admin token" feature !!!ADD LINK HERE!!!, either through our Kubernetes API or Scaleway’s CLI. We recommend users to download new unique, identifiable Kubeconfig files with IAM tokens inside. @@ -34,6 +46,16 @@ Applications running inside the cluster aren't authenticated using specific toke - You have [created](/containers/kubernetes/how-to/create-cluster) a Kubernetes Kapsule cluster +## Setting up access + +1. [Create a group](/identity-and-access-management/iam/how-to/create-group/) named `k8s-group` that contains the user and the application, so they are the only ones to have access to Object Storage. +2. [Create an IAM policy](/identity-and-access-management/iam/how-to/create-policy/) named `k8s-policy` in the Scaleway console, with the previously created group as a [principal](/identity-and-access-management/iam/concepts/#principal). Apply the corresponding IAM policy to the group. For example `KubernetesFullAccess`. + + Refer to [Setting IAM permissions and implement RBAC on a cluster](/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) for a detailed overview about the available IAM permissions and how to fine-tune them using Kubernetes RBAC. + + +## Downloading the Kubeconfig file + 1. Click **Kubernetes** in the **Containers** section of the [Scaleway console](https://console.scaleway.com) side menu. The Kubernetes Kapsule overview displays. 2. Click the name of the cluster you want to access. The cluster overview page displays. Click on the name of the cluster you want to manage. 3. Scroll down to the **Download kubeconfig with IAM** section of the page. 
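Review bot: the rewritten introduction of `manage-kubeconfig-with-iam.mdx` links to `http://localhost:8003/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/`; this must be the site-relative path (`/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/`) as used elsewhere in the same hunk. The deprecation note still contains the `!!!ADD LINK HERE!!!` placeholder for the "reset admin token" feature, and the removed paragraph carried an operational fact worth keeping: resetting the admin token restarts the API server, which can take several minutes, and invalidates every legacy kubeconfig in circulation. Readers planning the migration away from static admin tokens before Q4/2024 need that caveat next to the recommendation. Minor wording: "allows to define finely granulated access levels" should read "allows you to define fine-grained access levels".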
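Review bot: step 1 of the new "Setting up access" section says the `k8s-group` ensures the user and application "are the only ones to have access to Object Storage"; this is copied from the Object Storage how-to and should say the Kubernetes cluster. The prerequisites never mention creating an application, yet step 1 assumes one exists. In step 2, offering `KubernetesFullAccess` as the example permission set steers every reader toward an identity that maps to the `scaleway:cluster-write` group, which the reference page in this same series shows to be unrestricted; since that page also explains that read-only users receive no cluster permissions until a binding grants them, the how-to should present `KubernetesReadOnly` plus namespace-scoped RoleBindings as the default for regular users and reserve `KubernetesFullAccess` for cluster administrators.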
@@ -41,4 +63,9 @@ Applications running inside the cluster aren't authenticated using specific toke 5. Select the API key bearer, enter a description and set the expiration date for the kubeconfig file, then click **Generate kubeconfig**. 6. Download the kubeconfig file and export the path to start using it with `kubectl`. -You can now manage your cluster using `kubectl`. For more information about this tool, refer to the [official kubectl documentation](https://kubernetes.io/docs/reference/kubectl/). \ No newline at end of file +You can now manage your cluster using `kubectl`. For more information about this tool, refer to the [official kubectl documentation](https://kubernetes.io/docs/reference/kubectl/). + + + How to manage a Kosmos cluster + How to connect to a cluster with kubectl + diff --git a/containers/kubernetes/how-to/set-iam-premissions-and-implement-rbac.mdx b/containers/kubernetes/how-to/set-iam-premissions-and-implement-rbac.mdx deleted file mode 100644 index 43b603ea5a..0000000000 --- a/containers/kubernetes/how-to/set-iam-premissions-and-implement-rbac.mdx +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -meta: - title: How to set IAM permissions and implement RBAC on a cluster - description: This page explains how to set IAM permissions and implement RBAC on a cluster -content: - h1: How to set IAM permissions and implement RBAC on a cluster - paragraph: This page explains how to set IAM permissions and implement RBAC on a cluster -tags: kubernetes kapsule-cluser -dates: - validation: 2024-01-03 - posted: 2024-01-03 -categories: - - kubernetes ---- - -Role-based access control (RBAC) is a ntive feature of Kubernetes and a method of regulating access to computer or network resources based on the roles of individual users within your Organization. -The feature is activated on Scaleway Kubernetes Kapsule and Kosmos by default and is compatible with Scaleway's IAM service. -IAM and RBAC work together by integrating the cloud provider's identity and access management with Kubernetes' native RBAC system. This integration ensures that access permissions are consistent across both the cloud infrastructure and the Kubernetes cluster, providing a secure access control mechanism. -It allows you to assign roles to users, groups or `ServicesAccount` via `RoleBindings` and `ClusterRoleBindings`. - -Key components of RBAC in Kubernetes include: - -- **Roles and ClusterRoles:** - - **Roles:** These are specific to a namespace and define a set of permissions for resources within that namespace (e.g., pods, services). - - **ClusterRoles:** These are similar to roles but apply cluster-wide, spanning across all namespaces. -- **RoleBindings and ClusterRoleBindings:** - - **RoleBindings:** These associate a set of permissions defined in a Role with a user, group, or service account within a specific namespace. - - **ClusterRoleBindings:** These associate a set of permissions defined in a ClusterRole with a user, group, or service account across the entire cluster. 
-- **Subjects:** - - A subject in RBAC can be a user, a group, or a service account to which roles or cluster roles are bound. -- **Rules:** - - Rules are sets of permissions associated with roles or cluster roles. They specify what actions are allowed or denied on specific resources. - -## Built-in IAM Permissions - -### KubernetesSystemMastersGroupAccess - -The `KubernetesSystemMastersGroupAccess` permission grants users the ability to manage and modify user groups within the Kubernetes system. Users with this permission can create, update, and delete user groups, which are essential for organizing and controlling access within the cluster. - -### KubernetesFullAccess - -The `KubernetesFullAccess` permission provides access rights to users within the Kubernetes system. It includes permissions for managing namespaces, pods, services, deployments, and other critical resources. Users with `KubernetesFullAccess` have the capability to perform various administrative tasks across the entire cluster. - -## Cluster role "scaleway:cluster-write" - -The `scaleway:cluster-write` cluster role is a custom role that grants users write access to certain cluster-level resources. It is essential to understand the specific permissions associated with this role to ensure users can perform necessary operations without granting unnecessary privileges. -To view the details of this cluster role, use the following command: - -```bash -kubectl get clusterrole scaleway:cluster-write -o yaml -``` - -Review the permissions listed in the YAML output to understand the scope of actions allowed by this role. diff --git a/containers/kubernetes/reference-content/kubernetes-iam-bindings.mdx b/containers/kubernetes/reference-content/kubernetes-iam-bindings.mdx deleted file mode 100644 index fa909b92f1..0000000000 --- a/containers/kubernetes/reference-content/kubernetes-iam-bindings.mdx +++ /dev/null 
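Review bot: `set-iam-premissions-and-implement-rbac.mdx` is removed here and recreated under `reference-content/set-iam-permissions-and-implement-rbac.mdx` in the same patch, but because the content was rewritten git records a delete plus create rather than a rename, so the file loses its history. The old path only appeared two patches earlier in this series, so no redirect is needed, but squashing patches 02 to 04 before merge would avoid landing the misspelled path at all.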
@@ -1,122 +0,0 @@ ---- -meta: - title: Kubernetes IAM bindings - description: This page provides information about the different control plane offers available for Scaleway Kubernetes Kapsule and Kosmos -content: - h1: Kubernetes IAM bindings - paragraph: This page provides information about the different control plane offers available for Scaleway Kubernetes Kapsule and Kosmos -tags: kubernetes control plane control-plane offers dedicated mutualized -dates: - validation: 2023-09-26 - posted: 2023-09-26 -categories: - - kubernetes ---- - -## Situations - -## User has AllProductFullAccess - - - - * `secret_key`: `ae2d4faf-2402-422b-890a-1ce29a45c101` - - * GetAuthContext - * `bearer_id`: `773989c0-607c-4bb8-a5b8-867581b4e8d2 - * `auth_id`: `f1d92007-5825-46f4-8843-8438197a2825`` - - * GetPermissions - * `{ service_name: kubernetes, name: cluster, action: [ read ] }` **GRANTED** - * `{ service_name: kubernetes, name: cluster, action: [ write ] }` **DENIED** - * `{ service_name: kubernetes, name: group_system_masters , action: [ access ] }` **DENIED** - - - ```yaml - { - "apiVersion": "authentication.k8s.io/v1", - "kind": "TokenReview", - "status": { - "authenticated": true, - "user": { - "username": "scaleway:bearer:773989c0-607c-4bb8-a5b8-867581b4e8d2", - "uid": "773989c0-607c-4bb8-a5b8-867581b4e8d2", - "groups": [ - "scaleway:groups:????????", - "scaleway:groups:!!!!!!!!", - ], - }, - } - } - ``` - - - - -Role+Bindings example for Users & Groups - -Example giving all access to a namespace  example-namespace to Group scaleway:groups:3972be4a-43d9-43da-9a55-195f1de9b770:Devops : - ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: devops-example-namespace-full-access - namespace: example-namespace -rules: -- apiGroups: [""] - resources: ["*"] - verbs: ["*"] -- apiGroups: ["extensions"] - resources: ["*"] - verbs: ["*"] - ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: devops-rolebinding - namespace: 
example-namespace -subjects: -- kind: Group - name: scaleway:groups:3972be4a-43d9-43da-9a55-195f1de9b770:Devops - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: Role - name: devops-example-namespace-full-access - apiGroup: rbac.authorization.k8s.io - - - -Example giving read access to a namespace  example-namespace to User scaleway:bearer:773989c0-607c-4bb8-a5b8-867581b4e8d2 : - ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: toto-read - namespace: example-namespace -rules: -- apiGroups: [""] - resources: ["*"] - verbs: ["list", "get"] -- apiGroups: ["extensions"] - resources: ["*"] - verbs: ["list","get"] - ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: toto-rolebinding - namespace: example-namespace -subjects: -- kind: User - name: scaleway:bearer:773989c0-607c-4bb8-a5b8-867581b4e8d2 - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: Role - name: toto-read - apiGroup: rbac.authorization.k8s.io - - \ No newline at end of file diff --git a/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx b/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx new file mode 100644 index 0000000000..c48d4504db --- /dev/null +++ b/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx 
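Review bot: deleting `kubernetes-iam-bindings.mdx` does not remove the `secret_key` value it introduced (`ae2d4faf-2402-422b-890a-1ce29a45c101`) from repository history; if that value was ever a real key, rotate it, and squash this series so the value never reaches the main branch. The namespace-scoped Role and RoleBinding examples from this file (full access for a group, read access for a single bearer) are the most useful part of the page; make sure they are carried into the new reference page, with the `extensions` API group replaced as noted on the earlier hunk.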
@@ -0,0 +1,169 @@ +--- +meta: + title: Setting IAM permissions and implement RBAC on a cluster + description: This page explains how to set IAM permissions and implement RBAC on a cluster +content: + h1: Setting IAM permissions and implement RBAC on a cluster + paragraph: This page explains how to set IAM permissions and implement RBAC on a cluster +tags: kubernetes kapsule-cluser +dates: + validation: 2024-01-09 + posted: 2024-01-09 +categories: + - kubernetes +--- + +Role-based access control (RBAC) is a native feature of Kubernetes and a method of regulating access to computer or network resources based on the roles of individual users within your Organization. +The feature is activated on Scaleway Kubernetes Kapsule and Kosmos by default and is compatible with Scaleway's IAM service. +IAM and RBAC work together by integrating Scaleway’s identity and access management with Kubernetes' native RBAC system. This integration ensures that access permissions are consistent across both the cloud infrastructure and the Kubernetes cluster, providing a secure access control mechanism. +It allows you to assign roles to users, groups or `ServicesAccount` via `RoleBindings` and `ClusterRoleBindings`. + +Key components of RBAC in Kubernetes include: + +- **Roles and ClusterRoles:** + - **Roles:** These are specific to a namespace and define a set of permissions for resources within that namespace (e.g., pods, services). + - **ClusterRoles:** These are similar to roles but apply cluster-wide, spanning across all namespaces. +- **RoleBindings and ClusterRoleBindings:** + - **RoleBindings:** These associate a set of permissions defined in a Role with a user, group, or service account within a specific namespace. + - **ClusterRoleBindings:** These associate a set of permissions defined in a ClusterRole with a user, group, or service account across the entire cluster. 
+- **Subjects:** A subject in RBAC can be a user, a group, or a service account to which roles or cluster roles are bound. +- **Rules:** Rules are sets of permissions associated with roles or cluster roles. They specify what actions are allowed or denied on specific resources. + +RBAC works seamlessly with Scaleway's IAM (Identity and Access Maanagement) system. Refer to [How to manage Kubeconfig files with IAM](/containers/kubernetes/how-to/manage-kubeconfig-with-iam/) for information how to configure IAM permissions for your users. + +## Built-in IAM permissions + + + The cluster administrator can adjust each role's permissions by implementing a role binding for a specific user (e.g. `scaleway:bearer:773989c0-607c-4bb8-a5b8-867581b4e8d2`). This user will then acquire the permissions associated with the role. + It is also possible to adjust the roles permissions by creating a role binding for a group (e.g. `scaleway:groups:773989c0-607c-4bb8-a5b8-867581b4e8d2:devops`). In doing so, all members of that group will be granted the corresponding permissions inherent to the role. + + +### AllProductReadOnly or KubernetesReadOnly + +Users with the `AllProductReadOnly` or `KubernetesReadOnly` permission have no inherent permissions by default. + + + Without the configuration of additional role bindings, users do not possess any operational capabilities within the cluster. + + +### AllProductFullAccess + +The `AllProductFullAccess` permission grants full access to the Kubernetes cluster and all other Scaleway products of the user. Users with this permission can perform actions associated with the `scaleway:cluster-write` binding. + +### AllProductReadOnly (or KubernetesReadOnly) and KubernetesFullAccess: + +The `KubernetesFullAccess` permission provides access rights to users within the Kubernetes system. Users with this permission can perform any actions associated with the `scaleway:cluster-write` binding. 
+ +### AllProductFullAccess (or KubernetesFullAccess) and KubernetesSystemMastersGroupAccess: + +The `KubernetesSystemMastersGroupAccess` permission grants users unrestricted access and they can perform any action on any resource within the Kubernetes cluster. +Users in this group are added to the `system:masters` cluster role. + + + This role overrides any RBAC permissions, allowing users with this role to bypass any restrictions set by other roles. + Due to its extended privileges, assigning the `system:masters` role should be done cautiously and limited to trusted administrators who require unrestricted control over the Kubernetes environment. + + +## Cluster role scaleway:cluster-write + +The custom `scaleway:cluster-write` cluster role, injected during cluster setup, provides users with write permissions for specific cluster-level resources. +Its manifest can be modified within your cluster to configure its permissions according to your specific needs. The default setting, denoted by an asterisk `*`, grants unrestricted access to the resources by default. Adjustments can be made to limit permissions based on your required levels of access. + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scaleway:cluster-write +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +- nonResourceURLs: + - '*' + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: scaleway:cluster-write +subjects: +- kind: Group + name: scaleway:cluster-write +roleRef: + kind: ClusterRole + name: scaleway:cluster-write + apiGroup: rbac.authorization.k8s.io +``` + +### Role and binding examples for users and groups + +The following example grants access to the `example-namespace` namespace for the `Devops` group within the `scaleway:groups:3972be4a-43d9-43da-9a55-195f1de9b770`. It involves creating a role binding. 
This binding aligns the specified group with the necessary permissions, enabling access to resources within the specified namespace. + +```yaml +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: devops-example-namespace-full-access + namespace: example-namespace +rules: +- apiGroups: [""] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["extensions"] + resources: ["*"] + verbs: ["*"] + +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: devops-rolebinding + namespace: example-namespace +subjects: +- kind: Group + name: scaleway:groups:3972be4a-43d9-43da-9a55-195f1de9b770:Devops + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: devops-example-namespace-full-access + apiGroup: rbac.authorization.k8s.io +``` + +The following example provides read access to the `example-namespace` namespace for the user identified as `scaleway:bearer:773989c0-607c-4bb8-a5b8-867581b4e8d2` and involves creating a role binding. This binding associates the specified user with the necessary permissions, allowing the user to read resources within the specified namespace. + +```yaml +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: toto-read + namespace: example-namespace +rules: +- apiGroups: [""] + resources: ["*"] + verbs: ["list", "get"] +- apiGroups: ["extensions"] + resources: ["*"] + verbs: ["list","get"] + +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: toto-rolebinding + namespace: example-namespace +subjects: +- kind: User + name: scaleway:bearer:773989c0-607c-4bb8-a5b8-867581b4e8d2 + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: toto-read + apiGroup: rbac.authorization.k8s.io +``` + +For more information how to use RBAC with your Kubernetes clusters, refer to the official [Kubernetes documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/). \ No newline at end of file 
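Review bot: In the `## Cluster role scaleway:cluster-write` section of this new file, the prose says the role "provides users with write permissions for specific cluster-level resources", but the manifest below it is the same rule set as the built-in `cluster-admin` ClusterRole (`apiGroups: '*'`, `resources: '*'`, `verbs: '*'` plus `nonResourceURLs: '*'`), so everyone mapped to `AllProductFullAccess`/`KubernetesFullAccess` gets full cluster admin, not scoped write access; either narrow the default rules or say plainly that the default is unrestricted and must be tightened by the operator. The same section says the manifest is "injected during cluster setup" and "can be modified within your cluster": state whether the control plane re-applies it (which would silently undo local restrictions) or only creates it once. In the Role examples, `apiGroups: ["extensions"]` grants nothing useful on current Kubernetes (the group has served no resources since 1.22; Deployments live in `apps`, Ingress in `networking.k8s.io`), so a reader who copies the "full access" Role will still be unable to manage Deployments; list the groups the role is meant to cover. Smaller points: the frontmatter title and `h1` read "Setting IAM permissions and implement RBAC" (should be "implementing"), the `tags` line has `kapsule-cluser`, the body has `Identity and Access Maanagement` and `ServicesAccount` (the kind is `ServiceAccount`), two `###` headings end with a stray colon, the `scaleway:cluster-write` binding omits `apiGroup` on its `Group` subject while the later bindings include it (optional, but keep one style), the moved example keeps the placeholder names `toto-read`/`toto-rolebinding`, the closing sentence should read "For more information on how to use RBAC", and the file lacks a trailing newline.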
diff --git a/menu/navigation.json b/menu/navigation.json index 347c9a4ed9..33a6af3a00 100644 --- a/menu/navigation.json +++ b/menu/navigation.json @@ -1382,6 +1382,10 @@ "label": "Manage a Kosmos cluster", "slug": "edit-kosmos-cluster" }, + { + "label": "Manage Kubeconfig files with IAM", + "slug": "manage-kubeconfig-with-iam" + }, { "label": "Connect to a cluster with kubectl", "slug": "connect-cluster-kubectl" @@ -1498,6 +1502,10 @@ "label": "Ensuring resiliency with Multi-AZ clusters", "slug": "multi-az-clusters" }, + { + "label": "Setting IAM permissions and implement RBAC on a cluster", + "slug": "set-iam-permissions-and-implement-rbac" + }, { "label": "Exposing Kubernetes services to the internet", "slug": "exposing-services" From a4762b5fc225db962fbfb4f247f37e1f61312391 Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Tue, 9 Jan 2024 16:20:46 +0100 Subject: [PATCH 05/23] feat(k8s): fix typo --- containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx index c3b83a8396..cc31fca276 100644 --- a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx +++ b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx 
@@ -32,7 +32,7 @@ Scaleway's Identity and Access Management (IAM) is now being used to generate Ku An [IAM policy](https://www.scaleway.com/en/docs/identity-and-access-management/iam/concepts/#policy) defines the permissions for users, groups, and applications within an Organization. It consists of a [principal](https://www.scaleway.com/en/docs/identity-and-access-management/iam/concepts/#principal) (the user, group, or application to which it applies) and IAM rules that specify permission sets and their scope. -The [combination of IAM and Kubernetes RBAC](http://localhost:8003/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) allows to define finely granulated access levels for cluster users. +The [combination of IAM and Kubernetes RBAC](/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) allows to define finely granulated access levels for cluster users. Entering a deprecation cycle, the former authentication system (using static admin tokens) remains active until Q4/2024: all your legacy Kubeconfig files keep access to their clusters for the time being. For security measure you can still make use of the "reset admin token" feature !!!ADD LINK HERE!!!, either through our Kubernetes API or Scaleway’s CLI. From 8db5b02125015b6ae39cb281939519d7780062b5 Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Tue, 9 Jan 2024 16:22:07 +0100 Subject: [PATCH 06/23] Update containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx --- containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx index cc31fca276..1c058dbf81 100644 --- a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx +++ b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx 
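Review bot: The `+` line in this hunk correctly drops the `http://localhost:8003` prefix, but the surrounding context still ships the `!!!ADD LINK HERE!!!` placeholder in the deprecation notice and the phrase "allows to define finely granulated access levels"; both are fixed later in this series (patches 09 and 14), so consider squashing so no intermediate commit publishes a placeholder. Style: the commit subject `feat(k8s): fix typo` uses the `feat` type for a link correction; `docs(k8s):` or `fix(k8s):` matches the rest of the series.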
@@ -36,7 +36,7 @@ The [combination of IAM and Kubernetes RBAC](/containers/kubernetes/reference-co Entering a deprecation cycle, the former authentication system (using static admin tokens) remains active until Q4/2024: all your legacy Kubeconfig files keep access to their clusters for the time being. For security measure you can still make use of the "reset admin token" feature !!!ADD LINK HERE!!!, either through our Kubernetes API or Scaleway’s CLI. - We recommend users to download new unique, identifiable Kubeconfig files with IAM tokens inside. + We recommend to download and use new unique, identifiable Kubeconfig files with IAM tokens inside. From b414214f70670ffd88328b8437ec64812e9518ea Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Tue, 9 Jan 2024 16:22:50 +0100 Subject: [PATCH 07/23] Apply suggestions from code review --- containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx index 1c058dbf81..3cf3675fca 100644 --- a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx +++ b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx 
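Review bot: The `+` line "We recommend to download and use new unique, identifiable Kubeconfig files" is still ungrammatical; "We recommend downloading and using new, unique, identifiable Kubeconfig files" reads correctly. It would also help to say why: per-user Kubeconfig files can be revoked individually and show up under their own identity in audit logs, which is the point made earlier on the page.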
@@ -48,7 +48,7 @@ The [combination of IAM and Kubernetes RBAC](/containers/kubernetes/reference-co ## Setting up access -1. [Create a group](/identity-and-access-management/iam/how-to/create-group/) named `k8s-group` that contains the user and the application, so they are the only ones to have access to Object Storage. +1. [Create a group](/identity-and-access-management/iam/how-to/create-group/) named `k8s-group` that contains the user and the application, so they are the only ones to have access to your cluster. 2. [Create an IAM policy](/identity-and-access-management/iam/how-to/create-policy/) named `k8s-policy` in the Scaleway console, with the previously created group as a [principal](/identity-and-access-management/iam/concepts/#principal). Apply the corresponding IAM policy to the group. For example `KubernetesFullAccess`. Refer to [Setting IAM permissions and implement RBAC on a cluster](/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) for a detailed overview about the available IAM permissions and how to fine-tune them using Kubernetes RBAC. From 6a5b1dfc2578eecd92e3a1e9d614c0f34e4ca29b Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Tue, 9 Jan 2024 16:24:49 +0100 Subject: [PATCH 08/23] Update containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx Co-authored-by: Jessica <113192637+jcirinosclwy@users.noreply.github.com> --- .../set-iam-permissions-and-implement-rbac.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx b/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx index c48d4504db..d34a5a1334 100644 --- a/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx +++ b/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx 
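Review bot: The `+` line fixes the copy-paste from the Object Storage how-to, but step 2 in the unchanged context conflates two objects: it asks the reader to create an IAM policy named `k8s-policy`, then says "Apply the corresponding IAM policy to the group. For example `KubernetesFullAccess`", where `KubernetesFullAccess` is a permission set attached to a rule inside the policy, not a policy. Suggest: "Add a rule to `k8s-policy` that grants the `KubernetesFullAccess` permission set on the Project containing your cluster." The sentence "Apply the corresponding IAM policy to the group" is also redundant once the group is the policy's principal.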
@@ -56,7 +56,7 @@ The `KubernetesFullAccess` permission provides access rights to users within the ### AllProductFullAccess (or KubernetesFullAccess) and KubernetesSystemMastersGroupAccess: -The `KubernetesSystemMastersGroupAccess` permission grants users unrestricted access and they can perform any action on any resource within the Kubernetes cluster. +The `KubernetesSystemMastersGroupAccess` permission grants users unrestricted access, and they can perform any action on any resource within the Kubernetes cluster. Users in this group are added to the `system:masters` cluster role. From 1e1b9cb51e27a3781903e5c994427dc605266420 Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Tue, 9 Jan 2024 16:25:16 +0100 Subject: [PATCH 09/23] Apply suggestions from code review --- containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx index 3cf3675fca..12cbb0b470 100644 --- a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx +++ b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx 
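Review bot: The unchanged context line "Users in this group are added to the `system:masters` cluster role" is inaccurate in a way that matters for operators: `system:masters` is a group, not a ClusterRole, and the API server's bootstrap `cluster-admin` ClusterRoleBinding (re-created on start-up) maps it to `cluster-admin`. Two consequences the section should state: no RoleBinding or ClusterRole edit can restrict a `system:masters` member, and the only way to remove that access is to stop issuing the permission set to the principal and revoke the credential that already carries it. Suggest rewording to "Users with this permission set are placed in the `system:masters` group, which Kubernetes binds to the `cluster-admin` ClusterRole."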
@@ -32,7 +32,7 @@ Scaleway's Identity and Access Management (IAM) is now being used to generate Ku An [IAM policy](https://www.scaleway.com/en/docs/identity-and-access-management/iam/concepts/#policy) defines the permissions for users, groups, and applications within an Organization. It consists of a [principal](https://www.scaleway.com/en/docs/identity-and-access-management/iam/concepts/#principal) (the user, group, or application to which it applies) and IAM rules that specify permission sets and their scope. -The [combination of IAM and Kubernetes RBAC](/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) allows to define finely granulated access levels for cluster users. +The [combination of IAM and Kubernetes RBAC](/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) allows defining fine-grained access levels for cluster users. Entering a deprecation cycle, the former authentication system (using static admin tokens) remains active until Q4/2024: all your legacy Kubeconfig files keep access to their clusters for the time being. For security measure you can still make use of the "reset admin token" feature !!!ADD LINK HERE!!!, either through our Kubernetes API or Scaleway’s CLI. From d0236d7225418929f0937bd3fad4ee067f0566b4 Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Tue, 9 Jan 2024 16:26:20 +0100 Subject: [PATCH 10/23] fix typo --- containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx index 12cbb0b470..c371a91971 100644 --- a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx +++ b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx 
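Review bot: The `+` line's "allows defining fine-grained access levels" is the right fix, but the context lines above it still link the IAM policy and principal concepts with absolute `https://www.scaleway.com/en/docs/...` URLs while this hunk (and patch 05) switched the RBAC link to a site-relative path; use relative paths throughout so the links keep working in previews and in other locales.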
@@ -15,7 +15,7 @@ categories: A Kubeconfig file serves as a repository for essential credentials required to access a Kubernetes cluster and manage deployments. -This file contains critical information, including cluster details, authentication data, and context information, allowing users to oversee and configure their Kubernetes clusters effectively. +This file contains critical information, including cluster details, authentication data, and context information, allowing users to oversee and configure their Kubernetes clusters. Scaleway's Identity and Access Management (IAM) is now being used to generate Kubeconfig files. This integration offers several advantages: From 2b46079fb5e241833dc8c07e1c038a752ce04724 Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Tue, 9 Jan 2024 16:28:30 +0100 Subject: [PATCH 11/23] Update containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx --- .../set-iam-permissions-and-implement-rbac.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx b/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx index d34a5a1334..9e2590e6f4 100644 --- a/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx +++ b/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx 
@@ -101,7 +101,7 @@ roleRef: ### Role and binding examples for users and groups -The following example grants access to the `example-namespace` namespace for the `Devops` group within the `scaleway:groups:3972be4a-43d9-43da-9a55-195f1de9b770`. It involves creating a role binding. This binding aligns the specified group with the necessary permissions, enabling access to resources within the specified namespace. +The following example grants access to the `example-namespace` namespace for the `Devops` group within `scaleway:groups:3972be4a-43d9-43da-9a55-195f1de9b770`. It involves creating a role binding. This binding aligns the specified group with the necessary permissions, enabling access to resources within the specified namespace. ```yaml kind: Role From e729fc719f85388013d06f5da5c8236d3b4fd72b Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Tue, 9 Jan 2024 16:33:01 +0100 Subject: [PATCH 12/23] Apply suggestions from code review Co-authored-by: Jessica <113192637+jcirinosclwy@users.noreply.github.com> --- containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx index c371a91971..f62e227b04 100644 --- a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx +++ b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx 
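Review bot: The `+` line drops a stray "the", but the sentence still leaves the reader without the information needed to build a valid subject name: it shows `scaleway:groups:3972be4a-43d9-43da-9a55-195f1de9b770` without saying what the UUID is or where to find it in the console/API, and the `Devops` suffix in the YAML is capitalised while the earlier example uses `devops`. Document the exact format `scaleway:groups:<id>:<group-name>`, what `<id>` refers to, and whether the name part is case-sensitive, since RBAC subject matching is an exact string comparison.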
@@ -35,7 +35,7 @@ An [IAM policy](https://www.scaleway.com/en/docs/identity-and-access-management/ The [combination of IAM and Kubernetes RBAC](/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) allows defining fine-grained access levels for cluster users. - Entering a deprecation cycle, the former authentication system (using static admin tokens) remains active until Q4/2024: all your legacy Kubeconfig files keep access to their clusters for the time being. For security measure you can still make use of the "reset admin token" feature !!!ADD LINK HERE!!!, either through our Kubernetes API or Scaleway’s CLI. + Entering a deprecation cycle, the former authentication system (using static admin tokens) remains active until Q4/2024: all your legacy Kubeconfig files keep access to their clusters for the time being. For security measure, you can still use the "reset admin token" feature !!!ADD LINK HERE!!!, either through our Kubernetes API or Scaleway’s CLI. We recommend to download and use new unique, identifiable Kubeconfig files with IAM tokens inside. 
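Review bot: The `+` line still reads "For security measure, you can still use the "reset admin token" feature"; "As a security measure" (or "For security purposes", which patch 15 later adopts) is the idiomatic form. The sentence should also say what the reset does to existing legacy Kubeconfig files, since that is the reader's actual question when rotating after a departure.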
@@ -49,7 +49,7 @@ The [combination of IAM and Kubernetes RBAC](/containers/kubernetes/reference-co ## Setting up access 1. [Create a group](/identity-and-access-management/iam/how-to/create-group/) named `k8s-group` that contains the user and the application, so they are the only ones to have access to your cluster. -2. [Create an IAM policy](/identity-and-access-management/iam/how-to/create-policy/) named `k8s-policy` in the Scaleway console, with the previously created group as a [principal](/identity-and-access-management/iam/concepts/#principal). Apply the corresponding IAM policy to the group. For example `KubernetesFullAccess`. +2. [Create an IAM policy](/identity-and-access-management/iam/how-to/create-policy/) named `k8s-policy` in the Scaleway console, with the previously created group as a [principal](/identity-and-access-management/iam/concepts/#principal). Apply the corresponding IAM policy to the group. For example, `KubernetesFullAccess`. Refer to [Setting IAM permissions and implement RBAC on a cluster](/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) for a detailed overview about the available IAM permissions and how to fine-tune them using Kubernetes RBAC. From 52d77a9b3539fa373c1dce8e290b381f19abb6fc Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Tue, 9 Jan 2024 16:34:19 +0100 Subject: [PATCH 13/23] Apply suggestions from code review Co-authored-by: nerda-codes <87707325+nerda-codes@users.noreply.github.com> --- containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx | 2 +- .../set-iam-permissions-and-implement-rbac.mdx | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx index f62e227b04..46883ec976 100644 --- a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx +++ b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx 
@@ -22,7 +22,7 @@ Scaleway's Identity and Access Management (IAM) is now being used to generate Ku - **Improved user administration:** - When removing a cluster user, there is no longer a need to reset the admin token, mitigating security risks. - **Increased Cluster Security:** - - Each user possesses a unique credential, enhancing security. + - Each user has unique credentials, enhancing security. - Audit logs facilitate the identification of specific Kubernetes users. - **Enhanced Application Security:** - Applications within the cluster are authenticated using specific tokens. diff --git a/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx b/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx index 9e2590e6f4..0a152e1a56 100644 --- a/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx +++ b/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx 
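Review bot: The `+` line "Each user has unique credentials, enhancing security" is fine, but the following bullet "Audit logs facilitate the identification of specific Kubernetes users" would be more useful if it told operators what to look for: the IAM identity appears as the `scaleway:bearer:<id>` user name used in the RoleBinding examples, so naming that field in the audit event (`user.username`) turns the claim into something a SOC can actually query.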
@@ -24,7 +24,7 @@ Key components of RBAC in Kubernetes include: - **Roles:** These are specific to a namespace and define a set of permissions for resources within that namespace (e.g., pods, services). - **ClusterRoles:** These are similar to roles but apply cluster-wide, spanning across all namespaces. - **RoleBindings and ClusterRoleBindings:** - - **RoleBindings:** These associate a set of permissions defined in a Role with a user, group, or service account within a specific namespace. + - **RoleBindings:** These associate a set of permissions defined in a role with a user, group, or service account within a specific namespace. - **ClusterRoleBindings:** These associate a set of permissions defined in a ClusterRole with a user, group, or service account across the entire cluster. - **Subjects:** A subject in RBAC can be a user, a group, or a service account to which roles or cluster roles are bound. - **Rules:** Rules are sets of permissions associated with roles or cluster roles. They specify what actions are allowed or denied on specific resources. @@ -35,7 +35,7 @@ RBAC works seamlessly with Scaleway's IAM (Identity and Access Maanagement) syst The cluster administrator can adjust each role's permissions by implementing a role binding for a specific user (e.g. `scaleway:bearer:773989c0-607c-4bb8-a5b8-867581b4e8d2`). This user will then acquire the permissions associated with the role. - It is also possible to adjust the roles permissions by creating a role binding for a group (e.g. `scaleway:groups:773989c0-607c-4bb8-a5b8-867581b4e8d2:devops`). In doing so, all members of that group will be granted the corresponding permissions inherent to the role. + It is also possible to adjust the roles permissions by creating a role binding for a group (e.g. `scaleway:groups:773989c0-607c-4bb8-a5b8-867581b4e8d2:devops`). In doing so, all members of that group will be granted the permissions inherent to the role. ### AllProductReadOnly or KubernetesReadOnly 
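Review bot: In the second hunk (`@@ -35,7`), the `+` line keeps the possessive error "adjust the roles permissions" (should be "the role's permissions"), and the `@@` header context shows `Identity and Access Maanagement`, a typo that no patch in this series corrects. In the first hunk, lowercasing "Role" to "role" in the RoleBindings bullet while the next bullet keeps "ClusterRole" is inconsistent; since both are API kinds, use backticked `Role` and `ClusterRole` in both bullets.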
From 512801122cb76eb9a095d833aa89b635b042856f Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Tue, 9 Jan 2024 16:36:22 +0100 Subject: [PATCH 14/23] added link --- containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx index 46883ec976..38f2c09dbc 100644 --- a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx +++ b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx @@ -35,7 +35,7 @@ An [IAM policy](https://www.scaleway.com/en/docs/identity-and-access-management/ The [combination of IAM and Kubernetes RBAC](/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) allows defining fine-grained access levels for cluster users. - Entering a deprecation cycle, the former authentication system (using static admin tokens) remains active until Q4/2024: all your legacy Kubeconfig files keep access to their clusters for the time being. For security measure, you can still use the "reset admin token" feature !!!ADD LINK HERE!!!, either through our Kubernetes API or Scaleway’s CLI. + Entering a deprecation cycle, the former authentication system (using static admin tokens) remains active until Q4/2024: all your legacy Kubeconfig files keep access to their clusters for the time being. For security measure, you can still use the ["reset admin token" feature](/containers/kubernetes/how-to/revoke-kubeconfig/), either through our Kubernetes API or Scaleway’s CLI. We recommend to download and use new unique, identifiable Kubeconfig files with IAM tokens inside. From 4868e27e969046d0f1e3133072d65184a67d4bc9 Mon Sep 17 00:00:00 2001 
From: Benedikt Rollik Date: Tue, 9 Jan 2024 17:48:03 +0100 Subject: [PATCH 15/23] Apply suggestions from code review Co-authored-by: ldecarvalho-doc <82805470+ldecarvalho-doc@users.noreply.github.com> --- .../kubernetes/how-to/manage-kubeconfig-with-iam.mdx | 2 +- .../set-iam-permissions-and-implement-rbac.mdx | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx index 38f2c09dbc..f62d00d36e 100644 --- a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx +++ b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx @@ -35,7 +35,7 @@ An [IAM policy](https://www.scaleway.com/en/docs/identity-and-access-management/ The [combination of IAM and Kubernetes RBAC](/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) allows defining fine-grained access levels for cluster users. - Entering a deprecation cycle, the former authentication system (using static admin tokens) remains active until Q4/2024: all your legacy Kubeconfig files keep access to their clusters for the time being. For security measure, you can still use the ["reset admin token" feature](/containers/kubernetes/how-to/revoke-kubeconfig/), either through our Kubernetes API or Scaleway’s CLI. + Entering a deprecation cycle, the former authentication system (using static admin tokens) remains active until the second half of 2024: all your legacy Kubeconfig files keep access to their clusters for the time being. For security purposes, you can still use the ["reset admin token" feature](/containers/kubernetes/how-to/revoke-kubeconfig/), either through our Kubernetes API or Scaleway’s CLI. We recommend to download and use new unique, identifiable Kubeconfig files with IAM tokens inside. 
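Review bot: The `+` line changes the deprecation deadline from "until Q4/2024" to "until the second half of 2024", which is less precise and ambiguous (does static-token access end at the start or the end of H2?). Customers will plan credential rotation around this sentence, so either state a firm date or say "until at least <date>; see the changelog for the final date", and keep it consistent with the deprecation notice elsewhere.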
diff --git a/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx b/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx index 0a152e1a56..6c597ab09e 100644 --- a/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx +++ b/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx @@ -13,7 +13,7 @@ categories: - kubernetes --- -Role-based access control (RBAC) is a native feature of Kubernetes and a method of regulating access to computer or network resources based on the roles of individual users within your Organization. +Role-based access control (RBAC) is a native feature of Kubernetes and a method of regulating access to compute or network resources based on the roles of individual users within your Organization. The feature is activated on Scaleway Kubernetes Kapsule and Kosmos by default and is compatible with Scaleway's IAM service. IAM and RBAC work together by integrating Scaleway’s identity and access management with Kubernetes' native RBAC system. This integration ensures that access permissions are consistent across both the cloud infrastructure and the Kubernetes cluster, providing a secure access control mechanism. It allows you to assign roles to users, groups or `ServicesAccount` via `RoleBindings` and `ClusterRoleBindings`. @@ -40,7 +40,7 @@ RBAC works seamlessly with Scaleway's IAM (Identity and Access Maanagement) syst ### AllProductReadOnly or KubernetesReadOnly -Users with the `AllProductReadOnly` or `KubernetesReadOnly` permission have no inherent permissions by default. +Users with the `AllProductReadOnly` or `KubernetesReadOnly` permission set have no inherent permissions by default. Without the configuration of additional role bindings, users do not possess any operational capabilities within the cluster. 
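Review bot: In the second hunk (`@@ -40,7`), the `+` line "Users with the `AllProductReadOnly` or `KubernetesReadOnly` permission set have no inherent permissions by default" reads as a contradiction (a read-only permission that grants nothing). Spell out the two layers: the IAM permission set lets the user retrieve a Kubeconfig, but the resulting Kubernetes identity has no RoleBinding, so it cannot read or change anything in the cluster until an administrator binds a role to `scaleway:bearer:<id>` or to the user's group. In the first hunk, "compute or network resources" is the right fix.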
@@ -48,11 +48,11 @@ Users with the `AllProductReadOnly` or `KubernetesReadOnly` permission have no i ### AllProductFullAccess -The `AllProductFullAccess` permission grants full access to the Kubernetes cluster and all other Scaleway products of the user. Users with this permission can perform actions associated with the `scaleway:cluster-write` binding. +The `AllProductFullAccess` permission set grants full access to the Kubernetes cluster and all other Scaleway products of the user. Users with this permission set can perform actions associated with the `scaleway:cluster-write` binding. ### AllProductReadOnly (or KubernetesReadOnly) and KubernetesFullAccess: -The `KubernetesFullAccess` permission provides access rights to users within the Kubernetes system. Users with this permission can perform any actions associated with the `scaleway:cluster-write` binding. +The `KubernetesFullAccess` permission set provides access rights to users within the Kubernetes system. Users with this permission set can perform any actions associated with the `scaleway:cluster-write` binding. ### AllProductFullAccess (or KubernetesFullAccess) and KubernetesSystemMastersGroupAccess: @@ -60,7 +60,7 @@ The `KubernetesSystemMastersGroupAccess` permission grants users unrestricted ac Users in this group are added to the `system:masters` cluster role. - This role overrides any RBAC permissions, allowing users with this role to bypass any restrictions set by other roles. + The `system:masters` role overrides any RBAC permissions, allowing users with this role to bypass any restrictions set by other roles. Due to its extended privileges, assigning the `system:masters` role should be done cautiously and limited to trusted administrators who require unrestricted control over the Kubernetes environment. From 6451b43ebac7c2d8cdd08c87c23f8eb1b2b57797 Mon Sep 17 00:00:00 2001 
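Review bot: The rename to "permission set" in the first hunk (`@@ -48,11`) is applied inconsistently: the `@@ -60,7` header context still reads "The `KubernetesSystemMastersGroupAccess` permission grants users unrestricted access", and the heading "AllProductFullAccess (or KubernetesFullAccess) and KubernetesSystemMastersGroupAccess:" keeps its trailing colon. In the second hunk, the `+` line "The `system:masters` role overrides any RBAC permissions" perpetuates the group/role mix-up; "The `system:masters` group is bound to `cluster-admin` and is not restricted by any other binding" is both accurate and conveys the warning.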
From: Benedikt Rollik Date: Tue, 9 Jan 2024 17:48:27 +0100 Subject: [PATCH 16/23] Apply suggestions from code review Co-authored-by: ldecarvalho-doc <82805470+ldecarvalho-doc@users.noreply.github.com> --- .../set-iam-permissions-and-implement-rbac.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx b/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx index 6c597ab09e..28af5798fe 100644 --- a/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx +++ b/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx @@ -15,7 +15,7 @@ categories: Role-based access control (RBAC) is a native feature of Kubernetes and a method of regulating access to compute or network resources based on the roles of individual users within your Organization. The feature is activated on Scaleway Kubernetes Kapsule and Kosmos by default and is compatible with Scaleway's IAM service. -IAM and RBAC work together by integrating Scaleway’s identity and access management with Kubernetes' native RBAC system. This integration ensures that access permissions are consistent across both the cloud infrastructure and the Kubernetes cluster, providing a secure access control mechanism. +IAM and RBAC work together by integrating Scaleway’s Identity and Access Management with Kubernetes' native RBAC system. This integration ensures that access permissions are consistent across both the cloud infrastructure and the Kubernetes cluster, providing a secure access control mechanism. It allows you to assign roles to users, groups or `ServicesAccount` via `RoleBindings` and `ClusterRoleBindings`. Key components of RBAC in Kubernetes include: From 1edbe0b4606a76cc84c9399bc3255b3071206cfa Mon Sep 17 00:00:00 2001 
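Review bot: The `+` line's capitalisation fix is fine, but the unchanged context line directly below it still says "assign roles to users, groups or `ServicesAccount` via `RoleBindings` and `ClusterRoleBindings`"; the kind is `ServiceAccount`, and the binding kinds are singular (`RoleBinding`, `ClusterRoleBinding`). Since these are copy-pasted into manifests, fix them in the same hunk.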
From: Benedikt Rollik Date: Wed, 10 Jan 2024 14:28:18 +0100 Subject: [PATCH 17/23] fixed permission set order --- .../set-iam-permissions-and-implement-rbac.mdx | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx b/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx index 28af5798fe..664c26025f 100644 --- a/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx +++ b/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx @@ -31,7 +31,7 @@ Key components of RBAC in Kubernetes include: RBAC works seamlessly with Scaleway's IAM (Identity and Access Maanagement) system. Refer to [How to manage Kubeconfig files with IAM](/containers/kubernetes/how-to/manage-kubeconfig-with-iam/) for information how to configure IAM permissions for your users. -## Built-in IAM permissions +## Built-in IAM permission sets The cluster administrator can adjust each role's permissions by implementing a role binding for a specific user (e.g. `scaleway:bearer:773989c0-607c-4bb8-a5b8-867581b4e8d2`). This user will then acquire the permissions associated with the role. 
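Review bot: the context line directly above the renamed heading in the `@@ -31,7 +31,7 @@` hunk still carries the typo `Identity and Access Maanagement` and the phrase `for information how to configure` is missing "on"; both are worth fixing in the same change. More substantively, the sentence under `## Built-in IAM permission sets` says the administrator "can adjust each role's permissions by implementing a role binding for a specific user", which conflates two different objects: a RoleBinding does not change what a role permits, it grants the named subject (here the `scaleway:bearer:773989c0-607c-4bb8-a5b8-867581b4e8d2` principal) the permissions that role already carries. Reword to "can grant a user the permissions of a role by creating a role binding for that user", so readers do not edit a ClusterRole when they meant to bind one.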
@@ -46,14 +46,10 @@ Users with the `AllProductReadOnly` or `KubernetesReadOnly` permission set have Without the configuration of additional role bindings, users do not possess any operational capabilities within the cluster. -### AllProductFullAccess +### AllProductFullAccess or KubernetesFullAccess The `AllProductFullAccess` permission set grants full access to the Kubernetes cluster and all other Scaleway products of the user. Users with this permission set can perform actions associated with the `scaleway:cluster-write` binding. -### AllProductReadOnly (or KubernetesReadOnly) and KubernetesFullAccess: - -The `KubernetesFullAccess` permission set provides access rights to users within the Kubernetes system. Users with this permission set can perform any actions associated with the `scaleway:cluster-write` binding. - ### AllProductFullAccess (or KubernetesFullAccess) and KubernetesSystemMastersGroupAccess: The `KubernetesSystemMastersGroupAccess` permission grants users unrestricted access, and they can perform any action on any resource within the Kubernetes cluster. From fce331fff021e58ea81468168187a719a58e6bcc Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Fri, 12 Jan 2024 13:57:13 +0100 Subject: [PATCH 18/23] add link --- containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx index f62d00d36e..5b80034b48 100644 --- a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx +++ b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx 
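Review bot: the new heading `### AllProductFullAccess or KubernetesFullAccess` in the `@@ -46,14 +46,10 @@` hunk is now followed only by the `AllProductFullAccess` sentence; with the `KubernetesFullAccess` section deleted, the one fact that distinguished it (same `scaleway:cluster-write` binding, but scoped to Kubernetes rather than "all other Scaleway products of the user") is lost. Add one sentence under the merged heading, for example: "The `KubernetesFullAccess` permission set grants the same `scaleway:cluster-write` rights, limited to Kubernetes." The remaining heading `### AllProductFullAccess (or KubernetesFullAccess) and KubernetesSystemMastersGroupAccess:` keeps its trailing colon, and the `KubernetesSystemMastersGroupAccess` context line still says "permission" where the page now says "permission set".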
@@ -26,13 +26,13 @@ Scaleway's Identity and Access Management (IAM) is now being used to generate Ku - Audit logs facilitate the identification of specific Kubernetes users. - **Enhanced Application Security:** - Applications within the cluster are authenticated using specific tokens. - - This authentication method is particularly useful when a pod needs to interact with the Kubernetes API, as it can authenticate using its associated Service Account. + - This authentication method is particularly useful when a pod needs to interact with the Kubernetes API, as it can authenticate using its associated [Service Account](https://kubernetes.io/docs/concepts/security/service-accounts/). [Identity and Access Management (IAM)](https://www.scaleway.com/en/docs/identity-and-access-management/iam/concepts/#iam) provides control over resource access. IAM policies enable the configuration of permissions for Kubernetes Kapsule clusters at the Project level. An [IAM policy](https://www.scaleway.com/en/docs/identity-and-access-management/iam/concepts/#policy) defines the permissions for users, groups, and applications within an Organization. It consists of a [principal](https://www.scaleway.com/en/docs/identity-and-access-management/iam/concepts/#principal) (the user, group, or application to which it applies) and IAM rules that specify permission sets and their scope. -The [combination of IAM and Kubernetes RBAC](/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) allows defining fine-grained access levels for cluster users. +The [combination of IAM and Kubernetes RBAC (Role-based Acccess Control)](/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) allows defining fine-grained access levels for cluster users. 
Entering a deprecation cycle, the former authentication system (using static admin tokens) remains active until the second half of 2024: all your legacy Kubeconfig files keep access to their clusters for the time being. For security purposes, you can still use the ["reset admin token" feature](/containers/kubernetes/how-to/revoke-kubeconfig/), either through our Kubernetes API or Scaleway’s CLI. From 2081f997f7fa8c1f47794b9a0a53889c0e78c687 Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Thu, 4 Jul 2024 11:49:46 +0200 Subject: [PATCH 19/23] Apply suggestions from code review --- containers/kubernetes/how-to/connect-cluster-kubectl.mdx | 8 -------- 1 file changed, 8 deletions(-) diff --git a/containers/kubernetes/how-to/connect-cluster-kubectl.mdx b/containers/kubernetes/how-to/connect-cluster-kubectl.mdx index cc7634827d..1f41d4bcc7 100644 --- a/containers/kubernetes/how-to/connect-cluster-kubectl.mdx +++ b/containers/kubernetes/how-to/connect-cluster-kubectl.mdx @@ -42,11 +42,3 @@ Once your [cluster is created](/containers/kubernetes/how-to/create-cluster/), a kubectl get nodes ``` -<<<<<<< HEAD - -======= - - How to manage Kubeconfig files with IAM - How to deploy an image from Container Registry - ->>>>>>> 17c4e486d (feat(k8s): iam and rbac) From 1d8177a226c5429bb8159db90899c354ef8d4ec4 Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Thu, 4 Jul 2024 11:50:10 +0200 Subject: [PATCH 20/23] Update containers/kubernetes/how-to/edit-kosmos-cluster.mdx --- containers/kubernetes/how-to/edit-kosmos-cluster.mdx | 7 ------- 1 file changed, 7 deletions(-) diff --git a/containers/kubernetes/how-to/edit-kosmos-cluster.mdx b/containers/kubernetes/how-to/edit-kosmos-cluster.mdx index acfee21145..bd40254dc9 100644 --- a/containers/kubernetes/how-to/edit-kosmos-cluster.mdx +++ b/containers/kubernetes/how-to/edit-kosmos-cluster.mdx 
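Review bot: the `+` line in the `@@ -26,13 +26,13 @@` hunk of `manage-kubeconfig-with-iam.mdx` introduces the typo `Acccess` in `RBAC (Role-based Acccess Control)`; correct it to `Access` before merge, since this link text is carried forward into later commits in the series. Linking `Service Account` to the upstream Kubernetes documentation is a good change.

Review bot: the `@@ -42,11 +42,3 @@` hunk in `connect-cluster-kubectl.mdx` resolves the leftover `<<<<<<< HEAD` / `>>>>>>> 17c4e486d (feat(k8s): iam and rbac)` conflict by deleting both sides, which also drops the `How to manage Kubeconfig files with IAM` and `How to deploy an image from Container Registry` cross-links that the `feat(k8s): iam and rbac` side had added. If those links were intended, re-add them without the conflict markers instead of removing the block; if they were not, the hunk is fine as is. The commit message "Apply suggestions from code review" does not say which, so a one-line explanation would help.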
@@ -112,10 +112,3 @@ The Kubernetes version of the existing nodes in your multi-cloud pool can be upg 4. Detach the older node in Scaleway API. -<<<<<<< HEAD -======= - - How to create a Kosmos cluster - How to manage Kubeconfig files with IAM - ->>>>>>> 17c4e486d (feat(k8s): iam and rbac) From 99a7a13e8df142742dce5a0d83ecf53c2556bd9b Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Tue, 30 Jul 2024 11:40:24 +0200 Subject: [PATCH 21/23] feat(k8s): update content --- .../how-to/manage-kubeconfig-with-iam.mdx | 13 ++++--------- .../set-iam-permissions-and-implement-rbac.mdx | 8 ++++---- 2 files changed, 8 insertions(+), 13 deletions(-) diff --git a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx index 5b80034b48..8e0d6c4ff0 100644 --- a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx +++ b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx @@ -1,14 +1,14 @@ --- meta: title: How to manage Kubeconfig files with IAM - description: This page explains how to manage Kubeconfig files with IAM + description: This page explains how to manage Scaleway Kubeconfig files with IAM content: h1: How to manage Kubeconfig files with IAM - paragraph: This page explains how to manage Kubeconfig files with IAM + paragraph: This page explains how to manage Scaleway Kubeconfig files with IAM tags: kubernetes kapsule-cluser dates: - validation: 2024-01-09 - posted: 2024-01-09 + validation: 2024-07-30 + posted: 2024-07- categories: - kubernetes --- @@ -64,8 +64,3 @@ The [combination of IAM and Kubernetes RBAC (Role-based Acccess Control)](/conta 6. Download the kubeconfig file and export the path to start using it with `kubectl`. You can now manage your cluster using `kubectl`. For more information about this tool, refer to the [official kubectl documentation](https://kubernetes.io/docs/reference/kubectl/). - - - How to manage a Kosmos cluster - How to connect to a cluster with kubectl - 
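Review bot: the `@@ -112,10 +112,3 @@` hunk in `edit-kosmos-cluster.mdx` has the same issue as the previous patch: the unresolved conflict markers are removed by discarding both sides, including the `How to create a Kosmos cluster` and `How to manage Kubeconfig files with IAM` links from the `17c4e486d` side. Confirm the links are meant to go, or re-add them outside the markers.

Review bot: the `@@ -1,14 +1,14 @@` hunk of `manage-kubeconfig-with-iam.mdx` in this patch introduces a truncated value, `posted: 2024-07-`, which is not a valid date and will break any front-matter parsing of `dates`. Separately, `posted` is rewritten from `2024-01-09` to July; `validation` is the field meant to move on each review, while `posted` should keep the original publication date. The context line `tags: kubernetes kapsule-cluser` also carries a typo (`cluser`) that could be fixed here.

Review bot: the `@@ -64,8 +64,3 @@` hunk removes the `How to manage a Kosmos cluster` and `How to connect to a cluster with kubectl` links at the end of the page without any mention in the commit message ("feat(k8s): update content"); if the related-pages block is being dropped on purpose, say so, otherwise keep it.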
diff --git a/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx b/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx index 664c26025f..d42eafe2ec 100644 --- a/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx +++ b/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx @@ -1,14 +1,14 @@ --- meta: title: Setting IAM permissions and implement RBAC on a cluster - description: This page explains how to set IAM permissions and implement RBAC on a cluster + description: This page explains how to set IAM permissions and implement RBAC on a Scaleway Kubernetes cluster content: h1: Setting IAM permissions and implement RBAC on a cluster - paragraph: This page explains how to set IAM permissions and implement RBAC on a cluster + paragraph: This page explains how to set IAM permissions and implement RBAC on a Scaleway Kubernetes cluster tags: kubernetes kapsule-cluser dates: - validation: 2024-01-09 - posted: 2024-01-09 + validation: 2024-07-30 + posted: 2024-07-30 categories: - kubernetes --- From ff9016605097950c90f420b9093a62cf0a337c1d Mon Sep 17 00:00:00 2001 From: Benedikt Rollik Date: Mon, 4 Nov 2024 13:32:39 +0100 Subject: [PATCH 22/23] Update containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx --- containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx index 8e0d6c4ff0..854f7bd05e 100644 --- a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx +++ b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx 
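Review bot: in the `@@ -1,14 +1,14 @@` hunk of `set-iam-permissions-and-implement-rbac.mdx`, `posted` is again moved from `2024-01-09` to `2024-07-30` along with `validation`; only `validation` should change on a review pass. The context lines `title: Setting IAM permissions and implement RBAC on a cluster` and `h1: Setting IAM permissions and implement RBAC on a cluster` mix verb forms ("Setting ... and implement"); "Setting IAM permissions and implementing RBAC on a cluster" reads correctly. The `tags: kubernetes kapsule-cluser` typo is present here too.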
@@ -7,8 +7,8 @@ content: paragraph: This page explains how to manage Scaleway Kubeconfig files with IAM tags: kubernetes kapsule-cluser dates: - validation: 2024-07-30 - posted: 2024-07- + validation: 2024-11-05 + posted: 2024-11-05 categories: - kubernetes --- From 0934512cdad17db988c2101aec2e58223bf1105d Mon Sep 17 00:00:00 2001 From: Jessica <113192637+jcirinosclwy@users.noreply.github.com> Date: Mon, 2 Dec 2024 13:41:42 +0100 Subject: [PATCH 23/23] Apply suggestions from code review Co-authored-by: Rowena Jones <36301604+RoRoJ@users.noreply.github.com> --- .../kubernetes/how-to/manage-kubeconfig-with-iam.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx index 854f7bd05e..3c499cde8a 100644 --- a/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx +++ b/containers/kubernetes/how-to/manage-kubeconfig-with-iam.mdx @@ -21,10 +21,10 @@ Scaleway's Identity and Access Management (IAM) is now being used to generate Ku - **Improved user administration:** - When removing a cluster user, there is no longer a need to reset the admin token, mitigating security risks. -- **Increased Cluster Security:** +- **Increased cluster security:** - Each user has unique credentials, enhancing security. - Audit logs facilitate the identification of specific Kubernetes users. -- **Enhanced Application Security:** +- **Enhanced application security:** - Applications within the cluster are authenticated using specific tokens. - This authentication method is particularly useful when a pod needs to interact with the Kubernetes API, as it can authenticate using its associated [Service Account](https://kubernetes.io/docs/concepts/security/service-accounts/). 
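Review bot: the `@@ -7,8 +7,8 @@` hunk fixes the truncated `posted: 2024-07-` value from the previous patch, which is the right correction, but it sets `posted` to `2024-11-05` rather than restoring the original `2024-01-09`; `posted` should be the first publication date and only `validation` should advance. The `tags: kubernetes kapsule-cluser` context line still has the `cluser` typo.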
@@ -32,11 +32,11 @@ Scaleway's Identity and Access Management (IAM) is now being used to generate Ku An [IAM policy](https://www.scaleway.com/en/docs/identity-and-access-management/iam/concepts/#policy) defines the permissions for users, groups, and applications within an Organization. It consists of a [principal](https://www.scaleway.com/en/docs/identity-and-access-management/iam/concepts/#principal) (the user, group, or application to which it applies) and IAM rules that specify permission sets and their scope. -The [combination of IAM and Kubernetes RBAC (Role-based Acccess Control)](/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) allows defining fine-grained access levels for cluster users. +The [combination of IAM and Kubernetes RBAC (Role-based Acccess Control)](/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) allows you to define fine-grained access levels for cluster users. Entering a deprecation cycle, the former authentication system (using static admin tokens) remains active until the second half of 2024: all your legacy Kubeconfig files keep access to their clusters for the time being. For security purposes, you can still use the ["reset admin token" feature](/containers/kubernetes/how-to/revoke-kubeconfig/), either through our Kubernetes API or Scaleway’s CLI. - We recommend to download and use new unique, identifiable Kubeconfig files with IAM tokens inside. + We recommend that you download and use new unique, identifiable Kubeconfig files with IAM tokens inside.
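Review bot: the `+` line in the `@@ -32,11 +32,11 @@` hunk keeps the typo `Acccess` in `RBAC (Role-based Acccess Control)` that was introduced earlier in the series; since the line is being edited anyway, fix the spelling here. The unchanged context line states that static admin tokens "remain active until the second half of 2024", but this commit is dated 2 Dec 2024, so that deadline is already past when the suggestion is applied; confirm the current end date of the deprecation cycle with the product team and update the sentence, because readers rely on it to decide whether legacy Kubeconfig files still work. The wording change in the recommendation sentence is fine.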