KubeVela v1.4 introduces an Authentication & Authorization mechanism. It lets applications dispatch and manage resources using the identity of the application's creator or last modifier. With this feature you can limit what KubeVela users and applications are allowed to access and isolate the spaces they work in, which makes your KubeVela system safer.
To enable Authentication & Authorization in your KubeVela system, do the following:

1. Delete the ClusterRoleBinding whose name ends with `vela-core:manager-rolebinding`. Usually you can do it with:

   ```shell
   kubectl delete ClusterRoleBinding kubevela-vela-core:manager-rolebinding
   ```

2. Upgrade the controller and wait for the installation to finish:

   ```shell
   helm upgrade --install kubevela kubevela/vela-core --create-namespace -n vela-system --set authentication.enabled=true --set authentication.withUser=true --wait
   ```

3. Make sure your Vela CLI is v1.4.1 or later; refer to the installation guide.

4. (Optional) Install vela-prism by running the following commands, which lets you use the advanced API extensions in KubeVela:

   ```shell
   helm repo add prism https://charts.kubevela.net/prism
   helm repo update
   helm install vela-prism prism/vela-prism -n vela-system
   ```
- Before we start, assume we already have two managed clusters joined in KubeVela; the steps below refer to them as `c2` and `c3`. You can refer to the multi-cluster document to see how to join managed clusters into the KubeVela control plane.
- Let's start with a new user named Alice. As the system administrator, you can assign a KubeConfig for Alice to use.
- With the given KubeConfig, Alice is not yet able to do anything in the cluster. We can grant her read/write privileges on resources in the `dev` namespace of the control plane and of the managed cluster.
- We can check Alice's privileges with the following command. Alice does not have any privilege in the local cluster, while she has read/write capability in the `dev` namespace of cluster `c2`.
- Alice can now create an application in the `dev` namespace. The application can also dispatch resources into the `dev` namespace of the managed cluster she was granted access to.
- Alice can see that the application is successfully deployed.
- If Alice wants to access resources outside the `dev` namespace, she will be forbidden from doing so.
- If Alice tries to create an application in the `dev` namespace that intends to dispatch resources into cluster `c3` (where Alice does not have privileges), the application will not be able to do so.
  Alice creates the application.
  When Alice checks the status of `podinfo-bad`, the error message is shown.
- Let's create a new KubeConfig for another new user, Bob. Bob will only be granted read-only privileges for the resources in the `dev` namespace of the control plane and of the managed cluster.
- User Bob can see the applications and their status in the `dev` namespace.
- But he is forbidden from performing any mutating action, such as deleting an application in the `dev` namespace.
- By contrast, user Alice can delete the application.
- (Optional) After `vela-prism` is installed, you will be able to list the resources of the application with the following command. Notice that if `vela-prism` is not installed, Alice and Bob will be forbidden from running this listing command.
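The walkthrough above can be summarised as an access matrix: Alice may create, read and delete in `dev` on the control plane and on `c2`, Bob may only read there, and neither may touch `c3` or any other namespace. The following is an added example (not code from the KubeVela project or from this guide) that models that matrix with plain Kubernetes RBAC objects and a minimal evaluator, then replays the guide's steps: the successful `podinfo` application targeting `c2`, the rejected `podinfo-bad` targeting `c3`, and Bob's read-only checks. The Role/RoleBinding names, the `grant_privileges` helper and the container image are assumptions; KubeVela's real objects are created by `vela auth grant-privileges` and are not reproduced here. The Application manifest uses KubeVela's real `topology` policy shape.

```python
# Added example, not from the KubeVela docs: models the access matrix the guide sets up.
# Role/RoleBinding names, grant_privileges() and the evaluator are assumptions, not
# KubeVela's implementation.
from typing import Dict, List

RBAC_API = "rbac.authorization.k8s.io"
READ_VERBS = ["get", "list", "watch"]
WRITE_VERBS = READ_VERBS + ["create", "update", "patch", "delete"]


def role_manifest(name: str, namespace: str, readonly: bool) -> dict:
    """Namespaced Role granting read or read/write on every resource in the namespace."""
    verbs = READ_VERBS if readonly else WRITE_VERBS
    return {
        "apiVersion": f"{RBAC_API}/v1", "kind": "Role",
        "metadata": {"name": name, "namespace": namespace},
        "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": list(verbs)}],
    }


def rolebinding_manifest(name: str, namespace: str, role: str, user: str) -> dict:
    """RoleBinding attaching the Role to a User subject (the identity in the KubeConfig)."""
    return {
        "apiVersion": f"{RBAC_API}/v1", "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "subjects": [{"kind": "User", "name": user, "apiGroup": RBAC_API}],
        "roleRef": {"kind": "Role", "name": role, "apiGroup": RBAC_API},
    }


class ClusterRBAC:
    """Roles and RoleBindings of one cluster, plus a minimal namespaced RBAC check."""

    def __init__(self) -> None:
        self.roles: Dict[tuple, dict] = {}
        self.bindings: List[dict] = []

    def apply(self, obj: dict) -> None:
        meta = obj["metadata"]
        if obj["kind"] == "Role":
            self.roles[(meta["namespace"], meta["name"])] = obj
        elif obj["kind"] == "RoleBinding":
            self.bindings.append(obj)
        else:
            raise ValueError(f"unsupported kind {obj['kind']}")

    def can(self, user: str, verb: str, namespace: str) -> bool:
        """True if a RoleBinding in `namespace` names `user` and its Role allows `verb`."""
        for binding in self.bindings:
            if binding["metadata"]["namespace"] != namespace:
                continue
            if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
                continue
            role = self.roles.get((namespace, binding["roleRef"]["name"]))
            if role and any(verb in rule["verbs"] for rule in role["rules"]):
                return True
        return False  # no binding matched: RBAC denies by default


def grant_privileges(clusters: Dict[str, ClusterRBAC], user: str, namespace: str,
                     targets: List[str], readonly: bool = False) -> None:
    """Conceptual stand-in (assumption) for `vela auth grant-privileges --user U
    --for-namespace N --for-cluster C [--readonly]`: a Role + RoleBinding in N on each C."""
    role_name = f"{user}-{namespace}-{'readonly' if readonly else 'readwrite'}"  # hypothetical name
    for cluster in targets:
        clusters[cluster].apply(role_manifest(role_name, namespace, readonly))
        clusters[cluster].apply(rolebinding_manifest(role_name, namespace, role_name, user))


def application(name: str, namespace: str, cluster: str) -> dict:
    """Minimal KubeVela Application whose topology policy targets one managed cluster."""
    return {
        "apiVersion": "core.oam.dev/v1beta1", "kind": "Application",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "components": [{"name": name, "type": "webservice",
                            "properties": {"image": "stefanprodan/podinfo:6.0.1"}}],  # image: assumption
            "policies": [{"name": "topology", "type": "topology",
                          "properties": {"clusters": [cluster], "namespace": namespace}}],
        },
    }


def dispatch_denials(clusters: Dict[str, ClusterRBAC], app: dict, user: str) -> List[str]:
    """KubeVela dispatches with the creator's identity, so each topology target must let
    `user` create resources there; returns the "cluster/namespace" targets that refuse."""
    denied = []
    for policy in app["spec"].get("policies", []):
        if policy["type"] != "topology":
            continue
        target_ns = policy["properties"].get("namespace", app["metadata"]["namespace"])
        for cluster in policy["properties"].get("clusters", []):
            if not clusters[cluster].can(user, "create", target_ns):
                denied.append(f"{cluster}/{target_ns}")
    return denied


def scenario() -> dict:
    """Replays the guide: Alice read/write in dev (control plane + c2), Bob read-only there."""
    clusters = {"local": ClusterRBAC(), "c2": ClusterRBAC(), "c3": ClusterRBAC()}
    grant_privileges(clusters, "alice", "dev", ["local", "c2"])
    grant_privileges(clusters, "bob", "dev", ["local", "c2"], readonly=True)
    return {
        "alice_create_app_in_dev": clusters["local"].can("alice", "create", "dev"),
        "alice_create_outside_dev": clusters["local"].can("alice", "create", "default"),
        "podinfo_denied": dispatch_denials(clusters, application("podinfo", "dev", "c2"), "alice"),
        "podinfo_bad_denied": dispatch_denials(clusters, application("podinfo-bad", "dev", "c3"), "alice"),
        "bob_list_apps_in_dev": clusters["local"].can("bob", "list", "dev"),
        "bob_delete_app_in_dev": clusters["local"].can("bob", "delete", "dev"),
        "alice_delete_app_in_dev": clusters["local"].can("alice", "delete", "dev"),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point of `dispatch_denials` is the one the guide makes with `podinfo-bad`: because the controller acts as the application's creator rather than with its own cluster-wide ServiceAccount, a target cluster where the creator has no Role simply refuses the dispatch, so a user's blast radius is bounded by the namespaces and clusters they were explicitly granted.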
The guide above demonstrates how system operators can grant limited privileges to users and thereby restrict the access of the applications they create. For a more detailed explanation of how this capability is achieved, read the Underlying Mechanism article.
As the platform builder, you may want to bind KubeVela applications to your own customized identity, for example a manually specified ServiceAccount for the application. If you want to do so, it is not mandatory to enable the Authentication feature flag in KubeVela. Read the System Integration article for more details.