Cloud Services

Container Cluster Management

Cluster access control
Published On Dec 12, 2024 - 2:08 PM

Cluster access control

Manage your Kubernetes cluster access using a role-based approach.
The Container Cluster Management – Cluster Access Control section provides a role-based access control management system for Kubernetes clusters. Use the following procedure to connect to Access Control:
  1. Log into Container Cluster Management. To learn more about navigating to the different services from each tenant, refer to Kyndryl ModernOps landing page or Kyndryl Bridge Landing page navigation.
  2. Proceed to the CCM main dashboard. This serves as the central hub for all cluster management activities.
  3. In the dashboard, locate the
    Cluster table
    , positioned towards the bottom of the interface. This table lists all the clusters available under your management.
  4. Identify and choose a cluster by selecting the cluster name in the
    Cluster table
    . This action will direct you to a detailed view of the selected cluster.
  5. Within the cluster details view, navigate to the
    Access control
    tab. Here, you will find options to view and manage Persistent Volumes, Persistent Volume Claims, and Storage Classes associated with the selected cluster.

Access Control

The Access Control in Kubernetes includes the following sections:
  • Cluster roles:
    • A non-namespaced resource. It's assigned names like Role and ClusterRole because Kubernetes objects are either namespaced or not. Uses:
      1. Set permissions on namespaced resources within individual namespace(s).
      2. Grant permissions on namespaced resources across all namespaces.
      3. Define permissions on cluster-scoped resources.
  • Roles:
    • Always sets permissions within a specified namespace. When creating a Role, the namespace it pertains to must be specified.
  • Cluster role bindings:
    • While a RoleBinding provides permissions within a particular namespace, a ClusterRoleBinding offers that access across the entire cluster.
  • Role bindings:
    • Grants the permissions as defined in a role to specific users or groups. It contains a list of subjects (users, groups, or service accounts) and references the role that is being granted. Grants permissions within a specified namespace.
  • Service accounts:
    • These are Kubernetes resources managed via the Kubernetes API. It is intended for in-cluster entities like Pods to authenticate to the Kubernetes API server or external services.

Cluster roles

On the cluster roles page, you'll find a comprehensive view of all cluster roles for your cluster. The table displays:
  • Name:
    Name of the cluster role.
    Age:
    The duration since the cluster role was created.
  • duration
To explore more details about a cluster role, select either the entire row or the
View details
option.
This will present the cluster role's details in a side panel which includes:
  • Cluster role name
    as the panel title,
    Labels
    , and
    Annotations
    .
  • Rules:
    Displays the Rules table showcasing
    Resources
    ,
    Verbs
    , and
    API Groups
    .
  • Raw JSON:
    Contains JSON data from the cluster roles API exposed by Kubernetes.

Roles

The roles page overviews all roles for a particular cluster within a selected namespace. The table displays:
  • Name:
    Name of the role.
  • Namespace:
    The namespace within which the roles are created.
  • Age:
    The duration since the role has been set.
To delve into a role's details, select the row or the
View details
option. A side panel will display:
  • Role name
    as the panel title,
    Labels
    , and
    Annotations
    .
  • Rules:
    Displays the Rules table showcasing
    Resources
    ,
    Verbs
    , and
    API Groups
    .
  • Raw JSON:
    Contains JSON data from the roles API exposed by Kubernetes.

Cluster role bindings

This page presents a view of your cluster's role bindings. The table highlights:
  • Name:
    Name of the cluster role binding.
  • Role reference:
    Role reference for that specific cluster role binding.
  • Age:
    Duration since the cluster role binding has been active.
For a deeper understanding of a cluster role binding, select its row or the
View details
option. This will bring up a side panel detailing:
  • Cluster role binding name
    as the panel title and
    Labels
    .
  • Subject:
    Showcases the Subject table with columns such as
    API Group
    ,
    Subject kind
    , and
    Subject name
    .
  • Raw JSON:
    Provides JSON data from the cluster role bindings API exposed by Kubernetes.

Role bindings

This section presents all role bindings for a specific cluster within a selected namespace. The table contains:
  • Name:
    Name of the role binding.
  • Namespace:
    The namespace in which the role bindings reside.
  • Role reference:
    Role reference for the specific role binding.
  • Age:
    The duration since the role binding been has been set.
Select a role binding's row or the
View details
option to view its specifics. A side panel will feature:
  • Role binding name
    as the panel title and
    Labels
    .
  • Subject:
    Details the Subject table columns, including
    API Group
    ,
    Subject kind
    , and
    Subject name
    .
  • Raw JSON:
    Contains JSON data from the role bindings API offered by Kubernetes.

Service Accounts

This page showcases all service accounts for a specific cluster within the chosen namespace. The table shows:
  • Name:
    Service account's name.
  • Age:
    The duration the service account has been active.
Select its row or the
View detail
s  option to examine a service account in detail. A side panel will reveal:
  • Service account name
    as the panel title,
    Labels
    , and
    Annotations
    .
  • Secrets:
    Lists the Secrets table, highlighting the
    Name
    and
    name type
    .
Do you have two minutes for a quick survey?
Take Survey