Cluster access control
Published On Jun 25, 2024 - 8:05 AM

Manage and monitor your Kubernetes cluster effectively with comprehensive access control.
The Container Cluster Management – Cluster Access Control section provides a comprehensive guide to managing and monitoring Kubernetes clusters with robust access control mechanisms. This article covers the core access control components in Kubernetes, including cluster roles, cluster role bindings, and service accounts.
To view the access control data for a cluster, follow these steps:
  1. Log into Container Cluster Management. To learn more about navigating to the different services from each tenant, refer to the Kyndryl ModernOps landing page or Kyndryl Bridge Landing page navigation.
  2. Proceed to the CCM main dashboard. This serves as the central hub for all cluster management activities.
  3. In the dashboard, locate the Cluster table, positioned towards the bottom of the interface. This table lists all the clusters available under your management.
  4. Identify and choose the desired cluster by selecting it within the Cluster table. This action will direct you to a detailed view of the selected cluster.
  5. Within the cluster details view, navigate to the Access control tab. Here, you will find options to view and manage Persistent Volumes, Persistent Volume Claims, and Storage Classes associated with the selected cluster.

Access Control

Access control in Kubernetes includes these core sections:
  • Cluster roles:
    • A non-namespaced resource. Role and ClusterRole are separate resource kinds because a Kubernetes object is either namespaced or not. A ClusterRole can be used to:
      1. Set permissions on namespaced resources within individual namespace(s).
      2. Grant permissions on namespaced resources across all namespaces.
      3. Define permissions on cluster-scoped resources.
  • Roles:
    • Always sets permissions within a specified namespace. When creating a Role, the namespace it pertains to must be specified.
  • Cluster role bindings:
    • While a RoleBinding provides permissions within a particular namespace, a ClusterRoleBinding offers that access across the entire cluster.
  • Role bindings:
    • Grants the permissions as defined in a role to specific users or groups. It contains a list of subjects (users, groups, or service accounts) and references the role that is being granted. Grants permissions within a specified namespace.
  • Service accounts:
    • These are Kubernetes resources managed via the Kubernetes API. They are intended for in-cluster entities like Pods to authenticate to the Kubernetes API server or external services.
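
To make the scoping rules above concrete, the following added example (not part of the original article and not Kyndryl or Kubernetes project code) resolves bindings to the subjects and rules they grant, including a RoleBinding that references a ClusterRole, and flags cluster-wide wildcard grants. The objects and all names in them (pod-reader, ops-all, cfg-editor, alice, builder, ops) are constructed samples shaped like the Raw JSON panels.

```python
import json

# Constructed sample, shaped like the Raw JSON returned by the Kubernetes RBAC API.
RAW = json.loads("""[
 {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "ops-all"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "Role", "metadata": {"name": "cfg-editor", "namespace": "dev"},
  "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["update"]}]},
 {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "dev"},
  "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
  "subjects": [{"kind": "User", "name": "alice"}]},
 {"kind": "RoleBinding", "metadata": {"name": "edit-cfg", "namespace": "dev"},
  "roleRef": {"kind": "Role", "name": "cfg-editor"},
  "subjects": [{"kind": "ServiceAccount", "name": "builder", "namespace": "dev"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-everywhere"},
  "roleRef": {"kind": "ClusterRole", "name": "ops-all"},
  "subjects": [{"kind": "Group", "name": "ops"}]}
]""")

def effective_grants(objects):
    """Resolve each binding to (subject, scope, resources, verbs, has_wildcard) rows."""
    roles = {}
    for o in objects:
        if o["kind"] in ("Role", "ClusterRole"):
            meta = o["metadata"]  # ClusterRoles carry no namespace, so it is None
            roles[(o["kind"], meta.get("namespace"), meta["name"])] = o.get("rules") or []
    rows = []
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ns, ref = b["metadata"].get("namespace"), b["roleRef"]
        # A RoleBinding may reference a ClusterRole; the grant stays inside its namespace.
        key = (ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"])
        scope = "cluster-wide" if b["kind"] == "ClusterRoleBinding" else "namespace:" + ns
        for s in b.get("subjects") or []:
            for r in roles.get(key, []):
                res, verbs = tuple(r.get("resources", [])), tuple(r.get("verbs", []))
                rows.append((s["kind"] + "/" + s["name"], scope, res, verbs,
                             "*" in res or "*" in verbs))
    return rows

def cluster_wide_wildcards(rows):
    """Grants that apply across the whole cluster and contain a wildcard."""
    return [r for r in rows if r[1] == "cluster-wide" and r[4]]

if __name__ == "__main__":
    print(*effective_grants(RAW), sep="\n")
```

In the sample, alice can read pods only in the dev namespace even though pod-reader is a ClusterRole, while the ops group receives every verb on every resource across the cluster.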

Cluster roles

On the cluster roles page, you'll find a comprehensive view of all cluster roles for your cluster. The table displays:
  • Name: Name of the cluster role.
  • Age: How long the cluster role has existed.
To explore more details about a cluster role, select either the entire row or the View details option. This will present the cluster role's details in a side panel, which includes:
  • Cluster role name as the panel title, Labels, and Annotations.
  • Rules: Displays the Rules table showing Resources, Verbs, and API Groups.
  • Raw JSON: Contains JSON data from the cluster roles API exposed by Kubernetes.

Roles

The roles page gives an overview of all roles for a particular cluster within a selected namespace. The table displays:
  • Name: Name of the role.
  • Namespace: The namespace within which the roles are created.
  • Age: How long the role has existed.
To delve into a role's details, select the row or the View details option. A side panel will display:
  • Role name as the panel title, Labels, and Annotations.
  • Rules: Displays the Rules table showing Resources, Verbs, and API Groups.
  • Raw JSON: Contains JSON data from the roles API exposed by Kubernetes.

Cluster role bindings

This page presents a view of your cluster's cluster role bindings. The table highlights:
  • Name: Name of the cluster role binding.
  • Role reference: Role reference for that specific cluster role binding.
  • Age: How long the cluster role binding has been active.
For a deeper understanding of a cluster role binding, select its row or the View details option. This will bring up a side panel detailing:
  • Cluster role binding name as the panel title and Labels.
  • Subject: Shows the Subject table with columns such as API Group, Subject kind, and Subject name.
  • Raw JSON: Provides JSON data from the cluster role bindings API exposed by Kubernetes.

Role bindings

This section presents all role bindings for a specific cluster within a selected namespace. The table contains:
  • Name: Name of the role binding.
  • Namespace: The namespace in which the role bindings reside.
  • Role reference: Role reference for the specific role binding.
  • Age: How long the role binding has existed.
Select a role binding's row or the View details option to view its specifics. A side panel will feature:
  • Role binding name as the panel title and Labels.
  • Subject: Details the Subject table columns, including API Group, Subject kind, and Subject name.
  • Raw JSON: Contains JSON data from the role bindings API offered by Kubernetes.

Service Accounts

This page shows all service accounts for a specific cluster within the chosen namespace. The table shows:
  • Name: Service account's name.
  • Age: How long the service account has been active.
Select its row or the View details option to examine a service account in detail. A side panel will reveal:
  • Service account name as the panel title, Labels, and Annotations.
  • Secrets: Lists the Secrets table, highlighting the Name and name type.