Multi-user MicroK8s
MicroK8s is inherently multi-user capable in the sense that any user added to the microk8s group can run commands against the cluster.
In some circumstances, it may be desirable to have a degree of user-isolation, e.g. when multiple users are accessing a MicroK8s cluster. MicroK8s is a full implementation of Kubernetes, and therefore any existing strategy for handling multiple users can be applied. There is extensive upstream documentation relating to managing users.
As a guide though, the following steps are recommended.
- Enable Role Based Access Control (RBAC):
    microk8s enable rbac
- If required, create a specific namespace for the user (in this case, ‘alice’) by generating and applying a namespace object such as:
namespace.json:
    {
      "apiVersion": "v1",
      "kind": "Namespace",
      "metadata": {
        "name": "alice",
        "labels": {
          "name": "alice"
        }
      }
    }
    microk8s kubectl apply -f namespace.json
- Create and apply a rolebinding
RBAC uses roles to control which aspects of a namespace can be viewed and/or modified (see the upstream RBAC documentation).
E.g. to access pods:
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: alice
      name: alice-pods
    rules:
    - apiGroups: [""] # "" indicates the core API group
      resources: ["pods"]
      verbs: ["get", "watch", "list"]
To bind this role to the user, run the following. The binding must be created in the same namespace as the role:
    kubectl create rolebinding rolebindingname --role alice-pods --user alice --namespace alice
- Install kubectl
    sudo snap install kubectl --classic
This installs a standalone version of the kubectl command, which can be used instead of the built-in MicroK8s version of kubectl.
- Authenticate the user.
There are different ways of authenticating users for Kubernetes. x509 certificates are recommended. The supported methods are described in the upstream documentation.
- Create a local kubectl config
You can run the command:
    microk8s config
…to output the contents of the configuration file used by MicroK8s. This can be used as the basis for a user config file - bear in mind that the user information and the authentication should be matched to the user and the authentication method used.
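One way to confirm the result of the RBAC steps above, as an added example that is not part of the MicroK8s documentation: the script uses kubectl auth can-i with impersonation to check that alice can read pods in her own namespace and nothing more. The function names and the KUBECTL variable are assumptions of this example, and it must be run by a user who is allowed to impersonate others (for example a cluster admin).

```shell
#!/bin/sh
# Added example: verify that a user has only the access granted by the
# alice-pods Role. Uses kubectl impersonation (--as), so run it as an admin.
# KUBECTL is an assumed override variable of this script, not a MicroK8s setting.
KUBECTL="${KUBECTL:-microk8s kubectl}"

# can_i USER NAMESPACE VERB RESOURCE: succeeds only if the API server says "yes".
can_i() {
    answer=$($KUBECTL auth can-i "$3" "$4" --namespace "$2" --as "$1" 2>/dev/null)
    [ "$answer" = "yes" ]
}

# expect_access WANT USER NAMESPACE VERB RESOURCE, where WANT is allow or deny.
expect_access() {
    want=$1; shift
    if can_i "$@"; then got=allow; else got=deny; fi
    if [ "$got" = "$want" ]; then
        echo "ok    $want  $3 $4 in namespace $2"
    else
        echo "FAIL  wanted $want, got $got: $3 $4 in namespace $2"
        return 1
    fi
}

# check_isolation USER NAMESPACE: runs every check, returns 0 only if all pass.
check_isolation() {
    user=$1; ns=$2; rc=0
    # Granted by the alice-pods Role: read-only access to pods.
    for verb in get watch list; do
        expect_access allow "$user" "$ns" "$verb" pods || rc=1
    done
    # Not granted: writes to pods, or other resources in the same namespace.
    for verb in create delete patch; do
        expect_access deny "$user" "$ns" "$verb" pods || rc=1
    done
    expect_access deny "$user" "$ns" get secrets || rc=1
    expect_access deny "$user" "$ns" create rolebindings || rc=1
    # Not granted: anything outside the user's own namespace.
    for other in default kube-system; do
        expect_access deny "$user" "$other" list pods || rc=1
    done
    return $rc
}

# Run only when a user name is given, e.g.: sh check-isolation.sh alice alice
if [ "$#" -ge 1 ]; then
    check_isolation "$1" "${2:-$1}"
fi
```

A FAIL on one of the deny lines means the user holds more access than the Role above grants, typically through an additional binding.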
Last updated 8 months ago.