Up to: DataONE Cluster Overview
An application needs to be authorized to run on the DataONE Kubernetes (k8s) cluster.
Authorization is based on k8s serviceaccounts.
A few k8s configuration steps are required before an application can be installed and run on the DataONE k8s cluster. The DataONE slinky application will be used as an example of this setup.
The kubectl program is used to perform these configuration steps. The kubectl program can operate in either a privileged admin mode, or in a restricted access mode. The k8s documentation refers to these different modes as configuration contexts.
Operations that involve creating new resources, such as k8s namespaces, and accessing global resources (available to more than one namespace) require an admin context.
The authorization approach that will be used for DataONE applications is to create a unique k8s authorization configuration context for each application that will limit all interactions with k8s to a single namespace that is used by only that application. (Note that multiple applications could use the same namespace if desired, as the authorization context could be used by multiple applications.)
A k8s serviceAccount is used as the subject that is authenticated when kubectl commands are performed by a non-admin user.
The authorization information needed to authorization kubectl requests as the serviceAccount
subject is kept in a kubectl configuration
file that is created by the k8s admin user for each application. The script
configure-k8s-service-account.sh can be used to create the namespace, serviceAccount, and kubectl
configuration file for an application. The syntax is:
$ configure-k8s-service-account application-name cluster-prefixwhere application-name is the intended namespace of the application, and cluster-prefix is
either dev for the dev-k8s cluster or prod for the prod-k8s cluster.
For example, to create the 'slinky' context, the admin user is used to invoke this script as:
configure-k8s-service-account.sh slinky devThis script will add the new context in two places:
- It will be merged with the existing contents of the
~/.kube/config-devfile. This new version ofconfig-devshould be gpg-encrypted and pushed to git. - It will also be saved in a
<application-name>-dev.configfile, which contains only the details for that particular context (e.g.slinky-dev.config). This file is typically not pushed to git, but may be useful for sharing with outside developers who need access only to that context.
Note
The defaults will be applied in the initial creation of the serviceaccount, so this step
will usually not be needed. REMINDER: we need to practise the principle of least privilege
when granting access to resources.
A serviceAccount is initially created with a default set of privileges granted as configured in the
template application-context.yaml file. A k8s role and rolebinding are created to grant access
to the serviceAccount to perform any actions on the namespace created for the application. No
actions on any other resource outside the designated namespace are granted.
If it is necessary to add additional privileges for a service account within a given namespace, you
can update the Role and RoleBinding resources for the service account, adding additional roles
as needed, and updating it with kubectl apply. Please save copies of the yaml file(s) in the
custom-rolebindings directory, and update the custom-rolebindings.md
file with instructions.
Caution
Use this option ONLY if ABSOLUTELY necessary. This is a security risk, and is not recommended for most applications!
If an application needs to access resources at the cluster level, you can create a ClusterRole and
ClusterRoleBinding for the service account. The creation and application of these resources is
similar to those for Role RoleBinding, above. Please save copies of the yaml file(s) in the
custom-rolebindings directory, and update the custom-rolebindings.md
file with instructions.
See the instructions in the Limited Access README file
From the user's perspective, the following initial setup is required upon receiving a copy of the kubectl configuration file:
- Decrypt the file(s), which should have arrived in gpg-encrypted form.
- Create a
~/.kube/directory, move the file(s) into it, andchmod 600them, since they contain sensitive information. - Set up a KUBECONFIG environment variable that contains the path(s) to any of these files in
~/.kube/, by adding something like this to your~/.zshrc(or~/.zshenv) file. For example:# (substitute your own filenames) export KUBECONFIG="$HOME/.kube/config:$HOME/.kube/config-prod:$HOME/.kube/config-dev"