Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise.
RBAC uses the rbac.authorization.k8s.io API group to drive authorization decisions, allowing admins to dynamically configure policies through the Kubernetes API.
It's recommended to set up RBAC for your Ignite deployments to have fine-grained control of your deployments and to avoid any security-related issues.
It's assumed that you already have a Kubernetes cluster deployed. For instance, the following documentation explains how to spin it up on Microsoft Azure.
Create a unique namespace for your Ignite deployment. In our case the namespace name is ignite (saved as ignite-namespace.yaml):

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: ignite
```
Run the command below to configure the namespace:
kubectl create -f ignite-namespace.yaml
Use the following configuration for the Ignite service account (saved as ignite-service-account.yaml):

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ignite
  namespace: ignite
```
Run the command below to create the account:
kubectl create -f ignite-service-account.yaml
Use the following configuration for the role used by the Ignite Service, which handles Ignite node auto-discovery and acts as a LoadBalancer for remote applications (saved as ignite-account-role.yaml):

```yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: ignite
  namespace: ignite
rules:
- apiGroups:
  - ""
  resources: # Here are resources you can access
  - pods
  - endpoints
  verbs: # That is what you can do with them
  - get
  - list
  - watch
```

Note: if you are not going to use the Ignite Service as a LoadBalancer for your external applications, grant it fewer privileges as suggested here.
Run this command to create the role:
kubectl create -f ignite-account-role.yaml
Next, bind this role to your service account and the namespace using the following configuration (saved as ignite-role-binding.yaml):

```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ignite
roleRef:
  kind: ClusterRole
  name: ignite
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: ignite
  namespace: ignite
```
Run this command to create the binding:
kubectl create -f ignite-role-binding.yaml
Finally, switch the current namespace to ignite so that you can see all the resources belonging to it:
kubectl config set-context $(kubectl config current-context) --namespace=ignite
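Before applying the manifests above, it is worth checking that the role really is least-privilege: read-only access to pods and endpoints in the core API group is all that discovery needs, and a wildcard verb or a write verb on those resources (or on anything else, such as secrets) would let a compromised Ignite pod do far more than discover its peers. The script below is an added example and is not part of the Apache Ignite documentation. It transcribes the page's ClusterRole to JSON (Kubernetes accepts JSON and YAML manifests interchangeably, so no YAML library is needed), adds a constructed over-broad variant for contrast, and reports every grant outside an allowlist. The transcription uses `rbac.authorization.k8s.io/v1` because the `v1beta1` RBAC API was removed in Kubernetes 1.22; the rules are otherwise identical to the page's manifest. The function names `expand_rules`, `excess_permissions`, `findings` and `binding_is_cluster_wide` are this example's own.

```python
"""Least-privilege check for Role/ClusterRole manifests (added example, not Ignite's own code)."""
import json
from itertools import product

# The page's ClusterRole transcribed to JSON (constructed input, same rules as the YAML).
IGNITE_CLUSTER_ROLE = json.loads("""
{"apiVersion": "rbac.authorization.k8s.io/v1",
 "kind": "ClusterRole",
 "metadata": {"name": "ignite"},
 "rules": [{"apiGroups": [""],
            "resources": ["pods", "endpoints"],
            "verbs": ["get", "list", "watch"]}]}
""")

# A constructed over-broad variant of the kind the check should reject.
OVERBROAD_ROLE = json.loads("""
{"apiVersion": "rbac.authorization.k8s.io/v1",
 "kind": "ClusterRole",
 "metadata": {"name": "ignite-too-broad"},
 "rules": [{"apiGroups": [""],
            "resources": ["pods", "endpoints", "secrets"],
            "verbs": ["*"]}]}
""")

# The page's ClusterRoleBinding, transcribed to JSON (constructed input).
IGNITE_BINDING = json.loads("""
{"kind": "ClusterRoleBinding",
 "apiVersion": "rbac.authorization.k8s.io/v1",
 "metadata": {"name": "ignite"},
 "roleRef": {"kind": "ClusterRole", "name": "ignite",
             "apiGroup": "rbac.authorization.k8s.io"},
 "subjects": [{"kind": "ServiceAccount", "name": "ignite", "namespace": "ignite"}]}
""")

# Everything node discovery needs: read-only verbs on pods and endpoints in the core ("") group.
DISCOVERY_ALLOWLIST = set(product([""], ["pods", "endpoints"], ["get", "list", "watch"]))
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def expand_rules(role):
    """Flatten a Role/ClusterRole into the set of (apiGroup, resource, verb) triples it grants."""
    grants = set()
    for rule in role.get("rules", []):
        grants.update(product(rule.get("apiGroups", []),
                              rule.get("resources", []),
                              rule.get("verbs", [])))
    return grants


def excess_permissions(role, allowlist=DISCOVERY_ALLOWLIST):
    """Grants beyond the allowlist, sorted. A "*" never appears in the allowlist, so it is always excess."""
    return sorted(expand_rules(role) - allowlist)


def findings(role, allowlist=DISCOVERY_ALLOWLIST):
    """Describe each excess grant as a wildcard, a write verb, or simply out of scope."""
    lines = []
    for group, resource, verb in excess_permissions(role, allowlist):
        target = f"{group or 'core'}/{resource}"
        if "*" in (group, resource, verb):
            lines.append(f"wildcard: {target} {verb}")
        elif verb in WRITE_VERBS:
            lines.append(f"write access: {target} {verb}")
        else:
            lines.append(f"out of scope: {target} {verb}")
    return lines


def binding_is_cluster_wide(binding):
    """True when the binding grants its role in every namespace (ClusterRoleBinding) rather
    than only in the binding's own namespace (RoleBinding)."""
    return binding.get("kind") == "ClusterRoleBinding"


if __name__ == "__main__":
    for role in (IGNITE_CLUSTER_ROLE, OVERBROAD_ROLE):
        problems = findings(role)
        print(f"{role['metadata']['name']}: {'least privilege OK' if not problems else 'excess grants'}")
        for problem in problems:
            print("  -", problem)
    if binding_is_cluster_wide(IGNITE_BINDING):
        print("binding is cluster-wide: the service account can read pods/endpoints in all namespaces")
```

Two points the output makes visible. The page's role passes with no excess grants, while the over-broad variant is flagged on every resource because `*` is never in the allowlist. The page's binding is a ClusterRoleBinding, so the `ignite` service account can list pods and endpoints in every namespace, not just `ignite`; if discovery only ever needs its own namespace, a RoleBinding in the `ignite` namespace referencing the same ClusterRole confines the grant to that namespace. On a live cluster the equivalent spot-check is `kubectl auth can-i list pods --as=system:serviceaccount:ignite:ignite -n ignite`, which should answer `yes`, and the same command with `delete` or with `secrets`, which should answer `no`.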