Manage authorization and access control
Suggest changes
PDFs
Trident protect uses the Kubernetes model of role-based access control (RBAC). By default, Trident protect provides a single system namespace and its associated default service account. If you have an organization with many users or specific security needs, you can use the RBAC features of Trident protect to gain more granular control over access to resources and namespaces.
The cluster administrator always has access to resources in the default trident-protect namespace, and can also access resources in all other namespaces. To control access to resources and applications, you need to create additional namespaces and add resources and applications to those namespaces.
Note that no users can create application data management CRs in the default trident-protect namespace. You need to create application data management CRs in an application namespace (as a best practice, create application data management CRs in the same namespace as their associated application).
|
Only administrators should have access to privileged Trident protect custom resource objects, which include:
As a best practice, use RBAC to restrict access to privileged objects to administrators. |
For more information about how RBAC regulates access to resources and namespaces, refer to the Kubernetes RBAC documentation.
Fore information about service accounts, refer to the Kubernetes service account documentation.
Example: Manage access for two groups of users
For example, an organization has a cluster administrator, a group of engineering users, and a group of marketing users. The cluster administrator would complete the following tasks to create an environment where the engineering group and the marketing group each have access to only the resources assigned to their respective namespaces.
Step 1: Create a namespace to contain resources for each group
Creating a namespace enables you to logically separate resources and better control who has access to those resources.
-
Create a namespace for the engineering group:
kubectl create ns engineering-ns -
Create a namespace for the marketing group:
kubectl create ns marketing-ns
Step 2: Create new service accounts to interact with resources in each namespace
Each new namespace you create comes with a default service account, but you should create a service account for each group of users so that you can further divide privileges between groups in the future if necessary.
-
Create a service account for the engineering group:
apiVersion: v1 kind: ServiceAccount metadata: name: eng-user namespace: engineering-ns -
Create a service account for the marketing group:
apiVersion: v1 kind: ServiceAccount metadata: name: mkt-user namespace: marketing-ns
Step 3: Create a secret for each new service account
A service account secret is used to authenticate with the service account, and can easily be deleted and recreated if compromised.
-
Create a secret for the engineering service account:
apiVersion: v1 kind: Secret metadata: annotations: kubernetes.io/service-account.name: eng-user name: eng-user-secret namespace: engineering-ns type: kubernetes.io/service-account-token -
Create a secret for the marketing service account:
apiVersion: v1 kind: Secret metadata: annotations: kubernetes.io/service-account.name: mkt-user name: mkt-user-secret namespace: marketing-ns type: kubernetes.io/service-account-token
Step 4: Create a RoleBinding object to bind the ClusterRole object to each new service account
A default ClusterRole object is created when you install Trident protect. You can bind this ClusterRole to the service account by creating and applying a RoleBinding object.
-
Bind the ClusterRole to the engineering service account:
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: engineering-ns-tenant-rolebinding namespace: engineering-ns roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: trident-protect-tenant-cluster-role subjects: - kind: ServiceAccount name: eng-user namespace: engineering-ns -
Bind the ClusterRole to the marketing service account:
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: marketing-ns-tenant-rolebinding namespace: marketing-ns roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: trident-protect-tenant-cluster-role subjects: - kind: ServiceAccount name: mkt-user namespace: marketing-ns
Step 5: Test permissions
Test that the permissions are correct.
-
Confirm that engineering users can access engineering resources:
kubectl auth can-i --as=system:serviceaccount:engineering-ns:eng-user get applications.protect.trident.netapp.io -n engineering-ns -
Confirm that engineering users cannot access marketing resources:
kubectl auth can-i --as=system:serviceaccount:engineering-ns:eng-user get applications.protect.trident.netapp.io -n marketing-ns
Step 6: Grant access to AppVault objects
To perform data management tasks such as backups and snapshots, the cluster administrator needs to grant access to AppVault objects to individual users.
-
Create and apply an AppVault and secret combination YAML file that grants a user access to an AppVault. For example, the following CR grants access to an AppVault to the user
eng-user:apiVersion: v1 data: accessKeyID: <ID_value> secretAccessKey: <key_value> kind: Secret metadata: name: appvault-for-eng-user-only-secret namespace: trident-protect type: Opaque --- apiVersion: protect.trident.netapp.io/v1 kind: AppVault metadata: name: appvault-for-eng-user-only namespace: trident-protect # Trident protect system namespace spec: providerConfig: azure: accountName: "" bucketName: "" endpoint: "" gcp: bucketName: "" projectID: "" s3: bucketName: testbucket endpoint: 192.168.0.1:30000 secure: "false" skipCertValidation: "true" providerCredentials: accessKeyID: valueFromSecret: key: accessKeyID name: appvault-for-eng-user-only-secret secretAccessKey: valueFromSecret: key: secretAccessKey name: appvault-for-eng-user-only-secret providerType: GenericS3 -
Create and apply a Role CR to enable cluster administrators to grant access to specific resources in a namespace. For example:
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: eng-user-appvault-reader namespace: trident-protect rules: - apiGroups: - protect.trident.netapp.io resourceNames: - appvault-for-enguser-only resources: - appvaults verbs: - get -
Create and apply a RoleBinding CR to bind the permissions to the user eng-user. For example:
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: eng-user-read-appvault-binding namespace: trident-protect roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: eng-user-appvault-reader subjects: - kind: ServiceAccount name: eng-user namespace: engineering-ns -
Verify that the permissions are correct.
-
Attempt to retrieve AppVault object information for all namespaces:
kubectl get appvaults -n trident-protect --as=system:serviceaccount:engineering-ns:eng-userYou should see output similar to the following:
Error from server (Forbidden): appvaults.protect.trident.netapp.io is forbidden: User "system:serviceaccount:engineering-ns:eng-user" cannot list resource "appvaults" in API group "protect.trident.netapp.io" in the namespace "trident-protect"
-
Test to see if the user can get the AppVault information that they now have permission to access:
kubectl auth can-i --as=system:serviceaccount:engineering-ns:eng-user get appvaults.protect.trident.netapp.io/appvault-for-eng-user-only -n trident-protectYou should see output similar to the following:
yes
-
The users you have granted AppVault permissions to should be able to use authorized AppVault objects for application data management operations, and should not be able to access any resources outside of the assigned namespaces or create new resources that they do not have access to.