Hey everyone! I've mainly worked with GKE, Digital Ocean, and self-hosted Kubernetes clusters where they generate a kubeconfig file that gives admin access. I'm wondering how to manage permissions if I want to allow another user to handle maybe just a single namespace or some specific resources instead of sharing the full admin access. Can I set up a secondary kubeconfig file with restricted permissions? What are some best practices for granting access? I've noticed GCP uses auth plugins and IAM for permission management; how does this work for other setups outside of GCP? I'd appreciate any insights you might have. Thanks!
2 Answers
Totally agree! You can definitely create new Service Accounts (SAs) along with the necessary RBAC roles to manage permissions. Those tokens can then be used for authentication and you can set up a kubeconfig that points to them. If your managed Kubernetes supports OIDC, that's even better, but it doesn't always work with every service.
It's crucial not to share your cluster admin credentials, as you should avoid using them for everyday tasks. Instead, you want to implement external authentication, like OIDC, and set up RBAC for precise access control. This keeps your cluster secure by ensuring users only have the permissions they need.
LOL, right? I was like, what’s with all the jargon? But yeah, it's good advice!