I'm facing some challenges with my company's IT and security department regarding my Kubernetes administration work. I recently set up a fresh RKE2 cluster using some automation scripts that were developed in-house. After completing the installation, my admin account was stripped of all sudo privileges. Now, I can't even access my kube config file or execute basic kubectl or helm commands from the bastion server. My sysadmin is questioning why I need sudo privileges for these tasks. I think the issue lies in the sudoers configuration for my account. I need some help articulating the reasons I need these privileges to effectively deploy helm charts and manage the cluster.
1 Answer
You actually don’t need root access to the bastion server to manage your Kubernetes cluster. It’s often recommended to create a separate user for your work and then transfer your kube config to your own machine. The bastion should just act as a jump box to expose the cluster API to your local setup. Also, for corporate setups, consider implementing some Identity Provider (IdP) or Pluggable Authentication Module (PAM) solutions for better security instead of relying on elevated privileges. Check out the Kubernetes documentation for more guidance on authentication.
Can you share some examples of IdP and PAM solutions? Are those like service accounts or roles, or does it involve something like Dex?
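The answer's approach (jump box only, kubeconfig on your own machine, no sudo anywhere) as an added shell example; it is not code from the original thread. Assumed names: bastion `bastion.example.internal`, control-plane node `cp-1.example.internal`, local port 16443, and a kubeconfig handed over by the cluster owner (the sample below is constructed in the shape RKE2 writes).

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed hosts and port are
# placeholders; the real kubeconfig is /etc/rancher/rke2/rke2.yaml on a
# server node (root-only by default), handed to you by the cluster owner.

write_sample_kubeconfig() {
  # Constructed sample in the shape RKE2 writes (credentials are fake).
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: LS0tCONSTRUCTED
    server: https://127.0.0.1:6443
  name: default
contexts:
- context: {cluster: default, user: default}
  name: default
current-context: default
users:
- name: default
  user: {client-certificate-data: LS0tCONSTRUCTED, client-key-data: LS0tCONSTRUCTED}
EOF
}

make_local_kubeconfig() {
  # $1 source kubeconfig, $2 local tunnel port, $3 output path.
  # Only the server: line changes, so kubectl talks to the SSH tunnel;
  # umask/chmod keep the credential file readable by you alone.
  umask 077
  sed "s#^\([[:space:]]*server:\).*#\1 https://127.0.0.1:$2#" "$1" > "$3"
  chmod 600 "$3"
}

kubeconfig_is_private() {
  # 0 when group and other have no permission bits at all (mode 0600).
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

open_tunnel() {
  # $1 bastion, $2 control-plane host, $3 local port. Ordinary SSH user,
  # no sudo: the bastion merely forwards TCP 6443 to the API server.
  ssh -fN -L "127.0.0.1:$3:$2:6443" "$1"
}

# Usage (not executed here):
#   open_tunnel bastion.example.internal cp-1.example.internal 16443
#   make_local_kubeconfig rke2.yaml 16443 "$HOME/.kube/config"
#   KUBECONFIG="$HOME/.kube/config" kubectl get nodes
```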