I've mainly worked with GKE, Digital Ocean, and some self-hosted Kubernetes clusters, which automatically generate a kubeconfig file that's ready to use. Now, I want to know how to allow another user to manage just one namespace or specific resources within my cluster without giving them full admin access. I know the default kubeconfig has all admin permissions, and sharing it is not a good idea. Can I create a secondary kubeconfig file for that user with restricted permissions? Is there another method to grant limited access to the cluster? I'm aware that GCP manages permissions using authentication plugins and IAM, but how does this work in other environments? Looking forward to your insights! Thanks!
4 Answers
I found this article that might help you out! It walks through how to create a kubeconfig file, add users, and assign roles with multiple configurations. Check it out [here](https://medium.com/@abidalicu/how-to-create-a-kubeconfig-file-add-users-and-assign-roles-multiple-kubeconfig-files-in-07c8014cacfb).
You really shouldn't share your admin kubeconfig for everyday tasks. Instead, set up external authentication, like OIDC, and configure RBAC (Role-Based Access Control) for granular access. That way, you can control what specific namespaces or resources the user can access without exposing too much power.
Absolutely! Create new service accounts (SA) with RBAC rules specifically tailored to what the user needs to do. They can then use their token for authentication and form a kubeconfig from that. Using OIDC is ideal since it's secure, but keep in mind that not all managed Kubernetes services support it.
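As an added illustration of the service-account approach (example code, not from this answer or any project), the following POSIX shell script writes the namespace-scoped RBAC manifests and a kubeconfig whose only credential is the SA token. The cluster name `demo`, the server URL, the CA data and the token are placeholders to be replaced with your cluster's values.

```shell
#!/bin/sh
# Added example, not from the thread. Writes the YAML for a namespace-scoped
# ServiceAccount/Role/RoleBinding and a kubeconfig that carries only the SA token.
# Cluster name "demo", server URL, CA data and token below are placeholders.
# Emit ServiceAccount + Role + RoleBinding confined to one namespace.
# Apply with: rbac_manifest team-a deployer | kubectl apply -f -
rbac_manifest() {
  ns="$1"; sa="$2"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata: {name: $sa, namespace: $ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: ${sa}-role, namespace: $ns}
rules:
- apiGroups: ["", "apps"]
  resources: ["pods", "services", "configmaps", "deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: ${sa}-binding, namespace: $ns}
subjects:
- {kind: ServiceAccount, name: $sa, namespace: $ns}
roleRef: {kind: Role, name: ${sa}-role, apiGroup: rbac.authorization.k8s.io}
EOF
}

# Emit a kubeconfig for the SA. Token: kubectl -n "$ns" create token "$sa" --duration=8h
# CA: kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'
kubeconfig_for_sa() {
  ns="$1"; sa="$2"; server="$3"; ca_b64="$4"; token="$5"
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: demo
  cluster: {server: $server, certificate-authority-data: $ca_b64}
users:
- name: $sa
  user: {token: $token}
contexts:
- name: $sa@demo
  context: {cluster: demo, user: $sa, namespace: $ns}
current-context: $sa@demo
EOF
}
```

Because the binding is a Role rather than a ClusterRole, the resulting kubeconfig cannot read or change anything outside the named namespace, and the token's lifetime is bounded by the `--duration` you request.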
Just echoing the advice: definitely avoid using the cluster admin for day-to-day operations. It's more of a backup for emergencies. I'd recommend using service account tokens with limited permissions. Also, implementing a GitOps approach could work well—let a tool like ArgoCD handle deployment with the admin account instead.