feat(k8s): iam and rbac

bene2k1 · bene2k1 · commit 42a226404f85 · 2025-06-02T15:57:59.000+02:00
diff --git a/pages/kubernetes/how-to/manage-kubeconfig-with-iam.mdx b/pages/kubernetes/how-to/manage-kubeconfig-with-iam.mdx
@@ -0,0 +1,60 @@
+---
+meta:
+  title: How to manage Kubeconfig files with IAM
+  description: This page explains how to manage Scaleway Kubeconfig files with IAM
+content:
+  h1: How to manage Kubeconfig files with IAM
+  paragraph: This page explains how to manage Scaleway Kubeconfig files with IAM
+tags: kubernetes kapsule-cluser
+dates:
+  validation: 2025-06-02
+  posted: 2025-06-02
+categories:
+  - kubernetes
+---
+
+A Kubeconfig file serves as a repository for essential credentials required to access a Kubernetes cluster and manage deployments.  
+This file contains critical information, including cluster details, authentication data, and context information, allowing users to oversee and configure their Kubernetes clusters.
+
+Scaleway's Identity and Access Management (IAM) is now being used to generate Kubeconfig files. This integration offers several advantages:
+
+- **Improved user administration:**
+   - When removing a cluster user, there is no longer a need to reset the admin token, mitigating security risks.
+- **Increased cluster security:**
+   - Each user has unique credentials, enhancing security.
+   - Audit logs facilitate the identification of specific Kubernetes users.
+- **Enhanced application security:**
+   - Applications within the cluster are authenticated using specific tokens.
+   - This authentication method is particularly useful when a pod needs to interact with the Kubernetes API, as it can authenticate using its associated [Service Account](https://kubernetes.io/docs/concepts/security/service-accounts/).
+
+[Identity and Access Management (IAM)](/iam/concepts/#iam) provides control over resource access. IAM policies enable the configuration of permissions for Kubernetes Kapsule clusters at the Project level.
+
+An [IAM policy](/iam/concepts/#policy) defines the permissions for users, groups, and applications within an Organization. It consists of a [principal](/iam/concepts/#principal) (the user, group, or application to which it applies) and IAM rules that specify permission sets and their scope.
+
+The [combination of IAM and Kubernetes RBAC (Role-based Acccess Control)](/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) allows you to define fine-grained access levels for cluster users.
+
+<Macro id="iam-requirements" />
+
+<Message type="requirement">
+  - A Scaleway account logged into the [console](https://console.scaleway.com)
+  - [Created](/kubernetes/how-to/create-cluster) a Kubernetes Kapsule cluster
+</Message>
+
+## Setting up access
+
+1. [Create a group](/iam/how-to/create-group/) named `k8s-group` that contains the user and the application, so they are the only ones to have access to your cluster.
+2. [Create an IAM policy](/iam/how-to/create-policy/) named `k8s-policy` in the Scaleway console, with the previously created group as a [principal](/iam/concepts/#principal). Apply the corresponding IAM policy to the group. For example, `KubernetesFullAccess`.
+<Message type="tip">
+  Refer to [Setting IAM permissions and implement RBAC on a cluster](/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) for a detailed overview about the available IAM permissions and how to fine-tune them using Kubernetes RBAC.
+</Message>
+
+## Downloading the Kubeconfig file
+
+1. Click **Kubernetes** in the **Containers** section of the [Scaleway console](https://console.scaleway.com) side menu. The Kubernetes Kapsule overview displays.
+2. Click the name of the cluster you want to access. The cluster overview page displays. Click on the name of the cluster you want to manage.
+3. Scroll down to the **Download kubeconfig with IAM** section of the page.
+4. Click **Download kubeconfig**
+5. Select the API key bearer, enter a description and set the expiration date for the kubeconfig file, then click **Generate kubeconfig**.
+6. Download the kubeconfig file and export the path to start using it with `kubectl`.
+
+You can now manage your cluster using `kubectl`. For more information about this tool, refer to the [official kubectl documentation](https://kubernetes.io/docs/reference/kubectl/).
diff --git a/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx b/pages/kubernetes/reference-content/set-iam-permissions-and-implement-rbac.mdx
@@ -0,0 +1,233 @@
+---
+meta:
+  title: Setting IAM permissions and implement RBAC on a cluster
+  description: This page explains how to set IAM permissions and implement RBAC on a Scaleway Kubernetes cluster
+content:
+  h1: Setting IAM permissions and implement RBAC on a cluster
+  paragraph: This page explains how to set IAM permissions and implement RBAC on a Scaleway Kubernetes cluster
+tags: kubernetes kapsule-cluser
+dates:
+  validation: 2025-06-02
+  posted: 2025-06-02
+categories:
+  - kubernetes
+---
+
+Role-based access control (RBAC) is a native feature of Kubernetes and a method of regulating access to compute or network resources based on the roles of individual users within your Organization.
+The feature is activated on Scaleway Kubernetes Kapsule and Kosmos by default and is compatible with Scaleway's IAM service.
+IAM and RBAC work together by integrating Scaleway’s Identity and Access Management with Kubernetes' native RBAC system. This integration ensures that access permissions are consistent across both the cloud infrastructure and the Kubernetes cluster, providing a secure access control mechanism.
+It allows you to assign roles to users, groups or `ServicesAccount` via `RoleBindings` and `ClusterRoleBindings`.
+
+Key components of RBAC in Kubernetes include:
+
+- **Roles and ClusterRoles:**
+   - **Roles:** These are specific to a namespace and define a set of permissions for resources within that namespace (e.g., pods, services).
+   - **ClusterRoles:** These are similar to roles but apply cluster-wide, spanning across all namespaces.
+- **RoleBindings and ClusterRoleBindings:**
+   - **RoleBindings:** These associate a set of permissions defined in a role with a user, group, or service account within a specific namespace.
+   - **ClusterRoleBindings:** These associate a set of permissions defined in a ClusterRole with a user, group, or service account across the entire cluster.
+- **Subjects:**  A subject in RBAC can be a user, a group, or a service account to which roles or cluster roles are bound.
+- **Rules:** Rules are sets of permissions associated with roles or cluster roles. They specify what actions are allowed or denied on specific resources.
+
+RBAC works seamlessly with Scaleway's IAM (Identity and Access Maanagement) system. Refer to [How to manage Kubeconfig files with IAM](/containers/kubernetes/how-to/manage-kubeconfig-with-iam/) for information how to configure IAM permissions for your users.
+
+### Mapping IAM permission sets to Kubernetes groups
+
+The following IAM permission sets are mapped to Kubernetes groups:
+
+| IAM Permission Set             | Kubernetes Group            | Notes                    |
+|----------------------------------|-----------------------------|--------------------------|
+| KubernetesFullAccess           | scaleway:cluster-write      |                          |
+|                                | scaleway:cluster-read       |                          |
+| KubernetesReadOnly             | scaleway:cluster-read       |                          |
+| KubernetesSystemMastersGroupAccess | system:masters            | God mode                 |
+
+### Default ClusterRoleBindings
+
+Default `ClusterRoleBinding` and `ClusterRole` configurations have been set up:
+
+| Group                          | ClusterRoleBinding          | ClusterRole              |
+|----------------------------------|-----------------------------|--------------------------|
+| scaleway:cluster-write         | scaleway:cluster-write      | scaleway:cluster-write   |
+| scaleway:cluster-read          | scaleway:cluster-read       | scaleway:cluster-read    |
+
+These groups can be edited and will not be reconciled by Kapsule/Kosmos. If these roles are misconfigured and cut off access to the cluster, the IAM permission set `KubernetesSystemMastersGroupAccess` should be assigned to the application or user. This permission set allows bypassing the entire RBAC layer.
+
+Users or applications can be added to zero, one, or more IAM groups. IAM groups are mapped to Kubernetes groups in the format `scaleway:groups:GROUPID`.
+
+**Example:**
+
+```bash
+$ kubectl auth whoami
+ATTRIBUTE   VALUE
+Username    scaleway:bearer:dea0a399-af6e-4e8b-b2dd-32c9a26a174b
+UID         dea0a399-af6e-4e8b-b2dd-32c9a26a174b
+Groups      [scaleway:group:d4f154d6-a93c-4bab-a599-5f3803bd5120 scaleway:cluster-read system:authenticated]
+```
+
+## Creating a developers group with write access to dev and staging namespaces
+
+1. Create an IAM developers group:
+   - Assign the `KubernetesReadOnly` permission set to this group.
+   - Note the group ID, as it will be needed later.
+
+2. Create Namespaces and Roles:
+   - As a user/app with `KubernetesFullAccess` or `KubernetesSystemMastersGroupAccess`, create the following manifests:
+
+Namespace Creation:
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dev
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: staging
+```
+
+Role Creation for dev namespace:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: developers
+  namespace: dev
+rules:
+- apiGroups: ["*"]
+  resources: ["*"]
+  verbs: ["*"]
+- nonResourceURLs: ["*"]
+  verbs: ["*"]
+```
+
+RoleBinding Creation for dev namespace:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: developers
+  namespace: dev
+subjects:
+- kind: Group
+  name: scaleway:groups:<GROUP_ID>
+roleRef:
+  kind: Role
+  name: developers
+  apiGroup: rbac.authorization.k8s.io
+```
+
+Repeat the same operation for the staging namespace.
+
+3. Apply the Manifests:
+
+```bash
+kubectl apply -f filename.yaml
+```
+
+After these steps, members of the IAM group will have read access to the cluster and write access to the `dev` and `staging` namespaces. Permissions can be refined by modifying the `Role`.
+
+## Assigning permissions to a specific user without using a group
+
+1. **Assign the `KubernetesReadOnly` Permission Set to the User**.
+2. **Retrieve the IAM User ID** and note it.
+3. **Create the Following Manifests**:
+
+Namespace creation:
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: demo-sandbox
+```
+
+Role creation for an example namespace:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: example
+  namespace: example-sandbox
+rules:
+- apiGroups: ["*"]
+  resources: ["*"]
+  verbs: ["*"]
+- nonResourceURLs: ["*"]
+  verbs: ["*"]
+```
+
+RoleBinding creation for the example namespace:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: example
+  namespace: example-sandbox
+subjects:
+- kind: User
+  name: scaleway:bearer:<USER_ID>
+roleRef:
+  kind: Role
+  name: demo
+  apiGroup: rbac.authorization.k8s.io
+```
+
+4. Apply the manifests:
+
+```bash
+kubectl apply -f filename.yaml
+```
+
+User "demo" now has full rights in the `example-sandbox` namespace.
+
+## Limiting `cluster-read` Access
+
+To modify the `scaleway:cluster-read` permissions, use the following command:
+
+```bash
+kubectl edit clusterrole scaleway:cluster-read
+```
+
+Default content:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: scaleway:cluster-read
+rules:
+- verbs: ["get", "list", "watch"]
+  apiGroups: [""]
+  resources: ["bindings", "configmaps", "endpoints", "events", "limitranges", "namespaces", "namespaces/status", "nodes", "persistentvolumeclaims", "persistentvolumeclaims/status", "pods", "pods/log", "pods/status", "replicationcontrollers", "replicationcontrollers/scale", "replicationcontrollers/status", "resourcequotas", "resourcequotas/status", "serviceaccounts", "services", "services/status"]
+- verbs: ["get", "list", "watch"]
+  apiGroups: ["metrics.k8s.io"]
+  resources: ["pods", "nodes"]
+- verbs: ["get", "list", "watch"]
+  apiGroups: ["apps"]
+  resources: ["controllerrevisions", "daemonsets", "daemonsets/status", "deployments", "deployments/scale", "deployments/status", "replicasets", "replicasets/scale", "replicasets/status", "statefulsets", "statefulsets/scale", "statefulsets/status"]
+- verbs: ["get", "list", "watch"]
+  apiGroups: ["autoscaling"]
+  resources: ["horizontalpodautoscalers", "horizontalpodautoscalers/status"]
+- verbs: ["get", "list", "watch"]
+  apiGroups: ["batch"]
+  resources: ["cronjobs", "cronjobs/status", "jobs", "jobs/status"]
+- verbs: ["get", "list", "watch"]
+  apiGroups: ["extensions"]
+  resources: ["daemonsets", "daemonsets/status", "deployments", "deployments/scale", "deployments/status", "ingresses", "ingresses/status", "networkpolicies", "replicasets", "replicasets/scale", "replicasets/status", "replicationcontrollers/scale"]
+- verbs: ["get", "list", "watch"]
+  apiGroups: ["policy"]
+  resources: ["poddisruptionbudgets", "poddisruptionbudgets/status"]
+- verbs: ["get", "list", "watch"]
+  apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses", "ingresses/status", "networkpolicies"]
+- verbs: ["get", "list", "watch"]
+  apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["rolebindings", "roles"]
+```
