feat(k8s): iam

Author: bene2k1

menu/navigation.json

@@ -1999,6 +1999,10 @@
                     "label": "Exposing Kubernetes services to the internet",
                     "slug": "exposing-services"
                   },
+                  {
+                    "label": "Setting IAM permissions and implement RBAC on a cluster",
+                    "slug": "set-iam-permissions-and-implement-rbac"
+                  },
                   {
                     "label": "Modifying kernel parameters in a Kubernetes cluster using a DaemonSet",
                     "slug": "modifying-kernel-parameters-kubernetes-cluster"

pages/kubernetes/how-to/manage-kubeconfig-with-iam.mdx

@@ -21,35 +21,40 @@ It allows you to assign roles to users, groups or `ServicesAccount` via `RoleBin
 Key components of RBAC in Kubernetes include:
 
 - **Roles and ClusterRoles:**
-   - **Roles:** These are specific to a namespace and define a set of permissions for resources within that namespace (e.g., pods, services).
-   - **ClusterRoles:** These are similar to roles but apply cluster-wide, spanning across all namespaces.
+   - `Roles`: These are specific to a namespace and define a set of permissions for resources within that namespace (e.g., pods, services).
+   - `ClusterRoles`: These are similar to roles but apply cluster-wide, spanning across all namespaces.
 - **RoleBindings and ClusterRoleBindings:**
-   - **RoleBindings:** These associate a set of permissions defined in a role with a user, group, or service account within a specific namespace.
-   - **ClusterRoleBindings:** These associate a set of permissions defined in a ClusterRole with a user, group, or service account across the entire cluster.
+   - `RoleBindings`: These associate a set of permissions defined in a role with a user, group, or service account within a specific namespace.
+   - `ClusterRoleBindings`: These associate a set of permissions defined in a ClusterRole with a user, group, or service account across the entire cluster.
 - **Subjects:**  A subject in RBAC can be a user, a group, or a service account to which roles or cluster roles are bound.
 - **Rules:** Rules are sets of permissions associated with roles or cluster roles. They specify what actions are allowed or denied on specific resources.
 
-RBAC works seamlessly with Scaleway's IAM (Identity and Access Maanagement) system. Refer to [How to manage Kubeconfig files with IAM](/containers/kubernetes/how-to/manage-kubeconfig-with-iam/) for information how to configure IAM permissions for your users.
+RBAC works seamlessly with Scaleway's IAM (Identity and Access Maanagement) system. [Identity and Access Management (IAM)](/iam/concepts/#iam) provides control over resource access. IAM policies enable the configuration of permissions for Kubernetes Kapsule clusters at the Project level.
+
+An [IAM policy](/iam/concepts/#policy) defines the permissions for users, groups, and applications within an Organization. It consists of a [principal](/iam/concepts/#principal) (the user, group, or application to which it applies) and IAM rules that specify permission sets and their scope.
+
+The combination of IAM and Kubernetes RBAC allows you to define fine-grained access levels for cluster users.
+
 
 ### Mapping IAM permission sets to Kubernetes groups
 
 The following IAM permission sets are mapped to Kubernetes groups:
 
 | IAM Permission Set             | Kubernetes Group            | Notes                    |
 |----------------------------------|-----------------------------|--------------------------|
-| KubernetesFullAccess           | scaleway:cluster-write      |                          |
-|                                | scaleway:cluster-read       |                          |
-| KubernetesReadOnly             | scaleway:cluster-read       |                          |
-| KubernetesSystemMastersGroupAccess | system:masters            | God mode                 |
+| `KubernetesFullAccess`           | `scaleway:cluster-write`      |                          |
+|                                  | `scaleway:cluster-read`       |                          |
+| `KubernetesReadOnly`             | `scaleway:cluster-read`       |                          |
+| `KubernetesSystemMastersGroupAccess` | `system:masters`            | God mode                 |
 
 ### Default ClusterRoleBindings
 
 Default `ClusterRoleBinding` and `ClusterRole` configurations have been set up:
 
 | Group                          | ClusterRoleBinding          | ClusterRole              |
 |----------------------------------|-----------------------------|--------------------------|
-| scaleway:cluster-write         | scaleway:cluster-write      | scaleway:cluster-write   |
-| scaleway:cluster-read          | scaleway:cluster-read       | scaleway:cluster-read    |
+| `scaleway:cluster-write`         | `scaleway:cluster-write`      | `scaleway:cluster-write`   |
+| `scaleway:cluster-read`          | `scaleway:cluster-read`       | `scaleway:cluster-read`    |
 
 These groups can be edited and will not be reconciled by Kapsule/Kosmos. If these roles are misconfigured and cut off access to the cluster, the IAM permission set `KubernetesSystemMastersGroupAccess` should be assigned to the application or user. This permission set allows bypassing the entire RBAC layer.
 
@@ -60,134 +65,134 @@ Users or applications can be added to zero, one, or more IAM groups. IAM groups
 ```bash
 $ kubectl auth whoami
 ATTRIBUTE   VALUE
-Username    scaleway:bearer:dea0a399-af6e-4e8b-b2dd-32c9a26a174b
-UID         dea0a399-af6e-4e8b-b2dd-32c9a26a174b
-Groups      [scaleway:group:d4f154d6-a93c-4bab-a599-5f3803bd5120 scaleway:cluster-read system:authenticated]
+Username    scaleway:bearer:de60e2b8-d590-4770-94bc-93b639382fb5
+UID         de60e2b8-d590-4770-94bc-93b639382fb5
+Groups      [scaleway:group:55eb7ac5-9afe-4e40-8d54-4fbb232cac21 scaleway:cluster-read system:authenticated]
 ```
 
 ## Creating a developers group with write access to dev and staging namespaces
 
-1. Create an IAM developers group:
+1. Create an [IAM group](/iam/how-to/create-group/) called `developers`:
    - Assign the `KubernetesReadOnly` permission set to this group.
    - Note the group ID, as it will be needed later.
 
-2. Create Namespaces and Roles:
-   - As a user/app with `KubernetesFullAccess` or `KubernetesSystemMastersGroupAccess`, create the following manifests:
-
-Namespace Creation:
-
-```yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: dev
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: staging
-```
-
-Role Creation for dev namespace:
-
-```yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: developers
-  namespace: dev
-rules:
-- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["*"]
-- nonResourceURLs: ["*"]
-  verbs: ["*"]
-```
-
-RoleBinding Creation for dev namespace:
-
-```yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: developers
-  namespace: dev
-subjects:
-- kind: Group
-  name: scaleway:groups:<GROUP_ID>
-roleRef:
-  kind: Role
-  name: developers
-  apiGroup: rbac.authorization.k8s.io
-```
-
-Repeat the same operation for the staging namespace.
+2. Create namespaces and roles:
+   As a user/app with `KubernetesFullAccess` or `KubernetesSystemMastersGroupAccess`, create the following manifests:
+
+    Namespace creation:
+
+    ```yaml
+    apiVersion: v1
+    kind: Namespace
+    metadata:
+      name: dev
+    ---
+    apiVersion: v1
+    kind: Namespace
+    metadata:
+      name: staging
+    ```
+
+    Role creation for dev namespace:
+
+    ```yaml
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      name: developers
+      namespace: dev
+    rules:
+    - apiGroups: ["*"]
+      resources: ["*"]
+      verbs: ["*"]
+    - nonResourceURLs: ["*"]
+      verbs: ["*"]
+    ```
+
+    RoleBinding Creation for dev namespace:
+
+    ```yaml
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: developers
+      namespace: dev
+    subjects:
+    - kind: Group
+      name: scaleway:groups:<GROUP_ID>
+    roleRef:
+      kind: Role
+      name: developers
+      apiGroup: rbac.authorization.k8s.io
+    ```
+
+    Repeat the same operation for the staging namespace.
 
 3. Apply the Manifests:
 
-```bash
-kubectl apply -f filename.yaml
-```
+  ```bash
+  kubectl apply -f filename.yaml
+  ```
 
 After these steps, members of the IAM group will have read access to the cluster and write access to the `dev` and `staging` namespaces. Permissions can be refined by modifying the `Role`.
 
 ## Assigning permissions to a specific user without using a group
 
-1. **Assign the `KubernetesReadOnly` Permission Set to the User**.
-2. **Retrieve the IAM User ID** and note it.
-3. **Create the Following Manifests**:
-
-Namespace creation:
-
-```yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: demo-sandbox
-```
-
-Role creation for an example namespace:
-
-```yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: example
-  namespace: example-sandbox
-rules:
-- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["*"]
-- nonResourceURLs: ["*"]
-  verbs: ["*"]
-```
-
-RoleBinding creation for the example namespace:
-
-```yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: example
-  namespace: example-sandbox
-subjects:
-- kind: User
-  name: scaleway:bearer:<USER_ID>
-roleRef:
-  kind: Role
-  name: demo
-  apiGroup: rbac.authorization.k8s.io
-```
+1. Assign the `KubernetesReadOnly` Permission Set to the User.
+2. Retrieve the **IAM user ID** and note it.
+3. Create the following Manifests:
+
+    Namespace creation:
+
+    ```yaml
+    apiVersion: v1
+    kind: Namespace
+    metadata:
+      name: demo-sandbox
+    ```
+
+    Role creation for an example namespace:
+
+    ```yaml
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      name: example
+      namespace: example-sandbox
+    rules:
+    - apiGroups: ["*"]
+      resources: ["*"]
+      verbs: ["*"]
+    - nonResourceURLs: ["*"]
+      verbs: ["*"]
+    ```
+
+    RoleBinding creation for the example namespace:
+
+    ```yaml
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: example
+      namespace: example-sandbox
+    subjects:
+    - kind: User
+      name: scaleway:bearer:<USER_ID>
+    roleRef:
+      kind: Role
+      name: demo
+      apiGroup: rbac.authorization.k8s.io
+    ```
 
 4. Apply the manifests:
 
-```bash
-kubectl apply -f filename.yaml
-```
+  ```bash
+  kubectl apply -f filename.yaml
+  ```
 
-User "demo" now has full rights in the `example-sandbox` namespace.
+  The user "demo" now has full rights in the `example-sandbox` namespace.
 
-## Limiting `cluster-read` Access
+## Limiting cluster-read Access
 
 To modify the `scaleway:cluster-read` permissions, use the following command: