From @sethpollack's / @shadoi's research and elbow grease comes:
https://gist.github.com/chrislovecnm/813d841cc93043f6c5311bf7a6fc2fae
Let's document it better for 1.5 and 1.6. Take the above gist and convert it into a document under the docs directory. My take is to have this information live in a new document, since RBAC is going to get more fun in 1.6.
@shadoi - pinging you on this as well
@chrislovecnm I'd like to share some of the info I've gathered. Some from the web and some from watching PRs/issues.
Interesting links:
Awesome thanks!
The new k8s docs for RBAC are a huge improvement: https://kubernetes-io-vnext-staging.netlify.com/docs/admin/authorization/rbac/
Should point at them once they're live. Targeting 1.6 for docs and examples will make the most sense anyway.
I have a CLI login example if you want to include it (though it's frowned upon by the oauth gods): https://gist.github.com/blakebarnett/44009b7fc7f7f3f81fe9bfb4e1ebcf46
More of an example to use for testing and to expand upon. Our actual login script has a bunch of other integration for our environment.
@chrislovecnm hey, thanks for putting this together. I followed the tips in the gist, but I can no longer log on. I assume it has to do with the Kube API config. Is there a specific process for rolling this out well?
> kubectl get nodes
Unable to connect to the server: net/http: TLS handshake timeout
> kops version
Version 1.5.3
> kubectl version
Client Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.1", GitCommit:"b0b7a323cc5a4a2019b2e9520c21c7830b7f708e", GitTreeState:"clean", BuildDate:"2017-04-03T23:37:30Z", GoVersion:"go1.8", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"4", GitVersion:"v1.4.4", GitCommit:"3b417cc4ccd1b8f38ff9ec96bb50a81ca0ea9d56", GitTreeState:"clean", BuildDate:"2016-10-21T02:42:39Z", GoVersion:"go1.6.3", Compiler:"gc", Platform:"linux/amd64"}
I think you'll need to upgrade your cluster to k8s 1.5.x to get it working properly. Also if you're still getting errors using -v=10 is helpful to see what kubectl is doing.
The major gotcha I found was that the IssuerURL needs to be identical everywhere in all configs/daemon args, etc. Trailing slash may break things, etc.
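The exact-match requirement described above, as an added check that is not part of the original thread or of kops: it pulls the issuer from the kube-apiserver `--oidc-issuer-url` flag and from the kubectl oidc auth-provider's `idp-issuer-url`, and reports a trailing-slash mismatch separately from a real host/path difference. The sample command line and kubeconfig entry are constructed for illustration.

```python
"""Check that the OIDC issuer URL is byte-for-byte identical in every
place it is configured. OIDC compares issuer strings exactly, so a
trailing slash alone is enough to break ID-token validation."""
import shlex
from urllib.parse import urlsplit

# Constructed sample: apiserver flags carrying a trailing slash.
APISERVER_CMDLINE = (
    "kube-apiserver --oidc-issuer-url=https://accounts.example.com/ "
    "--oidc-client-id=kubernetes --oidc-username-claim=email"
)

# Constructed sample: kubeconfig 'users' entry for the oidc auth-provider
# (the form kubectl 1.5/1.6 understood), written without the slash.
KUBECONFIG_USER = {
    "name": "dev",
    "user": {"auth-provider": {"name": "oidc", "config": {
        "idp-issuer-url": "https://accounts.example.com",
        "client-id": "kubernetes",
    }}},
}


def issuer_from_apiserver_args(cmdline):
    """Return the value of --oidc-issuer-url, or None if absent."""
    for arg in shlex.split(cmdline):
        if arg.startswith("--oidc-issuer-url="):
            return arg.split("=", 1)[1]
    return None


def issuer_from_kubeconfig_user(user_entry):
    """Return idp-issuer-url from a kubeconfig user entry, or None."""
    cfg = user_entry["user"].get("auth-provider", {}).get("config", {})
    return cfg.get("idp-issuer-url")


def issuer_mismatches(*issuers):
    """List reasons the given issuer strings would not be accepted as
    the same issuer; an empty list means they are consistent."""
    problems = []
    distinct = set(issuers)
    if len(distinct) > 1:
        if len({u.rstrip("/") for u in distinct}) == 1:
            problems.append("trailing slash differs between configs")
        else:
            problems.append("issuer hosts or paths differ: %s" % sorted(distinct))
    for u in sorted(distinct):
        if urlsplit(u).scheme != "https":  # apiserver requires https issuers
            problems.append("%s is not https" % u)
    return problems
```

Running it over the two constructed inputs reports only the trailing-slash difference, which is the failure mode the comment above describes.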
Anyone done this with 1.6?
Any updates on this?
I think since there are MANY ways to handle RBAC the best we can do is point to the official docs, we already document how to enable it in the cluster spec.
@blakebarnett we probably should have a security best practices document, instead of just an RBAC document. Thoughts?
We are going with RBAC by default with the next 1.9 release on newly created clusters. So I think that we need to document how to migrate existing clusters created with Kops <=1.8.
Now 1.9 is released. Can we document how to enable it in the old clusters after the upgrade?
There is a Kops section "Update an already existing cluster switching to RBAC". /cc @pracucci It could be nice if you can open a PR here to contribute the documentation.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
/close
We'll need to do a refresh on the RBAC story when we make a docs push, but this issue relates to some far earlier version of RBAC in kops clusters.
@geojaz: Closing this issue.
In response to this:
/close
We'll need to do a refresh on the RBAC story when we make a docs push, but this issue relates to some far earlier version of RBAC in kops clusters.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.