Skip to content

Authenticate to Kubernetes with Keystone

Authenticate to Kubernetes with Keystone

In some use cases, a kubernetes cluster owner might want to allow access to users outside of the OpenStack project where the cluster lives. For example, user userfoo may need to have write access to the kubernetes namespace namespace-a and not in other namespaces. In another example, the users in the OpenStack project projectbar may need access to the kubernetes namespace namespace-a. The first four sections assume that you are the owner or a member in the project of the cluster.

Enable the webhook for your cluster

To enable this feature you need to have the keystone_auth_enabled label set to true in your cluster template, or set the label when creating a cluster.

$ openstack coe cluster create <name> --cluster-template <cluster-template> \
    --merge-labels \
    --labels keystone_auth_enabled=true

Retrieve the administrator credentials

You can retrive the admin credentials like described in quickstart page. For this tutorial let's store the credentials in the directory $HOME/tutorial-k8s-keystone-auth. The administrator kubeconfig will be stored in $HOME/tutorial-k8s-keystone-auth/config

$ mkdir -p $HOME/tutorial-k8s-keystone-auth
$ cd $HOME/tutorial-k8s-keystone-auth
$ openstack coe cluster config <cluster name> --dir $HOME/tutorial-k8s-keystone-auth

Create rolebindings for users outside the cluster project

In this step, we will create two rolebindings. One for write access for user userfoo and one for read access for group projectbar.

$ export KUBECONFIG="$HOME/tutorial-k8s-keystone-auth/config"
$ kubectl create rolebinding  userfoo-edit-ns-a --clusterrole=edit --user userfoo --namespace=namespace-a
rolebinding.rbac.authorization.k8s.io "userfoo-edit-ns-a" created
$
$ kubectl create rolebinding  projectbar-view-ns-a --clusterrole=view --group projectbar --namespace=namespace-a
rolebinding.rbac.authorization.k8s.io "projectbar-view-ns-a" created

Client configuration

You can create a kubeconfig file which uses tokens created by keystone.. You can share this kubeconfig file safely, since it does not contain credentials. Let's store this file in $HOME/tutorial-keystone-creds/.

openstack coe cluster config <cluster name> --use-keystone --dir $HOME/tutorial-keystone-creds/

Authenticate as user userfoo

To authenticate with kubernetes you need to issue a token and export it as an environmental variable:

$ export OS_TOKEN=$(openstack token issue -c id -f value)
$ export KUBECONFIG="$HOME/tutorial-keystone-creds/config"
$ kubectl get po -n namespace-a
NAME                        READY     STATUS    RESTARTS   AGE
httpd-01-5866c4f8ff-jbdp8   1/1       Running   0          2h
$ kubectl get po -n namespace-b
Error from server (Forbidden): pods is forbidden: User "userfoo" cannot list resource "pods" in API group "" in the namespace "namespace-b"

Similarly a user in projectbar has read access (but not write) to namespace-a but not write access.

$ export OS_TOKEN=$(openstack token issue -c id -f value)
$ export KUBECONFIG="$HOME/tutorial-keystone-creds/config"
$ kubectl get po -n namespace-a
NAME                        READY     STATUS    RESTARTS   AGE
httpd-01-5866c4f8ff-jbdp8   1/1       Running   0          2h
$ kubectl -n namespace-a run  --image nginx ngnix-01
Error from server (Forbidden): deployments.extensions is forbidden: User ""userbar cannot create resource "deployments" in API group "extensions" in the namespace "namespace-a"
$ kubectl get po -n namespace-b
Error from server (Forbidden): pods is forbidden: User "userbar" cannot list resource "pods" in API group "" in the namespace "namespace-b"

Last update: January 6, 2021