Multi-user MicroK8s

MicroK8s is inherently multi-user capable in the sense that any user added to
the microk8s group can run commands against the cluster.

In some circumstances, it may be desirable to have a degree of user-isolation, e.g. when multiple users are accessing a MicroK8s cluster. MicroK8s is a full implementation of Kubernetes, and therefore any existing strategy for handling multiple users can be applied. There is extensive upstream documentation relating to managing users.

As a guide though, the following steps are recommended.

1. Enable Role Based Access Control (RBAC):

```bash
microk8s enable rbac
```
2. If required, create a specific namespace for the user (in this case, `alice`) by generating and applying a namespace object such as:

`namespace.json`:

```json
{
  "apiVersion": "v1",
  "kind": "Namespace",
  "metadata": {
    "name": "alice",
    "labels": {
      "name": "alice"
    }
  }
}
```

```bash
microk8s kubectl apply -f namespace.json
```

3. Create and apply a rolebinding.

RBAC uses roles to control what aspects of a namespace can be viewed and/or modified. (see upstream rbac documentation)

E.g. to allow read access to pods in the `alice` namespace:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: alice
  name: alice-pods
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```

Save this to a file (for example `role.yaml`) and apply it with `microk8s kubectl apply -f role.yaml`. To bind this role to the user, run:

```bash
microk8s kubectl create rolebinding rolebindingname --namespace alice --role alice-pods --user alice
```

Since a Role is namespaced, the RoleBinding must be created in the same namespace (`alice`) or it will not reference the role just created.
4. Install kubectl:

```bash
sudo snap install kubectl
```

This installs a standalone version of the kubectl command, which can be used
instead of the built-in MicroK8s version of kubectl.

5. Authenticate the user.

There are different ways of authenticating users for Kubernetes; x509 client certificates are recommended. See the upstream documentation for the supported methods.

6. Create a local kubectl config.

You can run the command:

```bash
microk8s config
```

…to output the contents of the configuration file used by MicroK8s. This can be used as the basis for a user config file; bear in mind that the user entry and its credentials must be replaced so that they match the user and the authentication method chosen in the previous step.
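The steps above, collected into one script as an added example (this is not code from the MicroK8s project). It assumes the user's x509 certificate and key files already exist, that `microk8s config` works on the host, and that the flat layout of that output makes a line match sufficient to pull out the server URL and CA data; the `user-setup.sh` name and the `admin_field`/`user_kubeconfig` helpers are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the MicroK8s docs: namespace-scoped user "alice"
# authenticated with an x509 client certificate, then verified with `auth can-i`.
# Assumes the user's cert/key files already exist and `microk8s config` works here.
set -eu

# Pull one field out of `microk8s config` output; it has a single cluster and
# a single user, so a first-line match is enough (assumption, not a YAML parser).
admin_field() {  # $1=admin kubeconfig path  $2=server | certificate-authority-data
  grep "^ *$2:" "$1" | head -n 1 | sed 's/^[^:]*: *//'
}

# User kubeconfig: cluster (server + CA) copied from the admin config, the admin
# credentials replaced by the user's own cert/key, their namespace set as default.
user_kubeconfig() {  # $1=user $2=namespace $3=server $4=ca-data $5=cert $6=key
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: microk8s-cluster
  cluster:
    server: $3
    certificate-authority-data: $4
users:
- name: $1
  user:
    client-certificate: $5
    client-key: $6
contexts:
- name: $1@microk8s
  context:
    cluster: microk8s-cluster
    user: $1
    namespace: $2
current-context: $1@microk8s
EOF
}
# Usage: ./user-setup.sh apply alice /path/alice.crt /path/alice.key
if [ "${1:-}" = "apply" ]; then
  user=$2; cert=$3; key=$4
  microk8s config > admin.kubeconfig
  microk8s kubectl create namespace "$user"
  microk8s kubectl create role "$user-pods" -n "$user" --verb=get,list,watch --resource=pods
  microk8s kubectl create rolebinding "$user-pods" -n "$user" --role="$user-pods" --user="$user"
  user_kubeconfig "$user" "$user" "$(admin_field admin.kubeconfig server)" \
    "$(admin_field admin.kubeconfig certificate-authority-data)" "$cert" "$key" > "$user.kubeconfig"
  # Role and binding are namespaced, so the cluster-wide check should print "no".
  kubectl --kubeconfig "$user.kubeconfig" auth can-i list pods -n "$user"
  kubectl --kubeconfig "$user.kubeconfig" auth can-i list pods --all-namespaces || true
fi
```

The two `auth can-i` checks at the end are the quickest way to confirm the binding is scoped as intended: "yes" inside the user's namespace, "no" cluster-wide.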
