Restrict who can issue kubectl command

Hi. We’re trying to set up an Atlassian Bamboo CI/CD pipeline and we haven’t gone fully automatic yet. So deploying to the production environment is still restricted to certain people with permission. To achieve that we have put an IP restriction, so any calls that come from hosts that are not in the access list are rejected. That means we need to have one separate Bamboo host (or slave) just to be able to control production deployment. Is there a way to secure the kubectl command with some authentication parameters, without which the command won’t pass through?

Cluster information:

Kubernetes version: 1.12.2

Cloud being used: bare-metal

Installation method: from scratch

Host OS: Redhat 7

CNI and version: Weave; version 2.5

CRI and version: docker; version: 18.03.1

Yes. Check the authz and authn documents on the Kubernetes website.

We are using dex+gangway (two open source projects, but there are of course many others) for authentication and Kubernetes RBAC rules for authorization. It may sound complicated, but once you have all the concepts in your mind it will seem simple 🙂

Don’t hesitate to ask if you have any issues!

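How the RBAC side of the approach in the answer above can look, as an added example (not the posters' configuration): a Role that allows deploying in one namespace, bound to a group taken from the OIDC token that dex issues. The namespace `production`, the group `prod-deployers`, the `oidc:` prefix and the issuer URL are assumptions.

```yaml
# Added example; all names and URLs are assumed placeholders.
# kube-apiserver flags this relies on (OIDC authentication + RBAC authorization):
#   --authorization-mode=Node,RBAC
#   --oidc-issuer-url=https://dex.example.com   # placeholder issuer
#   --oidc-client-id=kubernetes                 # placeholder client id
#   --oidc-username-claim=email
#   --oidc-groups-claim=groups
#   --oidc-groups-prefix=oidc:                  # keeps OIDC groups apart from built-in ones

# Role: what a production deployer may do, scoped to a single namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: production
rules:
  # Manage Deployments (both API groups are served on 1.12).
  - apiGroups: ["apps", "extensions"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  # Read-only access to pods and their logs, to check a rollout.
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# RoleBinding: grants the Role to members of one OIDC group only.
# Users whose token lacks this group get "Forbidden" from the API server,
# whichever host they run kubectl from.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prod-deployers
  namespace: production
subjects:
  - kind: Group
    name: "oidc:prod-deployers"   # groups claim value plus the assumed prefix
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
```

With no other bindings in place, `kubectl auth can-i create deployments -n production --as someone@example.com --as-group oidc:prod-deployers` answers `yes`, and the same command without `--as-group` answers `no`.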