Authentication for Managed Kubernetes

Platform9 leverages Keystone, an open source component part of the OpenStack project designed to support API client authentication and service discovery. Each Managed Kubernetes deployment comes with a dedicated instance of Keystone. Managed Kubernetes Cluster API servers are configured to delegate every authentication request to Keystone. You can learn more about OpenStack Keystone here.

A user that has a role configured on a tenant can create one or more clusters, and perform all cluster-related operations on that tenant.

Any Keystone user with the Admin role on the Keystone tenant foo is authorized to access, create, update and delete clusters on the tenant foo. The Keystone user has access to every cluster on the tenant foo.

Example

To enable Keystone user bob to access, create, update, and delete clusters on the tenant dev, follow the steps given below.

  1. Log in to the Platform9 Clarity UI as the global administrator.
  2. In the Platform9 Clarity UI, create the tenant dev.
  3. Assign bob the Admin role in the tenant dev.

When bob logs in to the Platform9 Clarity UI, he is logged in to the tenant dev, and he can perform all cluster-related operations on every cluster on the tenant dev.

Note:During the upgrade to version 2.6, existing clusters are associated with the service tenant. Any users of an existing cluster must be assigned the Admin role on the service tenant. You must download the new kubeconfig file for release 2.6 as the previously downloaded kubeconfig file would be invalid.


May 17, 2017