Authenticate to Platform9 Managed Kubernetes

Any Keystone user with the admin role in the Keystone tenant foo is authorized to make namespaced resource requests (e.g. create a Deployment) in the Kubernetes namespace foo. The mapping is by name: that user has access to the namespace foo in any cluster that contains a namespace of that name. Additionally, any Keystone user with the admin role in the Keystone tenant service is authorized to make namespaced resource requests (e.g. create a Deployment) in all Kubernetes namespaces of all clusters.

Examples

To allow Keystone user bob to create, update, and delete resources only in the namespace dev in the clusters cluster1 and cluster2:

  1. In the UI, create the tenant dev. Select cluster1 and cluster2 from the list of clusters. A dev namespace will be created in each cluster automatically.
  2. Give bob the admin role in the dev tenant.

To allow Keystone user alice access to all namespaces in all clusters (this is cluster-wide administrative access on every cluster, so grant it sparingly):

  1. Give alice the admin role in the service tenant.

Authorization Policy Details

Kubernetes API requests fall into three categories: namespaced resources, non-namespaced resources, and non-resources. Below are the policies enforced for each category:

Namespaced resources (e.g., pods, services)

All verbs for a user with the admin role in the tenant of the same name as the namespace, or in the service tenant.

Non-namespaced resources (e.g., nodes, persistentvolumes)

All verbs for a user with the admin role in the service tenant. Read-only verbs (get, list, watch) for a user with the admin role in any other tenant.

Non-resources (e.g., /version, /swaggerapi/*)

The non-resource endpoints that kubectl and other API clients need in order to function (such as the examples above) are readable by every authenticated user. All verbs on all non-resources for a user with the admin role in the service tenant.
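The following is an added example, not Platform9 code: a small Python model of the policy described in the Examples and Authorization Policy Details sections, written in the shape of a Kubernetes SubjectAccessReview (resource attributes or a non-resource path) so the three categories can be exercised for users like bob, alice, and a user who holds only a non-admin role. The KUBECTL_PATHS allowlist is an assumption; the page names only /version and /swaggerapi/* as examples of the endpoints every client needs.

```python
"""Model of the Keystone-tenant -> Kubernetes-namespace authorization policy.

Added example, not Platform9's implementation. It mirrors the three request
categories from the page: namespaced resources, non-namespaced resources and
non-resources. KUBECTL_PATHS is an assumed allowlist of the non-resource
endpoints every authenticated client needs; only /version and /swaggerapi/*
are named on the page, the discovery paths are added because kubectl uses them.
"""
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Optional

ADMIN_ROLE = "admin"
SERVICE_TENANT = "service"

# Read-only verbs as Kubernetes names them for resource requests ...
RESOURCE_READ_VERBS = frozenset({"get", "list", "watch"})
# ... and for non-resource requests, where the verb is the lowercased HTTP method.
NONRESOURCE_READ_VERBS = frozenset({"get"})

# Assumption: non-resource path prefixes every authenticated user may read.
KUBECTL_PATHS = ("/version", "/swaggerapi/", "/api", "/apis", "/openapi/")


@dataclass(frozen=True)
class Request:
    """Subset of a SubjectAccessReview spec: either resource (+ namespace for
    namespaced resources) or path (for non-resources) is set, never both."""
    verb: str
    resource: Optional[str] = None
    namespace: Optional[str] = None
    path: Optional[str] = None


@dataclass(frozen=True)
class User:
    name: str
    roles: Mapping[str, FrozenSet[str]]  # Keystone tenant -> roles held in it

    def admin_tenants(self) -> FrozenSet[str]:
        return frozenset(t for t, r in self.roles.items() if ADMIN_ROLE in r)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(user: User, req: Request) -> Decision:
    admin_tenants = user.admin_tenants()
    service_admin = SERVICE_TENANT in admin_tenants

    if req.path is not None:  # category 3: non-resource
        if service_admin:
            return Decision(True, "admin in service tenant: all verbs on non-resources")
        if req.verb in NONRESOURCE_READ_VERBS and req.path.startswith(KUBECTL_PATHS):
            return Decision(True, "client bootstrap endpoint readable by every user")
        return Decision(False, f"{req.verb} {req.path} needs admin in service tenant")

    if req.namespace:  # category 1: namespaced resource
        if service_admin:
            return Decision(True, "admin in service tenant: all namespaces")
        if req.namespace in admin_tenants:
            return Decision(True, f"admin in tenant {req.namespace!r} maps to that namespace")
        return Decision(False, f"no admin role in tenant {req.namespace!r}")

    # category 2: non-namespaced (cluster-scoped) resource
    if service_admin:
        return Decision(True, "admin in service tenant: all verbs on cluster-scoped resources")
    if admin_tenants and req.verb in RESOURCE_READ_VERBS:
        return Decision(True, "admin in some tenant: read-only on cluster-scoped resources")
    return Decision(False, f"{req.verb} {req.resource} needs admin in service tenant")


if __name__ == "__main__":
    # Constructed users matching the page's examples plus a non-admin member.
    bob = User("bob", {"dev": frozenset({"admin"})})
    alice = User("alice", {"service": frozenset({"admin"})})
    carol = User("carol", {"dev": frozenset({"member"})})
    probes = [
        Request("create", resource="deployments", namespace="dev"),
        Request("create", resource="deployments", namespace="prod"),
        Request("list", resource="nodes"),
        Request("delete", resource="nodes"),
        Request("get", path="/version"),
        Request("post", path="/swaggerapi/foo"),
    ]
    for u in (bob, alice, carol):
        for p in probes:
            d = authorize(u, p)
            print(f"{u.name:6} {p.verb:7} {p.resource or p.path:24} "
                  f"ns={p.namespace or '-':5} {'ALLOW' if d.allowed else 'DENY '} {d.reason}")
```

The model shows the two points worth checking in a real cluster: the namespace grant is keyed purely on the tenant name, and a user holding only a non-admin role in a tenant gets nothing beyond the client bootstrap endpoints, whereas an admin in any tenant can read cluster-scoped objects such as nodes in every cluster.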