Skip to main content

K8s RBAC Management

Runtime Environment - Permissions Tab

"Want the dev team to only access the dev namespace, and the ops team to only access the prod namespace?" KIWI's RBAC management feature lets you finely control Kubernetes cluster access by team and role.

Why is RBAC Important?

Giving all users full cluster access increases the risk of accidents causing outages. RBAC helps you grant "only the permissions needed to those who need them," improving security and stability.

What is RBAC?

RBAC (Role-Based Access Control) is how Kubernetes defines "who can do what." Think of it like a company's access card system. Just as each employee can only access their department and necessary spaces, RBAC ensures users can only access the resources they need.

KIWI's RBAC Structure

  • KIWI ServiceAccount: A K8s ServiceAccount managed by KIWI. It serves as an identity for accessing resources within the cluster.
  • Namespace Binding: Grants permissions for specific namespaces to a ServiceAccount. Multiple namespaces can be bound to a single SA.
  • User Assignment: Assigns a ServiceAccount to KIWI users. Assigned users access the cluster with the SA's permissions.
  • Permission Inheritance: Users inherit all namespace permissions from their assigned ServiceAccount.

Permission Levels

KIWI supports three permission levels. Grant only the minimum permissions needed.

  • admin: Can manage all resources within the namespace. Suitable for operations teams or administrators.
  • edit: Can create/modify/delete resources but cannot change RBAC settings. Suitable for development teams.
  • view: Read-only access only. Suitable for monitoring or auditing purposes.
Principle of Least Privilege

For security, follow the "principle of least privilege." Granting users only the minimum permissions they need minimizes damage from mistakes or malicious actions.

Prerequisites

  • A Kubernetes cluster must be registered in KIWI
  • Administrator access to the cluster is needed.

Permission Notice: If you cannot access this feature, please request permission from your organization manager.

ServiceAccount Management

Step 1: Navigate to RBAC Management Tab

  1. Click [Runtime Environment] in the left menu
  2. Select the target Kubernetes cluster.
  3. Click the RBAC tab on the cluster detail page

Step 2: Create ServiceAccount

  1. Click the Add ServiceAccount button.
  2. Enter SA information:
    • Name: ServiceAccount name (e.g., developer-sa)
    • Description: SA purpose description (e.g., SA for development team access)
  3. Click the Create button.

The created SA will be created in kube-system or the specified namespace.

Step 3: Add Namespace Binding

Grant specific namespace permissions to the SA.

  1. Click the Add Binding button on the created SA row
  2. Configure binding information:
    • Namespace: Select namespace to grant permissions.
    • Role: Select admin / edit / view
  3. Click the Add button.

Multiple bindings can be configured by repeating for different namespaces.

Step 4: Sync to Cluster

  1. Click the Sync to Cluster button.
  2. KIWI creates the following resources in the K8s cluster:
    • ServiceAccount
    • RoleBinding (for each namespace)
  3. Confirm the sync completion message

Assign SA to Users

Step 1: Navigate to SA Assignment Tab

  1. Go to the User Assignment section in the RBAC tab
  2. Or click the SA Assignment Management button.

Step 2: Select User and Assign SA

  1. Search for the user to assign
  2. Click the Assign SA button on the user row
  3. Select the ServiceAccount to assign
  4. Click the Assign button.

Step 3: Verify Assignment

Once assignment is complete:

  • The user can access namespaces bound to the SA
  • Resources in those namespaces are displayed in the user's KIWI UI

SA Token Generation

Generate tokens for use with external tools or CI/CD.

Step 1: Generate Token

  1. Select the target SA from the SA list
  2. Click the Generate Token button.
  3. Set token options:
    • Expiration Period: Token validity period (e.g., 30 days, 90 days, 1 year)
  4. Click the Generate button.

Step 2: Copy Token

  1. The generated token is displayed.
  2. Copy the token to clipboard using the Copy button.

Note: The token is only displayed once upon generation. Store it in a secure location.

Step 3: Use Token

Example of using kubectl with the generated token:

kubectl --token=<generated-token> --server=<cluster-api-server> get pods -n <namespace>

Check My K8s Permissions

Users can check their assigned K8s permissions.

How to Check

  1. Click the Profile icon in the upper right corner.
  2. Click My K8s Permissions or K8s Access Permissions menu
  3. The assigned SA and accessible namespace list is displayed.

Displayed Information

  • Cluster: Shows the list of accessible K8s clusters. All clusters where you have permissions are listed.
  • ServiceAccount: Shows the ServiceAccount name assigned in each cluster.
  • Namespaces: List of namespaces accessible through the SA. All bound namespaces are listed.
  • Role: Shows the permission level (admin/edit/view) for each namespace.

SA Management Tasks

Modify ServiceAccount

  1. Click the target SA from the SA list
  2. Click the Edit button.
  3. Modify description or bindings.
  4. Click Save, then click Sync to Cluster

Remove Namespace Binding

  1. Check the binding list in SA details.
  2. Click the Delete button next to the binding to remove.
  3. Click Sync to Cluster

Unassign User SA

  1. Find the target user in the user assignment list
  2. Click the Unassign button.
  3. Click Unassign in the confirmation dialog

Delete ServiceAccount

  1. Select the target SA from the SA list
  2. Click the Delete button.
  3. Click Delete in the confirmation dialog
  4. The SA and related RoleBindings are deleted from the K8s cluster.

Caution: Deleting an SA immediately removes access permissions for users using that SA.

Import SA from Cluster

You can import existing ServiceAccounts from the cluster into KIWI.

Step 1: Start Import

  1. Click the Import from Cluster button in the RBAC tab
  2. KIWI queries the cluster's SA list

Step 2: Select SA

  1. Select SAs to import using checkboxes.
  2. Existing RoleBinding information is also displayed.
  3. Click the Import button.

Step 3: Manage in KIWI

Imported SAs are managed in KIWI:

  • Add/remove bindings
  • Assign users
  • Generate tokens

Practical Use Scenarios

Scenario 1: Grant Namespace Access to Development Team

Situation: Grant edit permission for dev namespace to 3 development team members.

Steps:

  1. Create SA: dev-team-sa
  2. Namespace binding: devedit role.
  3. Sync to cluster.
  4. Assign SA to 3 development team users.

Scenario 2: Operations Team Multi-Namespace Management

Situation: Grant management permissions for prod, staging namespaces to operations team

Steps:

  1. Create SA: ops-team-sa
  2. Namespace bindings:
    • prodadmin role.
    • stagingadmin role.
  3. Sync to cluster.
  4. Assign SA to operations team users.

Scenario 3: External Monitoring Tool Integration

Situation: External monitoring tool needs read-only access to the cluster.

Steps:

  1. Create SA: monitoring-readonly-sa
  2. Namespace binding: All namespaces → view role.
  3. Sync to cluster.
  4. Generate SA token
  5. Configure token in monitoring tool

Troubleshooting

SA Sync Failure

  • When permission error occurs: The ServiceAccount used by KIWI lacks permissions to create RBAC resources. Request ClusterRole and RoleBinding creation permissions from the cluster administrator.
  • When namespace not found: The namespace you're trying to bind doesn't exist in the cluster. Create the namespace first and try again.
  • When connection failure occurs: There's a network connection issue with the cluster. Check the cluster connection status on the Runtime Environment page and reconnect if necessary.

User Cannot Access Resources

  • Cause 1: SA not assigned → Check SA assignment.
  • Cause 2: No namespace binding → Add binding.
  • Cause 3: Not synced → Execute sync to cluster.

Token Not Working

  • Expired: Generate new token
  • SA deleted: Check SA status.
  • Network issue: Verify API server accessibility.

Security Recommendations

Security best practices for operating RBAC safely.

Security is an Ongoing Process

RBAC configuration isn't a one-time setup. Review and update it regularly.

  1. Principle of Least Privilege: Grant users only the minimum permissions they need. Don't give extra permissions "just in case."

  2. Regular Review: Review SA assignments and bindings quarterly. Clean up permissions that are no longer needed due to departures or project completions.

  3. Token Management: Delete unused tokens immediately. Token leaks can lead to security incidents.

  4. Audit Log Review: Regularly check RBAC changes. Monitor for any abnormal modifications.

  5. Namespace Separation: Separating namespaces by environment (dev, staging, prod) minimizes the impact of mistakes.