As new services are added to k8s, they can be administered by appropriate Linux usernames. For example, currently on the dev k8s cluster, the bookkeeper service is started, stopped and upgraded from the Linux 'bookkeeper' username.
This username can be restricted to one k8s namespace, so that only k8s resources (pods, services) can be created and viewed in that namespace and no other.
To enable this, for each username needed:
create a k8s service account for the username
create the appropriate namespace
create the k8s role and rolebinding YAML files that restricts the username
create the k8s config file that enables permissions (e.g. ~/.kube/config)
Detailed instructions with template YAML and config files will be added to this repo.
gothub
commented
2 years ago
As new services are added to k8s, they can be administered by appropriate Linux usernames. For example, currently on the dev k8s cluster, the bookkeeper service is started, stopped and upgraded from the Linux 'bookkeeper' username.
This username can be restricted to one k8s namespace, so that only k8s resources (pods, services) can be created and viewed in that namespace and no other.
To enable this, for each username needed:
Detailed instructions with template YAML and config files will be added to this repo.