Cluster Policies define a set of Namespaces and RBAC rules that exist on all clusters that match the Policy's label query. They provide a quick and consistent means for cluster administrators to configure access to a set of clusters for a new team or application. Policies are stored in a single directory which allows for easy security auditing.
The format of Cluster Policies will likely change as the alpha program progresses. Details about migration steps will be provided as they become necessary.
Create a policy which grants admin access to the cluster for a defined LDAP/SAML group:
```yaml
kind: ClusterPolicy
apiVersion: multicluster.coreos.com/v1
metadata:
  name: ldap-group-admin
spec:
  selector:
    cloud: aws
  authorization:
    clusterBindings:
    - clusterRole: admin
      groups: ["Operations"]
```
Submit the new policy to the directory cluster, and watch it get synced to the replica. First, make sure `KUBECONFIG` points at the correct cluster:

```sh
export KUBECONFIG=/path/to/kubeconfig
kubectl get nodes
kubectl apply -f sample-policies/ldap-group-admin.yaml
clusterpolicy "ldap-group-admin" created
```
After a few seconds, a Cluster Role Binding will be created on all matching clusters.
This example creates a set of namespaces and access rules for an engineering team that produces a web API: a production namespace and a test namespace, each with its own role bindings. The following policy creates these namespaces and grants the appropriate access:
```yaml
kind: ClusterPolicy
apiVersion: multicluster.coreos.com/v1
metadata:
  name: web-api
spec:
  selector:
    cloud: aws
  namespaces:
  - name: "api-prod"
    authorization:
      bindings:
      - clusterRole: view
        users: ["random-user"]
        groups: ["SupportTeam"]
      - clusterRole: edit
        groups: ["APIDevelopers"]
      - clusterRole: admin
        users: ["joe-team-lead"]
  - name: "api-test"
    authorization:
      bindings:
      - clusterRole: admin
        groups: ["APIDevelopers"]
```
Submit it to the directory cluster and watch the namespaces and role bindings get created on matching replica clusters:
```sh
kubectl apply -f sample-policies/namespaces-with-binding.yaml
clusterpolicy "web-api" created
```
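Because policies live in one directory, they can be audited before they are applied. The script below is an added example (not part of Tectonic or this guide) that walks the two policies above, already parsed into dicts as `yaml.safe_load` would produce them, computes which roles each user or group ends up with per scope, and flags cluster-wide `admin`-class grants and bindings made to individual users rather than groups; the role set in `BROAD_CLUSTER_ROLES` is an assumption you would tune to your own roles.

```python
# Cluster roles that confer broad privileges when bound cluster-wide (assumed list).
BROAD_CLUSTER_ROLES = {"admin", "cluster-admin"}

# The two policies from the text, as the dicts yaml.safe_load would produce.
LDAP_GROUP_ADMIN = {
    "kind": "ClusterPolicy", "apiVersion": "multicluster.coreos.com/v1",
    "metadata": {"name": "ldap-group-admin"},
    "spec": {"selector": {"cloud": "aws"}, "authorization": {
        "clusterBindings": [{"clusterRole": "admin", "groups": ["Operations"]}]}},
}
WEB_API = {
    "kind": "ClusterPolicy", "apiVersion": "multicluster.coreos.com/v1",
    "metadata": {"name": "web-api"},
    "spec": {"selector": {"cloud": "aws"}, "namespaces": [
        {"name": "api-prod", "authorization": {"bindings": [
            {"clusterRole": "view", "users": ["random-user"], "groups": ["SupportTeam"]},
            {"clusterRole": "edit", "groups": ["APIDevelopers"]},
            {"clusterRole": "admin", "users": ["joe-team-lead"]}]}},
        {"name": "api-test", "authorization": {"bindings": [
            {"clusterRole": "admin", "groups": ["APIDevelopers"]}]}}]},
}

def effective_grants(policies):
    """Map 'user:x' / 'group:y' subjects to {scope: set(roles)}, where scope is
    '*' for spec.authorization.clusterBindings (cluster-wide) and the namespace
    name for each spec.namespaces[].authorization.bindings entry."""
    grants = {}
    for policy in policies:
        spec = policy.get("spec", {})
        scoped = [("*", b) for b in spec.get("authorization", {}).get("clusterBindings", [])]
        for ns in spec.get("namespaces", []):
            scoped += [(ns["name"], b) for b in ns.get("authorization", {}).get("bindings", [])]
        for scope, binding in scoped:
            subjects = [f"user:{u}" for u in binding.get("users", [])]
            subjects += [f"group:{g}" for g in binding.get("groups", [])]
            for subject in subjects:
                grants.setdefault(subject, {}).setdefault(scope, set()).add(binding["clusterRole"])
    return grants

def audit(policies):
    """Flag cluster-wide broad roles and bindings to individual users rather than groups."""
    findings = []
    for subject, scopes in sorted(effective_grants(policies).items()):
        for scope, roles in sorted(scopes.items()):
            if scope == "*" and roles & BROAD_CLUSTER_ROLES:
                findings.append(f"{subject} holds cluster-wide {sorted(roles & BROAD_CLUSTER_ROLES)}")
            if subject.startswith("user:"):
                findings.append(f"{subject} is bound directly in {scope} ({sorted(roles)}); prefer a group")
    return findings
```

Running `audit([LDAP_GROUP_ADMIN, WEB_API])` reports the cluster-wide `admin` grant to `Operations` and the two user-level bindings in `api-prod`, while the group-scoped `APIDevelopers` grants pass unflagged.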