Cluster Policies define a set of Namespaces and RBAC rules that exist on every cluster matching the Policy's label selector. They give cluster administrators a quick and consistent way to configure access to a set of clusters for a new team or application. Because all Policies live in a single directory, that directory is the one place to audit who has been granted what access across the fleet.
The format of Cluster Policies will likely change as the alpha program progresses. Details about migration steps will be provided as they become necessary.
Create a policy that grants the built-in `admin` ClusterRole to a defined LDAP/SAML group on every matching cluster. Because this uses `clusterBindings`, the grant is a ClusterRoleBinding: the group gets `admin` permissions in every namespace of every cluster whose labels match the selector (note this is the `admin` role, not `cluster-admin`, so cluster-scoped resources such as nodes are not included). The group name must match exactly the group name your identity provider presents to Kubernetes; RBAC compares it as a case-sensitive string.

```yaml
kind: ClusterPolicy
apiVersion: multicluster.coreos.com/v1
metadata:
  name: ldap-group-admin
spec:
  # Applied to every cluster carrying the label cloud=aws
  selector:
    cloud: aws
  authorization:
    # clusterBindings become ClusterRoleBindings (cluster-wide, all namespaces)
    clusterBindings:
      - clusterRole: admin
        groups: ["Operations"]
```
Submit the new policy to the directory cluster and watch it get synced to the replicas. First make sure your kubeconfig points at the directory cluster, not a replica; `kubectl get nodes` is a cheap way to confirm which cluster you are talking to before applying anything:

```sh
$ export KUBECONFIG=/path/to/kubeconfig
$ kubectl get nodes    # confirm these are the directory cluster's nodes
$ kubectl apply -f sample-policies/ldap-group-admin.yaml
clusterpolicy "ldap-group-admin" created
```

After a few seconds, a ClusterRoleBinding is created on every cluster that matches the selector. To check, point `KUBECONFIG` at a replica and list its ClusterRoleBindings; a cluster whose labels do not match the selector should show no new binding.
This example creates a set of namespaces and access rules for an engineering team that produces a web API. It does the following on every cluster matching the selector:

- creates an `api-prod` namespace, where `random-user` and the `SupportTeam` group can `view`, the `APIDevelopers` group can `edit`, and `joe-team-lead` is `admin`;
- creates an `api-test` namespace, where the `APIDevelopers` group is `admin`.

Unlike `clusterBindings`, the `bindings` entries under a namespace become RoleBindings scoped to that namespace, so `admin` here is confined to the named namespace rather than granted cluster-wide. Example policy to create these namespaces and grant the appropriate access:

```yaml
kind: ClusterPolicy
apiVersion: multicluster.coreos.com/v1
metadata:
  name: web-api
spec:
  selector:
    cloud: aws
  namespaces:
    - name: "api-prod"
      authorization:
        # bindings become RoleBindings scoped to api-prod only
        bindings:
          - clusterRole: view
            users: ["random-user"]
            groups: ["SupportTeam"]
          - clusterRole: edit
            groups: ["APIDevelopers"]
          - clusterRole: admin
            users: ["joe-team-lead"]
    - name: "api-test"
      authorization:
        bindings:
          - clusterRole: admin
            groups: ["APIDevelopers"]
```
Submit it to the directory cluster and watch the namespaces and role bindings get created on the matching replica clusters:

```sh
$ kubectl apply -f sample-policies/namespaces-with-binding.yaml
clusterpolicy "web-api" created
```
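Because the policy directory is the audit trail for access across the fleet, it is worth being able to see, without touching a cluster, exactly which RBAC objects a policy will fan out into and which grants deserve a second look. The following Python script is an added example, not part of this page or of the multicluster controller: it takes the two policies above (embedded as Python dicts with the same structure as the YAML, so no YAML parser is needed), expands them into the Namespaces, ClusterRoleBindings and RoleBindings they imply, checks whether a given cluster's labels match the selector, and flags cluster-wide grants of privileged roles. The generated object names (`<policy>-<role>` and `<policy>-<namespace>-<role>`) and the privileged-role list are assumptions of this example; the real controller may name its objects differently.

```python
"""Expand ClusterPolicy documents into the RBAC objects they imply and audit them.

Added example; not the multicluster controller's code. Object naming is assumed.
"""
from typing import Any, Dict, List

# Constructed input: the two ClusterPolicy documents shown on this page, as dicts.
LDAP_GROUP_ADMIN: Dict[str, Any] = {
    "kind": "ClusterPolicy",
    "apiVersion": "multicluster.coreos.com/v1",
    "metadata": {"name": "ldap-group-admin"},
    "spec": {
        "selector": {"cloud": "aws"},
        "authorization": {
            "clusterBindings": [{"clusterRole": "admin", "groups": ["Operations"]}]
        },
    },
}

WEB_API: Dict[str, Any] = {
    "kind": "ClusterPolicy",
    "apiVersion": "multicluster.coreos.com/v1",
    "metadata": {"name": "web-api"},
    "spec": {
        "selector": {"cloud": "aws"},
        "namespaces": [
            {
                "name": "api-prod",
                "authorization": {
                    "bindings": [
                        {"clusterRole": "view", "users": ["random-user"], "groups": ["SupportTeam"]},
                        {"clusterRole": "edit", "groups": ["APIDevelopers"]},
                        {"clusterRole": "admin", "users": ["joe-team-lead"]},
                    ]
                },
            },
            {
                "name": "api-test",
                "authorization": {"bindings": [{"clusterRole": "admin", "groups": ["APIDevelopers"]}]},
            },
        ],
    },
}

# Assumption: roles that should never be granted cluster-wide without review.
PRIVILEGED_ROLES = {"cluster-admin", "admin"}


def selector_matches(selector: Dict[str, str], cluster_labels: Dict[str, str]) -> bool:
    """A cluster matches when every selector key/value pair appears in its labels."""
    return all(cluster_labels.get(key) == value for key, value in selector.items())


def _subjects(binding: Dict[str, Any]) -> List[Dict[str, str]]:
    """Translate a binding's users/groups lists into RBAC subjects (users first)."""
    users = [{"kind": "User", "name": u} for u in binding.get("users", [])]
    groups = [{"kind": "Group", "name": g} for g in binding.get("groups", [])]
    return users + groups


def expand_policy(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the RBAC manifests a policy implies on each matching cluster."""
    name = policy["metadata"]["name"]
    spec = policy["spec"]
    objects: List[Dict[str, Any]] = []
    # clusterBindings -> ClusterRoleBinding: the grant covers every namespace.
    for b in spec.get("authorization", {}).get("clusterBindings", []):
        objects.append({
            "kind": "ClusterRoleBinding",
            "metadata": {"name": f"{name}-{b['clusterRole']}"},  # assumed naming
            "roleRef": {"kind": "ClusterRole", "name": b["clusterRole"]},
            "subjects": _subjects(b),
        })
    # namespaces[].bindings -> Namespace plus RoleBindings scoped to that namespace.
    for ns in spec.get("namespaces", []):
        objects.append({"kind": "Namespace", "metadata": {"name": ns["name"]}})
        for b in ns.get("authorization", {}).get("bindings", []):
            objects.append({
                "kind": "RoleBinding",
                "metadata": {"name": f"{name}-{ns['name']}-{b['clusterRole']}",
                             "namespace": ns["name"]},
                "roleRef": {"kind": "ClusterRole", "name": b["clusterRole"]},
                "subjects": _subjects(b),
            })
    return objects


def audit_policy(policy: Dict[str, Any]) -> List[str]:
    """Findings a reviewer of the policy directory would want flagged."""
    name = policy["metadata"]["name"]
    findings: List[str] = []
    if not policy["spec"].get("selector"):
        findings.append(f"{name}: empty selector matches every cluster")
    for obj in expand_policy(policy):
        if obj["kind"] == "Namespace":
            continue
        role = obj["roleRef"]["name"]
        scope = obj["metadata"].get("namespace", "all namespaces")
        who = ", ".join(f"{s['kind']}:{s['name']}" for s in obj["subjects"])
        if obj["kind"] == "ClusterRoleBinding" and role in PRIVILEGED_ROLES:
            findings.append(f"{name}: cluster-wide '{role}' granted to {who}")
        if not obj["subjects"]:
            findings.append(f"{name}: binding of '{role}' in {scope} has no subjects")
    return findings


if __name__ == "__main__":
    cluster = {"cloud": "aws", "region": "us-east-1"}  # constructed replica labels
    for policy in (LDAP_GROUP_ADMIN, WEB_API):
        pname = policy["metadata"]["name"]
        if not selector_matches(policy["spec"]["selector"], cluster):
            print(f"{pname}: selector does not match this cluster")
            continue
        for obj in expand_policy(policy):
            print(pname, obj["kind"], obj["metadata"]["name"], obj.get("subjects", ""))
        for finding in audit_policy(policy):
            print("WARNING", finding)
```

Run against a checkout of the policy directory, a script like this gives a reviewer the effective grants per cluster label set before a policy is applied, and the `ldap-group-admin` policy is flagged because a cluster-wide `admin` binding to a group is the kind of change that should be reviewed deliberately.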