Question

In Karbon are all users the same user?

  • 23 April 2021
  • 0 replies
  • 39 views


When I get a kubeconfig file from Karbon, the user is always default-user-MyClusterNameHere in the kubeconfig file.

I am trying to set up RBAC permissions for various users as indicated on your post here: https://next.nutanix.com/community-blog-154/providing-rbac-for-your-karbon-kubernetes-clusters-33132

But the user is always the same user (default-user-MyClusterNameHere).  

How can I get a user logged in as the actual user that they are?

And more, how can I get the groups that my users are in so I do not have to assign permissions to specific users? (We use Active Directory.)

Update

After a fair amount of searching, I have found that I can enable OIDC support in a Kubernetes cluster. It looks like I will have to do the following:

  1. Set up an OIDC server, make an application in there, and note its Client ID and Client Secret
  2. Log in to the Master Kubernetes nodes and update the file found at /var/nutanix/etc/kubernetes/manifests/kube-apiserver.yaml with the following changes under the - kube-apiserver section:
    1. Add --oidc-issuer-url=https://myodicserver.mydomain.com
    2. Add --oidc-username-claim=sub
    3. Add --oidc-client-id=MyClientIdHere

Once I do that, I should be able to use that OIDC server to authenticate users. And if the OIDC server is integrated with my Active Directory, then I should have access to the groups in my Active Directory as well.

This seems like a lot of work. Before I jump in on this path, I would love some confirmation that this is the expected path for Karbon customers to take to be able to have user-based RBAC.
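
An added example, not part of the original post and not Nutanix code: a small audit of the kube-apiserver flags listed in the update, showing which username RBAC bindings would have to match and whether any group information can reach RBAC. It goes slightly beyond the post by checking `--oidc-groups-claim` and `--oidc-username-prefix`, which are kube-apiserver flags the post does not list; the manifest fragment is constructed from the post's placeholder values.

```python
import re

# Constructed sample: args of a kube-apiserver static pod manifest after the
# three flags from the post were added (values are the post's placeholders).
SAMPLE_MANIFEST = """\
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --oidc-issuer-url=https://myodicserver.mydomain.com
    - --oidc-username-claim=sub
    - --oidc-client-id=MyClientIdHere
"""
FLAG_RE = re.compile(r"^\s*-\s+--([a-z0-9-]+)=(\S+)\s*$")

def parse_flags(manifest_text):
    """Collect every '- --flag=value' list item into a dict."""
    return {m.group(1): m.group(2)
            for m in map(FLAG_RE.match, manifest_text.splitlines()) if m}

def rbac_username(flags, claim_value):
    """Name that RBAC subjects must match for a token with this claim value."""
    prefix = flags.get("oidc-username-prefix")
    if prefix == "-":                      # "-" disables prefixing
        return claim_value
    if prefix is None:                     # default: none for email, else "<issuer>#"
        if flags.get("oidc-username-claim", "sub") == "email":
            return claim_value
        prefix = flags["oidc-issuer-url"] + "#"
    return prefix + claim_value

def audit_oidc(flags):
    """Return findings for the OIDC flags; an empty list means none."""
    findings = []
    issuer = flags.get("oidc-issuer-url", "")
    if not issuer.startswith("https://"):
        findings.append("oidc-issuer-url must be set to an https:// URL")
    if "oidc-client-id" not in flags:
        findings.append("oidc-client-id missing: required with the issuer URL")
    if "oidc-groups-claim" not in flags:
        findings.append("oidc-groups-claim not set: token groups never reach RBAC")
    if "RBAC" not in flags.get("authorization-mode", "").split(","):
        findings.append("authorization-mode lacks RBAC: bindings are not enforced")
    return findings

if __name__ == "__main__":
    flags = parse_flags(SAMPLE_MANIFEST)
    print(rbac_username(flags, "constructed-sub-123"))
    for finding in audit_oidc(flags):
        print("finding:", finding)
```

With only the three flags from the post, the audit reports the missing groups claim, and the username RBAC sees is the `sub` value prefixed with the issuer URL and `#`.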

