Storage Class User for Karbon

  • 26 August 2019
  • 5 replies

I'm trying to configure a new Kubernetes cluster using Karbon. When I get to the stage of configuring the storage class, I'm prompted for a user name and password. I'm not sure which user I should be entering here, as the few I've tried don't seem to work. The cluster setup tutorial video shows the username `admin`, which seems to suggest using a very highly privileged user, which seems unnecessary to me. How can I create a user with the minimum privileges necessary for the storage class?

Best answer by vshuguet 27 August 2019, 18:35

You need a user with the Cluster Admin role at the Prism Element level. Depending on which PE cluster you will use for storage, you will need a user on that cluster.

So the least-privileged possible user for a storage class has complete control over the cluster? That seems like a bit of a security risk to me. Are there plans to introduce more granular security controls, so that one compromised container can't lead to an attacker taking over the entire cluster?

Hello @wfhartford ,

The long-term solution (no dates/times, as all of those things change) is to bring the Volumes API, which is what the CSI driver uses to provision a PVC, up to the Prism Central level, and add RBAC to that.

Until that happens, we're using what is available on PE, which in this case is Cluster Admin.

OK, good to know that there are plans here. I'm new to Nutanix, so the various types of users and the places where they are administered are a little confusing. It sounds like things are moving in the right direction though.

To give you an idea, PE (Prism Element) is our single cluster management plane. It is where we started years ago, but it's also limited in terms of roles/RBAC features.

PC (Prism Central), our multi-cluster management plane, is where we're moving all of our management features and also where all of our new products integrate. It has advanced RBAC capabilities.

The current situation arises from that transition period of moving functionality that used to live in PE up to PC.