Solved
Storage Class User for Karbon
I'm trying to configure a new Kubernetes cluster using Karbon. When I get to the stage of configuring the storage class, I'm prompted for a user name and password. I'm not sure which user I should be entering here, as the few I've tried don't seem to work. The cluster setup tutorial video shows the username `admin`, which seems to suggest using a very highly privileged user, which seems unnecessary to me. How can I create a user with the minimum privileges necessary for the storage class?
Best answer by vshuguet
Hello @wfhartford ,
The long term solution (no dates/times, as all of those things changes) is to bring the Volumes API, which is what the CSI driver uses to provision a PVC, up to Prism Central level, and add RBAC to that.
Until that happen, we're using what is available on PE, which in this case is Cluster Admin.
View originalThe long term solution (no dates/times, as all of those things changes) is to bring the Volumes API, which is what the CSI driver uses to provision a PVC, up to Prism Central level, and add RBAC to that.
Until that happen, we're using what is available on PE, which in this case is Cluster Admin.
73 people like this
- chepakrulazmi
- Gizmoadams
- MendeilB
- mvenator
- ASavage
- bcaballero
- ewong6
- nanski
- kerrim
- akbar1989
- rubarb
- ykhatiri-45242
- joshbooher
- shaunkessey
- benlan51
- GerardoGomez
- Mahdi
- sujithsn
- roberto_ortega
- osegura-68990
- Ateiv
- mcalef
- PercyCruz
- sreenivas4488
- jasonwcc76
- AndersonLeandrine
- Aabdelshaf
- Niwat
- RAJ CHAUHAN
- Wilson Lodestar
- Naing Htun Oo
- VirtuallySteve
- Renz
- Thanh Pham
- LeandroWPaes
- Wittaya
- Silvio Armando
- StevenD
- Surak
- Azeez
- SeanF
- Deepanshu
- Bauke
- Henry Hung
- soechsle
- Edward Feng
- Erwing
- Ndungo
- SifisoMapekula
- Awadh
- JonFraser
- yoboizg
- Erik_D
- Rachit
- KPho
- Paul-Marc
- JasonPollard
- NirmalPatel092
- Gemerson
- jonas.hogman
- Bolaji
- T Mock
- Michael Lim
- KarenHoek
- taina
- Sunail
- Faaris
- Gavkhanna
- Charliegs1
- Kriangkrain
- Domunism
- Yadav sanjay
- MOHD MAQB OOL
This topic has been closed for comments
+5- Nutanix Employee
- 150 replies
You need an user with Cluster Admin role at the Prism Element level. Depending from what PE cluster you will use for storage, you will need an user on it.
So the least privileged possible user for a storage class has complete control over the cluster? That seems like a bit of a security risk to me, are there plans to introduce more granular security controls so that one compromised container can't lead to an attacker taking over the entire cluster?
+4- Nutanix Employee
- 19 replies
- Answer
Hello @wfhartford ,
The long term solution (no dates/times, as all of those things changes) is to bring the Volumes API, which is what the CSI driver uses to provision a PVC, up to Prism Central level, and add RBAC to that.
Until that happen, we're using what is available on PE, which in this case is Cluster Admin.
The long term solution (no dates/times, as all of those things changes) is to bring the Volumes API, which is what the CSI driver uses to provision a PVC, up to Prism Central level, and add RBAC to that.
Until that happen, we're using what is available on PE, which in this case is Cluster Admin.
Product Manager - Karbon Clusters & Kubernetes @ Nutanix
1 person likes this
OK, good to know that there are plans here. I'm new to nutanix, so the various types of users and places that they are administered are a little confusing. It sounds like things are moving in the right direction though.
Thanks
Thanks
+4- Nutanix Employee
- 19 replies
To give you an idea, PE (Prism Element) is our single cluster management plane. It is where we started years ago, but it's also limited in terms of roles/RBAC features.
PC (Prism Central), our multi-cluster management plane, is where we're moving all of our management features and also where all of our new products integrate. It has advanced RBAC capabilities.
The current situation is born because of that transition period of moving functionalities that used to live in PE, up to PC.
PC (Prism Central), our multi-cluster management plane, is where we're moving all of our management features and also where all of our new products integrate. It has advanced RBAC capabilities.
The current situation is born because of that transition period of moving functionalities that used to live in PE, up to PC.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.