klum does the following basic tasks:
- Create/Delete/Modify users
- Easily manage roles associated with users
- Issues kubeconfig files for users to use
This is a very simple controller that just create service accounts under the hood. Properly configured this should work on any Kubernetes cluster.
kubectl apply -f https://raw.githubusercontent.com/jadolg/klum/master/deploy.yaml
kind: User
apiVersion: klum.cattle.io/v1alpha1
metadata:
name: darren
kubectl get kubeconfig darren -o json | jq .spec > kubeconfig
kubectl --kubeconfig=kubeconfig get all
The name of the kubeconfig resource will be the same as the user name
kubectl delete user darren
kind: User
apiVersion: klum.cattle.io/v1alpha1
metadata:
name: darren
spec:
clusterRoles:
- view
roles:
- namespace: default
# you can assign cluster roles in a namespace
clusterRole: cluster-admin
- namespace: other
# or assign a role specific to that namespace
role: something-custom
If you don't assign a role a default role will be assigned to the user which is configured on the controller. The default value is cluster-admin, so change that if you want a more secure setup.
kind: User
apiVersion: klum.cattle.io/v1alpha1
metadata:
name: darren
spec:
enabled: false
You might want to use a different context name in the kubeconfig. You can do this
by setting the context
field in the User spec. The cluster name will still be the
context name passed to klum.
kind: User
apiVersion: klum.cattle.io/v1alpha1
metadata:
name: darren
spec:
context: my-context
Klum will by default set the namespace field of the kubeconfig context to
the first namespace it finds in User
's spec.roles[].namespace
field,
or fallback to namespace default
if the user is not assigned to any namespace.
You can override the kubeconfig context's namespace by setting
the contextNamespace
field in the User spec.
kind: User
apiVersion: klum.cattle.io/v1alpha1
metadata:
name: darren
spec:
contextNamespace: my-namespace
In order to upload Kubeconfigs to GitHub you need to start klum with a valid GitHub token --github-token
and add the following sync
settings to your User.
You can create repository scoped secrets and environment scoped secrets if you specify an environment
.
---
kind: User
apiVersion: klum.cattle.io/v1alpha1
metadata:
name: darren
spec:
roles:
- namespace: default
clusterRole: cluster-admin
---
kind: UserSyncGithub
apiVersion: klum.cattle.io/v1alpha1
metadata:
name: darren
spec:
user: darren
github:
owner: jadolg
repository: klum-example
environment: prod
secretName: KUBE_CONFIG
When the user is reenabled a new kubeconfig with new token will be created.
The controller can be configured as follows. You will need to edit the deployment and change then environment variables:
GLOBAL OPTIONS:
--namespace value Namespace to create secrets and SAs in (default: "klum") [$NAMESPACE]
--context-name value Context name to put in Kubeconfigs (default: "default") [$CONTEXT_NAME]
--server value The external server field to put in the Kubeconfigs (default: "https://localhost:6443") [$SERVER_NAME]
--ca value The value of the CA data to put in the Kubeconfig [$CA]
--default-cluster-role value Default cluster-role to assign to users with no roles (default: "cluster-admin") [$DEFAULT_CLUSTER_ROLE]
--github-token value The token used to push kubeconfigs to GitHub if you need this feature [$GITHUB_TOKEN]
--github-url value The GitHub URL if you are using GitHub enterprise [$GITHUB_URL]
--github-app-private-key-file value GitHub private key file if you are using App based authentication [$GITHUB_APP_PRIVATE_KEY_FILE]
--github-app-id value GitHub app id if you are using App based authentication (default: 0) [$GITHUB_APP_ID]
go build
./bin/klum --kubeconfig=${HOME}/.kube/config
Copyright (c) 2020 Rancher Labs, Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.