DO Kubernetes: How to authorize a user or revoke/reset certificate

April 23, 2019
Kubernetes Security

I would like to know how we can grant additional user access to the Kubernetes cluster. Currently the kubeconfig you can download works well with kubectl. It is also good that it’s only 7 days valid. This prevents people from using the config where they should actually use a Kubernetes Service account.

However, I’d like to know if it’s possible to create additional kubectl users, or if it’s possible to force-reset the kubeconfig credentials generated by DigitalOcean. This way, we can securely and safely remove people from our team, knowing they will not have access to the Kubernetes cluster anymore.

3 Answers

Hi there,

We currently don’t have a great story around authentication to a DOKS cluster at the moment. There is currently no way to revoke a user’s access. As you mentioned, this isn’t exactly what service accounts are meant to/should be used for. This issue has been raised to engineering and is on their backlog for review.

Regards,

John Kwiatkoski
Senior Developer Support Engineer

  • Thank you John. Clear that there is currently no way to directly revoke access to the cluster for colleagues leaving a team. I think from a security standpoint it is quite important to have for a lot of teams. Even if it would only be to force “reset” the current active certificate.

Greetings!

If someone else has a more complete answer I welcome it, but I wanted to do my best to offer one. I asked one of our team members and fellow Kubernetes experts about this, and they told me that this should function for your use case:

https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Jarland

  • Thank you for getting back Jarland. I think RBAC is only meant for adding service accounts (for example from external services or CI) and to grant certain permissions to Users in the cluster.

    However, there is currently no way to manage multi-user access as everyone logs in with the same certificate generated by your management software.

    I did read that you as DigitalOcean are going to integrate more DigitalOcean Team functionality into cluster administration. Perhaps this will be the solution.

    However, at this point it is a security risk that someone who is offboarded from being a cluster admin, cannot be revoked access to it.

  • As the previous replies indicate, RBAC can only be used to give users, groups and service accounts permissions in the cluster. Due to the fact that every user that signs up to a DigitalOcean cluster has root (the same identity), this RBAC stuff is not working here. Kubernetes allows generating users and can be configured to use something like OpenID Connect to grant users access. From what I see, this is currently not available and so every user has cluster admin, which can be very ugly, because he can change every security setting.

I am also looking for a solution to this.

A cluster admin is able to create new users by generating a CertificateSigningRequest and using kubectl to approve/deny the certificate. The problem is that once the CSR is approved we no longer have any way to remove this user from the cluster or to update the certificates. This doesn’t seem a good approach.

ServiceAccounts are also not meant for this goal.

I don’t see how RBAC is resolving this problem; maybe it would be good to create a tutorial for this, as I see several people looking for the same.

@jarland is there a way to clarify this?
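As an added example (not code from the thread or from DigitalOcean) of the CSR workflow the last answer describes, together with the two controls a cluster admin does have while a client certificate cannot be revoked: a short `expirationSeconds` on the CSR (Kubernetes 1.22 and later) and offboarding by deleting the user's RBAC bindings. It assumes openssl and kubectl on PATH, a cluster-admin context and an existing target namespace; the user names and the group name are constructed.

```shell
# Added example, not from the thread: per-user client certificates via the
# CertificateSigningRequest API, plus the two controls you do have while a
# client cert cannot be revoked: a short lifetime (spec.expirationSeconds,
# Kubernetes 1.22+; the signer may clamp it) and offboarding by deleting the
# user's RBAC bindings. Assumes openssl and kubectl on PATH and a cluster-admin
# context; the user names, group and namespace used are constructed values.
set -eu

# CSR manifest for one user. Default lifetime 8 hours (28800 s), so a leaver's
# credential expires on its own rather than living until the CA is rotated.
csr_manifest() {
  user="$1"; csr_b64="$2"; ttl="${3:-28800}"
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: user-${user}
spec:
  request: ${csr_b64}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: ${ttl}
  usages:
  - client auth
EOF
}

# onboard <user> <namespace>: key + CSR, submit, approve, fetch the issued cert,
# then grant the built-in "edit" ClusterRole in one namespace. The label is the
# handle that offboard() uses to find every grant made for this user.
onboard() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$1/O=devs" -out "$1.csr"
  csr_manifest "$1" "$(base64 < "$1.csr" | tr -d '\n')" | kubectl apply -f -
  kubectl certificate approve "user-$1"
  kubectl get csr "user-$1" -o jsonpath='{.status.certificate}' \
    | base64 -d > "$1.crt"
  kubectl create rolebinding "$1-edit" --clusterrole=edit --user="$1" -n "$2"
  kubectl label rolebinding "$1-edit" -n "$2" "k8s-user=$1"
}

# offboard <user>: the certificate still authenticates until it expires, but
# with no bindings left it authorizes nothing; the can-i listing shows that.
offboard() {
  kubectl delete rolebinding,clusterrolebinding -A -l "k8s-user=$1"
  kubectl auth can-i --list --as="$1" -n default
}
```

Usage: `onboard alice dev` issues the short-lived credential and the namespaced grant; `offboard alice` removes every labelled binding and prints what the identity can still do.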
