Developers are the target users of Kubernetes. Once a TKG cluster is provisioned, you can grant developer access using vCenter Single Sign-On authentication.
Authentication for Developers
A cluster administrator can grant cluster access to other users, such as developers. Developers can deploy pods to clusters directly using their user accounts, or indirectly using service accounts. For more information, see Grant Developers SSO Access to Workload Clusters in Using TKG Service with vSphere IaaS Control Plane.
- For user account authentication, TKG clusters support vCenter Single Sign-On users and groups. The user or group can be local to the vCenter Server, or synchronized from a supported directory server.
- For service account authentication, you can use service tokens. For more information, see the Kubernetes documentation.
Adding Developer Users to a Cluster
To grant cluster access to developers:
- Define a Role or ClusterRole for the user or group and apply it to the cluster. For more information, see the Kubernetes documentation.
- Create a RoleBinding or ClusterRoleBinding for the user or group and apply it to the cluster. See the following example.
Example RoleBinding
To grant access to a vCenter Single Sign-On user or group, the subject in the RoleBinding must contain one of the following values for the name parameter.
Field | Description
---|---
sso:USER-NAME@DOMAIN | A vCenter Single Sign-On user. For example, a local user name, such as sso:joe@vsphere.local.
sso:GROUP-NAME@DOMAIN | A vCenter Single Sign-On group. For example, a group name from a directory server integrated with the vCenter Server, such as sso:devs@ldap.example.com.
The following example RoleBinding binds the vCenter Single Sign-On local user named Joe to the default ClusterRole named edit. This role permits read/write access to most objects in a namespace, in this case the default namespace.
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rolebinding-cluster-user-joe
  namespace: default
roleRef:
  kind: ClusterRole
  name: edit  # Default ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  name: sso:joe@vsphere.local  # sso:<username>@<domain>
  apiGroup: rbac.authorization.k8s.io
```
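A subject name that does not follow the sso:NAME@DOMAIN form is accepted by the API server but never matches the authenticated user, so the binding silently grants nothing. The following added check (example code, not part of this documentation or of the TKG product) validates a RoleBinding before it is applied: it enforces the subject name format from the table above, the rbac.authorization.k8s.io apiGroup on roleRef and subjects, a namespace on RoleBinding objects, and flags the overly broad cluster-admin role (the OVERBROAD_ROLES set is an assumption, not a TKG rule). The manifest is loaded from JSON, which kubectl also accepts, so no YAML library is needed.

```python
import json
import re

# Accepted subject name shapes for vCenter SSO principals (from the table above):
#   sso:USER-NAME@DOMAIN (kind: User)   sso:GROUP-NAME@DOMAIN (kind: Group)
SSO_NAME = re.compile(r"^sso:[^@\s:]+@[A-Za-z0-9.-]+$")
RBAC_GROUP = "rbac.authorization.k8s.io"
# Assumption: roles a developer binding should never hand out.
OVERBROAD_ROLES = {"cluster-admin"}

def check_rolebinding(manifest: dict) -> list[str]:
    """Return the problems found; an empty list means the binding looks sane."""
    problems = []
    if manifest.get("apiVersion") != f"{RBAC_GROUP}/v1":
        problems.append("apiVersion must be rbac.authorization.k8s.io/v1")
    kind = manifest.get("kind")
    if kind not in ("RoleBinding", "ClusterRoleBinding"):
        problems.append(f"unexpected kind {kind!r}")
    if kind == "RoleBinding" and not manifest.get("metadata", {}).get("namespace"):
        problems.append("RoleBinding needs metadata.namespace (it is namespace-scoped)")
    ref = manifest.get("roleRef", {})
    if ref.get("apiGroup") != RBAC_GROUP or ref.get("kind") not in ("Role", "ClusterRole"):
        problems.append("roleRef must name a Role or ClusterRole in rbac.authorization.k8s.io")
    if ref.get("name") in OVERBROAD_ROLES:
        problems.append(f"roleRef {ref.get('name')!r} grants far more than a developer needs")
    subjects = manifest.get("subjects") or []
    if not subjects:
        problems.append("no subjects: the binding grants nothing")
    for i, s in enumerate(subjects):
        if s.get("kind") not in ("User", "Group"):
            continue  # ServiceAccount subjects use a different naming scheme
        name = s.get("name", "")
        if not SSO_NAME.match(name):
            problems.append(f"subjects[{i}].name {name!r} is not of the form sso:NAME@DOMAIN")
        if s.get("apiGroup") != RBAC_GROUP:
            problems.append(f"subjects[{i}] must set apiGroup {RBAC_GROUP}")
    return problems

# Constructed sample: the binding for joe shown above, expressed as JSON.
JOE_BINDING = json.loads("""{
  "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
  "metadata": {"name": "rolebinding-cluster-user-joe", "namespace": "default"},
  "roleRef": {"kind": "ClusterRole", "name": "edit", "apiGroup": "rbac.authorization.k8s.io"},
  "subjects": [{"kind": "User", "name": "sso:joe@vsphere.local",
                "apiGroup": "rbac.authorization.k8s.io"}]
}""")

if __name__ == "__main__":
    for line in check_rolebinding(JOE_BINDING) or ["OK"]:
        print(line)
```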