| 1 | +# Using SAML and ACLs for fine-grained access control |
| 2 | + |
| 3 | +In this tutorial we will use SAML and ACLs to control fine-grained access to Kubernetes clusters. |
| 4 | + |
| 5 | +Let's assume that at our organization: |
| 6 | + |
| 7 | +- We run a Keycloak instance as the SAML identity provider. |
| 8 | +- Have our Omni instance already configured to use Keycloak as the SAML identity provider. |
| 9 | +- Our Omni instance has 2 types of clusters: |
| 10 | + - Staging clusters with the name prefix `staging-`: `staging-1`, `staging-2`, etc. |
| 11 | + - Production clusters with the name prefix `prod-`: `prod-1`, `prod-2`, etc. |
| 12 | +- We want the users with the SAML role `omni-cluster-admin` to have full access to all clusters. |
| 13 | +- We want the users with the SAML role `omni-cluster-support` to have full access to staging clusters and read-only access to production clusters. |
| 14 | + |
| 15 | +## Sign in as the initial SAML User |
| 16 | + |
| 17 | +If our Omni instance has no users yet, the initial user who signs in via SAML will be automatically assigned to the Omni `Admin` role. |
| 18 | + |
| 19 | +We sign in as the user `[email protected]` and get the Omni `Admin` role. |
| 20 | + |
| 21 | +## Configuring the AccessPolicy |
| 22 | + |
| 23 | +We need to configure the ACL to assign the `omni-cluster-support` role to the users with the SAML role `omni-cluster-support` and |
| 24 | +the `omni-cluster-admin` role to the users with the SAML role `omni-cluster-admin`. |
| 25 | + |
| 26 | +Create the following YAML file `acl.yaml`: |
| 27 | + |
| 28 | +```yaml |
| 29 | +metadata: |
| 30 | + namespace: default |
| 31 | + type: AccessPolicies.omni.sidero.dev |
| 32 | + id: access-policy |
| 33 | +spec: |
| 34 | + usergroups: |
| 35 | + support: |
| 36 | + users: |
| 37 | + - labelselectors: |
| 38 | + - saml.omni.sidero.dev/role/omni-cluster-support= |
| 39 | + admin: |
| 40 | + users: |
| 41 | + - labelselectors: |
| 42 | + - saml.omni.sidero.dev/role/omni-cluster-admin= |
| 43 | + clustergroups: |
| 44 | + staging: |
| 45 | + clusters: |
| 46 | + - match: staging-* |
| 47 | + production: |
| 48 | + clusters: |
| 49 | + - match: prod-* |
| 50 | + all: |
| 51 | + clusters: |
| 52 | + - match: "*" |
| 53 | + rules: |
| 54 | + - users: |
| 55 | + - group/support |
| 56 | + clusters: |
| 57 | + - group/staging |
| 58 | + role: Operator |
| 59 | + - users: |
| 60 | + - group/support |
| 61 | + clusters: |
| 62 | + - group/production |
| 63 | + role: Reader |
| 64 | + kubernetes: |
| 65 | + impersonate: |
| 66 | + groups: |
| 67 | + - read-only |
| 68 | + - users: |
| 69 | + - group/admin |
| 70 | + clusters: |
| 71 | + - group/all |
| 72 | + role: Operator |
| 73 | + tests: |
| 74 | + - name: support engineer has Operator access to staging cluster |
| 75 | + user: |
| 76 | + |
| 77 | + labels: |
| 78 | + saml.omni.sidero.dev/role/omni-cluster-support: "" |
| 79 | + cluster: |
| 80 | + name: staging-1 |
| 81 | + expected: |
| 82 | + role: Operator |
| 83 | + - name: support engineer has Reader access to prod cluster and impersonates read-only group |
| 84 | + user: |
| 85 | + |
| 86 | + labels: |
| 87 | + saml.omni.sidero.dev/role/omni-cluster-support: "" |
| 88 | + cluster: |
| 89 | + name: prod-1 |
| 90 | + expected: |
| 91 | + role: Reader |
| 92 | + kubernetes: |
| 93 | + impersonate: |
| 94 | + groups: |
| 95 | + - read-only |
| 96 | + - name: admin has Operator access to staging cluster |
| 97 | + user: |
| 98 | + |
| 99 | + labels: |
| 100 | + saml.omni.sidero.dev/role/omni-cluster-admin: "" |
| 101 | + cluster: |
| 102 | + name: staging-1 |
| 103 | + expected: |
| 104 | + role: Operator |
| 105 | + - name: admin has Operator access to prod cluster |
| 106 | + user: |
| 107 | + |
| 108 | + labels: |
| 109 | + saml.omni.sidero.dev/role/omni-cluster-admin: "" |
| 110 | + cluster: |
| 111 | + name: prod-1 |
| 112 | + expected: |
| 113 | + role: Operator |
| 114 | +``` |
| 115 | +
|
| 116 | +As the admin user `[email protected]`, apply this ACL using omnictl: |
| 117 | + |
| 118 | +```bash |
| 119 | +$ omnictl apply -f acl.yaml |
| 120 | +``` |
| 121 | + |
| 122 | +## Accessing the Clusters |
| 123 | + |
| 124 | +Now, in an incognito window, log in as a support engineer, `[email protected]`. |
| 125 | +Since the user is not assigned to any Omni role yet, they cannot use Omni Web. |
| 126 | + |
| 127 | +Download `omnictl` and `omniconfig` from the UI, and try to list the clusters by using it: |
| 128 | +```bash |
| 129 | +$ omnictl --omniconfig ./support-omniconfig.yaml get cluster |
| 130 | +NAMESPACE TYPE ID VERSION |
| 131 | +Error: rpc error: code = PermissionDenied desc = failed to validate: 1 error occurred: |
| 132 | + * rpc error: code = PermissionDenied desc = unauthorized: access denied: insufficient role: "None" |
| 133 | +``` |
| 134 | + |
| 135 | +You won't be able to list the clusters because the user is not assigned to any Omni role. |
| 136 | + |
| 137 | +Now try to get the cluster `staging-1`: |
| 138 | +```bash |
| 139 | +$ omnictl --omniconfig ./support-omniconfig.yaml get cluster staging-1 |
| 140 | +NAMESPACE TYPE ID VERSION |
| 141 | +default Cluster staging-1 5 |
| 142 | +``` |
| 143 | + |
| 144 | +You can get the cluster `staging-1` because the ACL allows the user to access the cluster. |
| 145 | + |
| 146 | +Finally, try to delete the cluster `staging-1`: |
| 147 | +```bash |
| 148 | +$ omnictl --omniconfig ./support-omniconfig.yaml delete cluster staging-1 |
| 149 | +torn down Clusters.omni.sidero.dev staging-1 |
| 150 | +destroyed Clusters.omni.sidero.dev staging-1 |
| 151 | +``` |
| 152 | + |
| 153 | +The operation will succeed, because the ACL allows `Operator`-level access to the cluster for the user. |
| 154 | + |
| 155 | +Try to do the same operations with the cluster `prod-1`: |
| 156 | +```bash |
| 157 | +$ omnictl --omniconfig ./support-omniconfig.yaml get cluster prod-1 |
| 158 | +NAMESPACE TYPE ID VERSION |
| 159 | +default Cluster prod-1 5 |
| 160 | +
|
| 161 | +$ omnictl --omniconfig ./support-omniconfig.yaml delete cluster prod-1 |
| 162 | +Error: rpc error: code = PermissionDenied desc = failed to validate: 1 error occurred: |
| 163 | + * rpc error: code = PermissionDenied desc = unauthorized: access denied: insufficient role: "Reader" |
| 164 | +``` |
| 165 | + |
| 166 | +The user will be able to get the cluster but not delete it, because the ACL allows only `Reader`-level access to the cluster for the user. |
| 167 | + |
| 168 | +If you do the same operations as the admin user, you'll notice that you are able to both get and delete staging and production clusters. |
| 169 | + |
| 170 | +## Assigning Omni roles to Users |
| 171 | + |
| 172 | +If you want to allow SAML users to use Omni Web, you need to assign them at least the `Reader` role. |
| 173 | +As the admin, sign in to Omni Web and assign the role `Reader` to both `[email protected]` and `[email protected]`. |
| 174 | + |
| 175 | +Now, as the support engineer, you can sign out & sign in again to Omni Web and see the clusters `staging-1` and `prod-1` in the UI. |
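Review bot: the walkthrough contradicts itself: in "Accessing the Clusters" the support engineer runs `omnictl --omniconfig ./support-omniconfig.yaml delete cluster staging-1` and the output shows `staging-1` torn down and destroyed, yet the closing "Assigning Omni roles to Users" step expects that same user to "see the clusters `staging-1` and `prod-1` in the UI". Either demonstrate the `Operator`-level write with a non-destructive operation, or state that `staging-1` must be re-created (or use `staging-2`) before the final sign-in. Second, the production rule's `kubernetes.impersonate.groups: - read-only` only restricts what the support engineer can do with kubectl if a `read-only` group is actually bound to a read-only ClusterRole in every `prod-*` cluster; the tutorial never shows or mentions that binding, so a reader following it verbatim cannot tell what the impersonated identity can do in the cluster. A sentence saying the group must exist with the intended RBAC (ideally with the ClusterRoleBinding) would close the gap. Minor: the `tests` block covers only positive cases; a test for a user carrying neither SAML label (matching no rule, consistent with the `insufficient role: "None"` output shown later) would document the default-deny behaviour the tutorial relies on.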