NAVER Cloud Platform Kubernetes Service provides IAM authentication through ncp-iam-authenticator.

To use the kubectl command through IAM authentication, install ncp-iam-authenticator and edit the kubectl configuration file (kubeconfig) so that it uses ncp-iam-authenticator for authentication.

The initial project was developed by NAVER Cloud Platform Kubernetes Service engineers, and now anyone can contribute to the project.

The NAVER Cloud Platform official guide provides more detailed and friendly guides.
- Specify the version, OS and architecture you want to use.

  ```sh
  export version="1.0.6" # available versions can be found in GitHub Releases
  export os="darwin"     # darwin, linux, windows
  export arch="amd64"    # amd64, arm64
  ```

- Download the ncp-iam-authenticator binary.
  - macOS, Linux

    ```sh
    curl -o ncp-iam-authenticator -L https://github.com/NaverCloudPlatform/ncp-iam-authenticator/releases/download/v${version}/ncp-iam-authenticator_${os}_${arch}
    ```

  - Windows (PowerShell)

    ```powershell
    curl -o ncp-iam-authenticator.exe -L https://github.com/NaverCloudPlatform/ncp-iam-authenticator/releases/download/v${version}/ncp-iam-authenticator_windows_amd64.exe
    ```

- (Optional) Verify the downloaded binary file against its SHA-256 sum.
  - Compute the SHA-256 sum of the ncp-iam-authenticator binary file.
    - macOS, Linux

      ```sh
      openssl dgst -sha256 ncp-iam-authenticator
      ```

    - Windows (PowerShell)

      ```powershell
      Get-FileHash ncp-iam-authenticator.exe
      ```

  - macOS, Linux
    - Download the SHA-256 sums published for the release.

      ```sh
      curl -o ncp-iam-authenticator.sha256 -L https://github.com/NaverCloudPlatform/ncp-iam-authenticator/releases/download/v${version}/ncp-iam-authenticator_${version}_SHA256SUMS
      ```

    - Check that the two values match.

- Set permissions and PATH.
  - macOS, Linux
    - Add the execution permission to the binary.

      ```sh
      chmod +x ./ncp-iam-authenticator
      ```

    - Create $HOME/bin/ncp-iam-authenticator, and add it to $PATH.

      ```sh
      mkdir -p $HOME/bin && cp ./ncp-iam-authenticator $HOME/bin/ncp-iam-authenticator && export PATH=$PATH:$HOME/bin
      ```

    - Add PATH to the shell profile.
      - bash

        ```sh
        echo 'export PATH=$PATH:$HOME/bin' >> ~/.bash_profile
        ```

      - zsh

        ```sh
        echo 'export PATH=$PATH:$HOME/bin' >> ~/.zshrc
        ```

  - Windows
    - Create a new folder, such as C:\bin.
    - Copy the executable file ncp-iam-authenticator.exe to the new folder.
    - Edit the user or system PATH environment variable to add the new folder to PATH.
    - Close the PowerShell terminal, and open a new terminal to load the new PATH variable.

- Test that the ncp-iam-authenticator binary works.

  ```sh
  ncp-iam-authenticator help
  ```
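The "check that the two values match" step above is easy to get wrong by eye. The script below is an added example, not code from the ncp-iam-authenticator project: it reads the downloaded SHA256SUMS file and compares the recorded digest with the local binary. It assumes the sums file uses the usual `<hex>  <filename>` lines and that the entry is named after the release asset (e.g. `ncp-iam-authenticator_linux_amd64`), not after the local file name.

```sh
#!/bin/sh
# Added example (not part of the ncp-iam-authenticator project): verify a
# downloaded release binary against the published SHA256SUMS file instead of
# comparing hex strings by hand.

# sha256_of FILE: print the hex digest, using sha256sum (Linux) or openssl (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# expected_sum SUMSFILE ASSETNAME: digest recorded for ASSETNAME, or empty if absent.
# Accepts both "<hex>  name" and the binary-mode form "<hex> *name".
expected_sum() {
  awk -v name="$2" '$2 == name || $2 == ("*" name) {print $1; exit}' "$1"
}

# verify_release_binary FILE SUMSFILE ASSETNAME: returns 0 on a match, 1 otherwise.
verify_release_binary() {
  want=$(expected_sum "$2" "$3" | tr 'A-F' 'a-f')
  got=$(sha256_of "$1" | tr 'A-F' 'a-f')
  if [ -z "$want" ]; then
    echo "no entry for $3 in $2" >&2
    return 1
  fi
  if [ "$want" != "$got" ]; then
    echo "MISMATCH for $1: expected $want, got $got" >&2
    return 1
  fi
  echo "OK: $1 matches the published sum for $3"
}

# Usage after the download step (asset name is constructed from the same
# variables as the download URL); abort the install on a mismatch:
# verify_release_binary ncp-iam-authenticator ncp-iam-authenticator.sha256 \
#   "ncp-iam-authenticator_${os}_${arch}" || exit 1
```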
You can create a kubeconfig through ncp-iam-authenticator, or manually create a kubeconfig that uses ncp-iam-authenticator, for IAM cluster authentication in Kubernetes Service.

An API authentication key must first be set up to use ncp-iam-authenticator. You can get the API authentication key from [My Page] > [Manage account] > [Manage authentication key].

Set the API key in OS environment variables or in the configure file (the OS environment variables take priority over the configure file).

- OS environment variables

  ```sh
  export NCLOUD_ACCESS_KEY=ACCESSKEYACCESSKEYAC
  export NCLOUD_SECRET_KEY=SECRETKEYSECRETKEYSECRETKEYSECRETKEYSECR
  export NCLOUD_API_GW=https://ncloud.apigw.ntruss.com
  ```

- The configure file in the .ncloud folder of the user's home directory

  ```
  $ cat ~/.ncloud/configure
  [DEFAULT]
  ncloud_access_key_id = ACCESSKEYACCESSKEYAC
  ncloud_secret_access_key = SECRETKEYSECRETKEYSECRETKEYSECRETKEYSECR
  ncloud_api_url = https://ncloud.apigw.ntruss.com

  [project]
  ncloud_access_key_id = ACCESSKEYACCESSKEYAC
  ncloud_secret_access_key = SECRETKEYSECRETKEYSECRETKEYSECRETKEYSECR
  ncloud_api_url = https://ncloud.apigw.ntruss.com
  ```

- Confirm that ncp-iam-authenticator has been installed.
- Use the ncp-iam-authenticator create-kubeconfig command to create a kubeconfig for the cluster.

  ```sh
  ncp-iam-authenticator create-kubeconfig --region <region-code> --clusterUuid <cluster-uuid> > kubeconfig.yaml
  ```

  - region-code: cluster region code, e.g. KR, SGN
  - cluster-uuid: cluster UUID
  - If you specify a profile of the NCLOUD CLI configure file with the --profile option, that profile will be used for authentication when the kubectl command is executed.

- Test the kubectl command with the kubeconfig file created.

  ```
  $ kubectl get namespaces --kubeconfig kubeconfig.yaml
  NAME                   STATUS   AGE
  default                Active   1h
  kube-node-lease        Active   1h
  kube-public            Active   1h
  kube-system            Active   1h
  kubernetes-dashboard   Active   1h
  ```
When you create a Kubernetes Service cluster, the sub account that created the cluster and the main account are automatically included in the system:masters group in the cluster's RBAC configuration. This configuration is not shown in the cluster information or in any ConfigMap. To give an IAM user permission to use a cluster, the ncp-auth ConfigMap must be registered in the kube-system namespace.

The configuration can be set up after ncp-iam-authenticator has been installed and the kubeconfig is created.

- A kubectl credential must already be set up for the IAM user who created the cluster or for the main account.
- Create the ncp-auth ConfigMap.

  ```yaml
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: ncp-auth
    namespace: kube-system
  data:
    mapSubAccounts: |
      - subAccountIdNo: <iam-user-idno>
        username: <username>
        groups:
          - <groups>
  ```

  - The ConfigMap's IAM user parameters are as follows.
    - subAccountIdNo: ID number of the IAM user to be added, as shown in the IAM console
    - username: username to map to the IAM user within Kubernetes
    - groups: list of groups to map the user to within Kubernetes. For more details, refer to Default roles and role bindings.

- Check that the IAM user, or the Kubernetes user or user group it is mapped to, is bound to a Kubernetes role by a RoleBinding or ClusterRoleBinding. For more information, refer to Using RBAC Authorization in the Kubernetes documentation.
  - Permission to view resources in all namespaces. The group name is full-access-group, and it needs to be listed in the IAM user's groups in the ncp-auth ConfigMap.

    ```sh
    $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: full-access-clusterrole
    rules:
      - apiGroups:
          - ""
        resources:
          - nodes
          - namespaces
          - pods
        verbs:
          - get
          - list
      - apiGroups:
          - apps
        resources:
          - deployments
          - daemonsets
          - statefulsets
          - replicasets
        verbs:
          - get
          - list
      - apiGroups:
          - batch
        resources:
          - jobs
        verbs:
          - get
          - list
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: full-access-binding
    subjects:
      - kind: Group
        name: full-access-group
        apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: full-access-clusterrole
      apiGroup: rbac.authorization.k8s.io
    EOF
    ```

  - Permission to view resources in a specific namespace. The namespace set in the file is default; change it to the namespace you want. The group name is restricted-access-group, and it needs to be set in the IAM user's groups in the ncp-auth ConfigMap.

    ```sh
    $ cat <<EOF | kubectl --kubeconfig $KUBE_CONFIG apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: restricted-access-clusterrole
    rules:
      - apiGroups:
          - ""
        resources:
          - nodes
          - namespaces
        verbs:
          - get
          - list
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: restricted-access-clusterrole-binding
    subjects:
      - kind: Group
        name: restricted-access-group
        apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: restricted-access-clusterrole
      apiGroup: rbac.authorization.k8s.io
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: default
      name: restricted-access-role
    rules:
      - apiGroups:
          - ""
        resources:
          - pods
        verbs:
          - get
          - list
      - apiGroups:
          - apps
        resources:
          - deployments
          - daemonsets
          - statefulsets
          - replicasets
        verbs:
          - get
          - list
      - apiGroups:
          - batch
        resources:
          - jobs
        verbs:
          - get
          - list
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: restricted-access-role-binding
      namespace: default
    subjects:
      - kind: Group
        name: restricted-access-group
        apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role
      name: restricted-access-role
      apiGroup: rbac.authorization.k8s.io
    EOF
    ```
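After the ncp-auth ConfigMap and the restricted-access bindings are applied, the effective permissions of the mapped user can be confirmed with kubectl impersonation rather than by reading the manifests. The script below is an added example, not code from the ncp-iam-authenticator project. It assumes the kubeconfig in use belongs to the cluster creator or main account (system:masters, which may impersonate), and that the username and namespace passed in are the ones set in the ncp-auth ConfigMap and in the restricted-access Role.

```sh
#!/bin/sh
# Added example (not part of the ncp-iam-authenticator project): audit what a
# Kubernetes user mapped to restricted-access-group can actually do, using
# kubectl auth can-i with --as / --as-group impersonation.

# can_i USER GROUP VERB RESOURCE [NAMESPACE]: prints "yes" or "no".
# kubectl exits non-zero for "no", so its exit status is deliberately ignored.
can_i() {
  if [ -n "${5:-}" ]; then
    kubectl auth can-i "$3" "$4" --as "$1" --as-group "$2" -n "$5" 2>/dev/null || true
  else
    kubectl auth can-i "$3" "$4" --as "$1" --as-group "$2" 2>/dev/null || true
  fi
}

# expect_access USER GROUP VERB RESOURCE NAMESPACE WANT: returns 0 when the
# answer equals WANT (yes/no). NAMESPACE is "" for cluster-scoped resources.
expect_access() {
  got=$(can_i "$1" "$2" "$3" "$4" "$5")
  if [ "$got" = "$6" ]; then
    echo "ok   $3 $4 ${5:+-n $5} -> $got"
    return 0
  fi
  echo "FAIL $3 $4 ${5:+-n $5} -> '$got', expected $6"
  return 1
}

# audit_restricted_user USER NAMESPACE: the checks an operator wants after
# mapping USER to restricted-access-group. Returns the number of mismatches.
audit_restricted_user() {
  user=$1; ns=$2; grp=restricted-access-group; bad=0
  # reads granted by restricted-access-role (namespace) and -clusterrole (cluster)
  expect_access "$user" "$grp" get pods "$ns" yes || bad=$((bad+1))
  expect_access "$user" "$grp" list deployments "$ns" yes || bad=$((bad+1))
  expect_access "$user" "$grp" get nodes "" yes || bad=$((bad+1))
  # a read-only mapping: writes and reads in other namespaces must be denied
  expect_access "$user" "$grp" delete pods "$ns" no || bad=$((bad+1))
  expect_access "$user" "$grp" get pods kube-system no || bad=$((bad+1))
  expect_access "$user" "$grp" create clusterrolebindings "" no || bad=$((bad+1))
  return "$bad"
}

# Usage: sh audit.sh <username> <namespace>
if [ "$#" -eq 2 ]; then
  audit_restricted_user "$1" "$2" && echo "all checks passed"
fi
```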