Securing Access to Kubernetes with Rancher

November 1, 2021
Sergio Rua

The built-in roles are good for most use cases. They are fairly granular, covering everything from access to Rancher itself down to individual projects or namespaces. If you need something stricter, you can create your own roles with narrower permissions starting from the built-in ones.

Roles are then granted on Projects, a construct that is native to Rancher rather than Kubernetes. A Project is, in essence, a group of namespaces.
In terms of hierarchy:

  • Clusters contain projects
  • Projects contain namespaces

You can use projects to perform actions such as:

  • Assign users to a group of namespaces (i.e., project membership).
  • Assign users specific roles in a project. A role can be owner, member, read-only, or custom.
  • Assign resource quotas to the project.
  • Assign Pod Security Policies (note that PodSecurityPolicy is deprecated as of Kubernetes 1.21 and removed in 1.25, so plan for its replacement).

As you can see, you can get pretty granular when configuring access, and because a project role is scoped to the project's namespaces, a user with a read-only role in one project has no access at all to namespaces in another.
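As an added illustration of a custom, stricter role (this is not from the original article; the role name, user ID and the `c-xxxxx:p-xxxxx` project ID are placeholders), here is a Rancher RoleTemplate that lets a project member read workloads and pod logs but not Secrets, together with the ProjectRoleTemplateBinding that grants it to one user on one project. Both are `management.cattle.io/v3` objects applied to the Rancher management cluster; I am assuming, as is the case in Rancher 2.x, that the binding lives in the namespace named after the project ID.

```yaml
# Added example, not code from the article. A custom project-scoped role:
# read-only on workloads and logs, deliberately silent on Secrets and RBAC objects.
apiVersion: management.cattle.io/v3
kind: RoleTemplate
metadata:
  name: project-workload-viewer          # placeholder name
displayName: Project Workload Viewer
description: Read workloads, events and pod logs; no access to Secrets
context: project                         # grantable per project; applies to every namespace in it
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps", "events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
    verbs: ["get", "list", "watch"]
  # No rule mentions "secrets": Kubernetes RBAC is deny-by-default, so the
  # omission is what keeps this role from reading credentials.
---
# Grant the role to a single user on a single project.
apiVersion: management.cattle.io/v3
kind: ProjectRoleTemplateBinding
metadata:
  name: workload-viewer-alice            # placeholder name
  namespace: p-xxxxx                     # assumption: the project ID is the binding's namespace
projectName: c-xxxxx:p-xxxxx             # <cluster id>:<project id>, the same format `rancher context switch` prints
roleTemplateName: project-workload-viewer
userPrincipalName: local://u-xxxxx       # placeholder local user; use groupPrincipalName for an auth-provider group
```

The point of splitting the two objects is that the RoleTemplate is defined once and reused, while each binding is the audit record of who can do what in which project. Reviewing bindings per project is how you verify least privilege is actually in place rather than just intended.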

I don’t like using a Web UI

I hear you saying? No trouble. You can use the command line with Rancher as well: there is a shell built into the Rancher UI for quick jobs, and you can download a kubeconfig from Rancher that carries your own user’s permissions and nothing more.

Treat that kubeconfig like a password. It contains a bearer token for your Rancher user, so keep the file readable only by you, and expect to download a fresh one when it expires if your Rancher administrator has configured a kubeconfig token TTL in the global settings.

Another alternative is the Rancher CLI. It is especially handy if you manage multiple clusters and want an easy way to switch between them.

First create an API key from your user’s API keys page in Rancher. Give it an expiry and, where possible, scope it to a single cluster rather than leaving it unscoped. Bear in mind that the CLI stores the token in plain text under ~/.rancher/, so the same file-permission hygiene as for a kubeconfig applies. Once you have the key, log in:

$ rancher login https://<SERVER_URL> --token <BEARER_TOKEN>

If you have multiple clusters, switch between them with:

$ rancher context switch
NUMBER    CLUSTER NAME   PROJECT ID              PROJECT NAME   
1         cluster-2      c-7q96s:p-h4tmb         project-2      
2         cluster-2      c-7q96s:project-j6z6d   Default        
3         cluster-1      c-lchzv:p-xbpdt         project-1      
4         cluster-1      c-lchzv:project-s2mch   Default       
Select a Project:

Now you can run any kubectl command against the selected cluster and project through the CLI:

$ rancher kubectl cluster-info

Conclusion

Hacking is not all about teenagers in hoodies in dark rooms full of leftover pizza trying to break into your company. A good share of security incidents (up to 60% according to some reports) originate inside the organisation, from people who already hold legitimate credentials.

Remember to apply the principle of least privilege, secure access to the managed Kubernetes portal, use two-factor authentication wherever possible, and apply RBAC, either through Rancher’s roles and projects or by creating custom kubeconfig files per user or group of users.

Originally published at https://digitalis.io on November 1, 2021.
