mirror of
https://github.com/siderolabs/talos.git
synced 2025-10-03 19:51:16 +02:00
docs: add guide for RBAC
Document how to enable RBAC without screwing up. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
parent
f5721050de
commit
915cd8fe20
@ -37,7 +37,7 @@ cluster:
|
|||||||
|
|
||||||
If you choose not to use `extraManifests` to install Kubelet Serving Certificate Approver and metrics-server during bootstrap, you can install them once the cluster is online using `kubectl`:
|
If you choose not to use `extraManifests` to install Kubelet Serving Certificate Approver and metrics-server during bootstrap, you can install them once the cluster is online using `kubectl`:
|
||||||
|
|
||||||
```shell
|
```sh
|
||||||
kubectl apply -f https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
|
kubectl apply -f https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
|
||||||
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
|
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
|
||||||
```
|
```
|
||||||
|
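Review bot: the only change in this hunk is the fence tag `shell` → `sh`, which is fine, but the two `kubectl apply -f` lines it carries install manifests from a moving `main` branch and from `releases/latest/download`; since this page is the install procedure, suggest pinning both URLs to a release tag (for example `.../v<x.y.z>/...` as a placeholder instead of `main` or `latest`) so readers deploy a known, reviewable manifest rather than whatever upstream currently serves.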
@ -15,7 +15,7 @@ When used as a base image, the installer will perform the above steps automatica
|
|||||||
|
|
||||||
Build and push your own kernel:
|
Build and push your own kernel:
|
||||||
|
|
||||||
```shell
|
```sh
|
||||||
git clone https://github.com/talos-systems/pkgs.git
|
git clone https://github.com/talos-systems/pkgs.git
|
||||||
cd pkgs
|
cd pkgs
|
||||||
make kernel-menuconfig USERNAME=_your_github_user_name_
|
make kernel-menuconfig USERNAME=_your_github_user_name_
|
||||||
|
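Review bot: same fence retag (`shell` → `sh`) as the previous hunk; confirm the site's syntax highlighter recognises `sh` as an alias, otherwise these blocks silently lose highlighting. Separately, `USERNAME=_your_github_user_name_` is a value the reader must replace, so a short sentence before the block saying so would avoid copy-paste surprises.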
@ -37,7 +37,7 @@ cluster:
|
|||||||
|
|
||||||
If you choose not to use `extraManifests` to install Kubelet Serving Certificate Approver and metrics-server during bootstrap, you can install them once the cluster is online using `kubectl`:
|
If you choose not to use `extraManifests` to install Kubelet Serving Certificate Approver and metrics-server during bootstrap, you can install them once the cluster is online using `kubectl`:
|
||||||
|
|
||||||
```shell
|
```sh
|
||||||
kubectl apply -f https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
|
kubectl apply -f https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
|
||||||
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
|
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
|
||||||
```
|
```
|
||||||
|
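Review bot: this hunk is the same `shell` → `sh` retag of the same two `kubectl apply` lines as the first hunk, presumably in a second versioned copy of the page (the file header is not visible in this rendering); the pinning remark there applies equally here, and if the docs are kept per version, make sure every copy gets the same tag so highlighting stays consistent across versions.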
50
website/content/docs/v0.11/Guides/rbac.md
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
---
|
||||||
|
title: Role-based access control (RBAC)
|
||||||
|
---
|
||||||
|
|
||||||
|
Talos v0.11 introduced initial support for role-based access control (RBAC).
|
||||||
|
This guide will explain what that is and how to enable it without losing access to the cluster.
|
||||||
|
|
||||||
|
## RBAC in Talos
|
||||||
|
|
||||||
|
Talos uses certificates to authorize users.
|
||||||
|
The certificate subject's organization field is used to encode user roles.
|
||||||
|
There is a set of predefined roles that allow access to different [API methods](../../reference/api/):
|
||||||
|
|
||||||
|
* `os:admin` grants access to all methods;
|
||||||
|
* `os:reader` grants access to "safe" methods (for example, that includes the ability to list files, but does not include the ability to read files content);
|
||||||
|
* `os:etcd:backup` grants access to [`/machine.MachineService/EtcdSnapshot`](../../reference/api/#machine.EtcdSnapshotRequest) method.
|
||||||
|
|
||||||
|
Roles in the current `talosconfig` can be checked with the following command (using [`yq` v4](https://github.com/mikefarah/yq)):
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ yq eval '.contexts[.context].crt' talosconfig | base64 -d | openssl x509 -noout -text
|
||||||
|
|
||||||
|
Certificate:
|
||||||
|
Data:
|
||||||
|
[...]
|
||||||
|
Subject: O = os:reader
|
||||||
|
[...]
|
||||||
|
```
|
||||||
|
|
||||||
|
RBAC is enabled by default in new clusters created with `talosctl` v0.11 and disabled otherwise.
|
||||||
|
|
||||||
|
## Enabling RBAC
|
||||||
|
|
||||||
|
First, both the Talos cluster and `talosctl` tool should be [upgraded](../upgrading-talos/) to v0.11.
|
||||||
|
Then the `talosctl config new` command should be used to generate a new client configuration with the `os:admin` role.
|
||||||
|
Additional configurations and certificates for different roles can be generated by passing `--roles` flag:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
talosctl config new --roles=os:reader reader
|
||||||
|
```
|
||||||
|
|
||||||
|
That command will create a new client configuration file `reader` with a new certificate with `os:reader` role.
|
||||||
|
|
||||||
|
After that, RBAC should be enabled in the machine configuration:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
machine:
|
||||||
|
features:
|
||||||
|
rbac: true
|
||||||
|
```
|
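Review bot: the "Enabling RBAC" section should say explicitly which client configuration is used to apply the `rbac: true` machine config change and what happens to the pre-existing `talosconfig`; the guide's own `openssl x509` check shows roles live in the certificate's `O` field, so a certificate generated before v0.11 carries no role, and the reader needs to know that the `talosctl config new` admin config must be the one in use before the feature is switched on, otherwise the title's promise ("without losing access to the cluster") is not backed by the steps. Two smaller points: `os:etcd:backup` is described as granting "access to ... method" (should read "the ... method"), and the sentence "RBAC is enabled by default in new clusters created with `talosctl` v0.11 and disabled otherwise" would be clearer as the first line of "Enabling RBAC", since it tells the reader whether the section applies to them at all.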
@ -20,6 +20,10 @@ TBD
|
|||||||
|
|
||||||
TBD
|
TBD
|
||||||
|
|
||||||
|
### After Upgrade to 0.11
|
||||||
|
|
||||||
|
TBD
|
||||||
|
|
||||||
## `talosctl` Upgrade
|
## `talosctl` Upgrade
|
||||||
|
|
||||||
To manually upgrade a Talos node, you will specify the node's IP address and the
|
To manually upgrade a Talos node, you will specify the node's IP address and the
|
||||||
|
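Review bot: the added `### After Upgrade to 0.11` section is only a `TBD` placeholder; since this same commit adds the RBAC guide, at minimum link to it here with a one-line summary (new `os:*` roles are encoded in the client certificate, `talosctl config new` generates an `os:admin` config, `rbac: true` enables enforcement), because the post-upgrade step is exactly where an operator will otherwise discover the access change.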