docs: add guide for RBAC

Document how to enable RBAC without screwing up.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
This commit is contained in:
Alexey Palazhchenko 2021-06-25 18:13:37 +00:00 committed by talos-bot
parent f5721050de
commit 915cd8fe20
5 changed files with 57 additions and 3 deletions

View File

@ -37,7 +37,7 @@ cluster:
If you choose not to use `extraManifests` to install Kubelet Serving Certificate Approver and metrics-server during bootstrap, you can install them once the cluster is online using `kubectl`: If you choose not to use `extraManifests` to install Kubelet Serving Certificate Approver and metrics-server during bootstrap, you can install them once the cluster is online using `kubectl`:
```shell ```sh
kubectl apply -f https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml kubectl apply -f https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
``` ```

View File

@ -15,7 +15,7 @@ When used as a base image, the installer will perform the above steps automatica
Build and push your own kernel: Build and push your own kernel:
```shell ```sh
git clone https://github.com/talos-systems/pkgs.git git clone https://github.com/talos-systems/pkgs.git
cd pkgs cd pkgs
make kernel-menuconfig USERNAME=_your_github_user_name_ make kernel-menuconfig USERNAME=_your_github_user_name_

View File

@ -37,7 +37,7 @@ cluster:
If you choose not to use `extraManifests` to install Kubelet Serving Certificate Approver and metrics-server during bootstrap, you can install them once the cluster is online using `kubectl`: If you choose not to use `extraManifests` to install Kubelet Serving Certificate Approver and metrics-server during bootstrap, you can install them once the cluster is online using `kubectl`:
```shell ```sh
kubectl apply -f https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml kubectl apply -f https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
``` ```

View File

@ -0,0 +1,50 @@
---
title: Role-based access control (RBAC)
---
Talos v0.11 introduced initial support for role-based access control (RBAC).
This guide will explain what that is and how to enable it without losing access to the cluster.
## RBAC in Talos
Talos uses certificates to authorize users.
The certificate subject's organization field is used to encode user roles.
There is a set of predefined roles that allow access to different [API methods](../../reference/api/):
* `os:admin` grants access to all methods;
* `os:reader` grants access to "safe" methods (for example, that includes the ability to list files, but does not include the ability to read files content);
* `os:etcd:backup` grants access to [`/machine.MachineService/EtcdSnapshot`](../../reference/api/#machine.EtcdSnapshotRequest) method.
Roles in the current `talosconfig` can be checked with the following command (using [`yq` v4](https://github.com/mikefarah/yq)):
```sh
$ yq eval '.contexts[.context].crt' talosconfig | base64 -d | openssl x509 -noout -text
Certificate:
Data:
[...]
Subject: O = os:reader
[...]
```
RBAC is enabled by default in new clusters created with `talosctl` v0.11 and disabled otherwise.
## Enabling RBAC
First, both the Talos cluster and `talosctl` tool should be [upgraded](../upgrading-talos/) to v0.11.
Then the `talosctl config new` command should be used to generate a new client configuration with the `os:admin` role.
Additional configurations and certificates for different roles can be generated by passing `--roles` flag:
```sh
talosctl config new --roles=os:reader reader
```
That command will create a new client configuration file `reader` with a new certificate with `os:reader` role.
After that, RBAC should be enabled in the machine configuration:
```yaml
machine:
features:
rbac: true
```

View File

@ -20,6 +20,10 @@ TBD
TBD TBD
### After Upgrade to 0.11
TBD
## `talosctl` Upgrade ## `talosctl` Upgrade
To manually upgrade a Talos node, you will specify the node's IP address and the To manually upgrade a Talos node, you will specify the node's IP address and the