RBAC Authorization

This is legacy Apache Ignite documentation.

The new documentation is hosted here: https://ignite.apache.org/docs/latest/

Overview

Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise.

Kubernetes RBAC uses the rbac.authorization.k8s.io API group to drive authorization decisions, allowing admins to dynamically configure policies through the Kubernetes API.

It's recommended to set up RBAC for your Ignite deployments so that you have fine-grained control over them and avoid security-related issues.

Prerequisites

It's assumed that you already have a Kubernetes cluster deployed. For instance, the following documentation explains how to spin it up on Microsoft Azure.

Namespace Creation

Create a unique namespace for your Ignite deployment. In our case the namespace name is ignite:

apiVersion: v1
kind: Namespace
metadata:
  name: ignite

Run the command below to configure the namespace:

kubectl create -f ignite-namespace.yaml

Service Account Creation

Use the following configuration for the Ignite service account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ignite
  namespace: ignite

Run the command below to create the account:

kubectl create -f ignite-service-account.yaml

Role Creation

Use the following configuration for the role used by the Ignite Service, which handles auto-discovery of Ignite nodes and acts as a LoadBalancer for remote applications:

apiVersion: rbac.authorization.k8s.io/v1 # v1beta1 was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: ignite # a ClusterRole is cluster-scoped, so it takes no namespace
rules:
- apiGroups:
  - ""
  resources: # Here are resources you can access
  - pods
  - endpoints
  verbs: # That is what you can do with them
  - get
  - list
  - watch

Note: if you are not going to use the Ignite Service as a LoadBalancer for your external applications, grant it fewer privileges, as suggested here.

Run this command to create the role:

kubectl create -f ignite-account-role.yaml

Next, bind this role to the service account in the ignite namespace using the following configuration:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1 # v1beta1 was removed in Kubernetes 1.22
metadata:
  name: ignite
roleRef:
  kind: ClusterRole
  name: ignite
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: ignite
  namespace: ignite

Run this command to create the binding:

kubectl create -f ignite-role-binding.yaml

Finally, switch the current namespace to ignite so that you can see all the resources belonging to it:

kubectl config set-context $(kubectl config current-context) --namespace=ignite
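
The ClusterRole and ClusterRoleBinding above give the ignite service account get/list/watch on pods and endpoints in every namespace, not only in ignite. The following added example (not part of the original Ignite documentation) is a simplified Python model of RBAC evaluation that compares that binding with a namespace-scoped RoleBinding; the RoleBinding, the function names and the kube-system query are assumptions made for illustration.

```python
# Simplified model of Kubernetes RBAC evaluation (added example, not Ignite or Kubernetes code).
# The manifests are the page's YAML re-typed as dicts so this runs without a YAML parser.
CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "ignite"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "endpoints"],
               "verbs": ["get", "list", "watch"]}],
}
SUBJECT = {"kind": "ServiceAccount", "name": "ignite", "namespace": "ignite"}
ROLE_REF = {"kind": "ClusterRole", "name": "ignite", "apiGroup": "rbac.authorization.k8s.io"}
# The binding from the page: applies in every namespace.
CLUSTER_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "ignite"},
                   "roleRef": ROLE_REF, "subjects": [SUBJECT]}
# Constructed alternative (assumption): same role, bound only inside the ignite namespace.
NAMESPACED_BINDING = {"kind": "RoleBinding",
                      "metadata": {"name": "ignite", "namespace": "ignite"},
                      "roleRef": ROLE_REF, "subjects": [SUBJECT]}


def rule_matches(rule, verb, resource, api_group=""):
    """True if one policy rule covers the verb/resource pair ('*' is a wildcard)."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def allowed(binding, roles, subject, verb, resource, namespace):
    """True if `binding` lets `subject` perform `verb` on `resource` in `namespace`."""
    if subject not in binding.get("subjects", []):
        return False
    # A RoleBinding grants only inside its own namespace; a ClusterRoleBinding grants everywhere.
    if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
        return False
    ref = binding["roleRef"]
    role = next((r for r in roles
                 if r["kind"] == ref["kind"] and r["metadata"]["name"] == ref["name"]), None)
    if role is None:
        return False
    return any(rule_matches(rule, verb, resource) for rule in role["rules"])


if __name__ == "__main__":
    for label, binding in (("ClusterRoleBinding", CLUSTER_BINDING),
                           ("RoleBinding", NAMESPACED_BINDING)):
        for ns in ("ignite", "kube-system"):
            ok = allowed(binding, [CLUSTER_ROLE], SUBJECT, "list", "pods", ns)
            print(f"{label:18} list pods in {ns:11} -> {ok}")
```

On a live cluster, `kubectl auth can-i list pods --as=system:serviceaccount:ignite:ignite -n kube-system` answers the same question against the real policy.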