Wednesday, November 27, 2019

Error: You must be logged in to the server (Unauthorized)

Symptom:

   When users try to list the pods of an OKE (Oracle Kubernetes Engine) cluster via kubectl get po, it errors out as below:
error: You must be logged in to the server (Unauthorized)

Solution:

  It is quite possible that the users don't have the correct privilege in Oracle OCI IAM. Users need to be in a group that has a policy granting "USE" or higher ("MANAGE") on OKE clusters.

i.e.  Allow group <group-name> to use cluster-family in <location>

Saturday, November 09, 2019

Tip: RBAC Comparison Oracle DB vs Kubernetes

This is for Oracle DBAs to better understand how Kubernetes RBAC works. Both have similar RBAC concepts:


Oracle Database                                          | Kubernetes
---------------------------------------------------------|---------------------------------------------------------
dba role                                                 | cluster-admin role
grant dba role                                           | grant cluster-admin role
create apps-user role to access tablespace example only  | create apps-user role to access namespace example only
create apps-user                                         | create apps-user or service account
grant apps-user role to apps-user                        | role-binding apps-user role to apps-user
apps-users work happily in tablespace example            | apps-users work happily in namespace example


How to Segregate Applications in a Kubernetes Cluster without Compromising the Cluster-Admin Role

Requirement:

   In the enterprise world, we often have a few applications running on the same Kubernetes cluster. Each application owner would like to operate on his own application without interfering with other applications. We would not like to grant cluster-admin to application owners for security reasons. Meanwhile, application owners should have full privileges within their own application scope.

Solution:

  • Create a namespace for each application
kubectl create namespace test-apps-ns
  • The cluster admin creates a Role, ServiceAccount, and RoleBinding for each application. Below is an example YAML file:
# Role scoped to the application's namespace: '*' grants every verb on every
# resource, but only inside test-apps-ns (cluster-scoped resources such as
# nodes and namespaces are not reachable through a Role)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: test-apps-ns
  name: test-role
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
# Identity the application owner will authenticate as
apiVersion: v1
kind: ServiceAccount
metadata:
  name: oke-test-user
  namespace: test-apps-ns
---
# Bind the namespaced Role to the ServiceAccount in the same namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: test-apps-ns
  name: test-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: test-role
subjects:
- kind: ServiceAccount
  name: oke-test-user
  namespace: test-apps-ns
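The two steps above (namespace, then Role + ServiceAccount + RoleBinding) repeated for every application, as an added shell example that is not part of the original post. It generates the manifests for any number of applications and prints the kubectl auth can-i checks a cluster admin runs afterwards to confirm the boundary: the service account is allowed inside its own namespace and denied in other namespaces and on cluster-scoped resources. The naming scheme (<app>-ns, <app>-sa, <app>-admin) is an assumption of this example, as is the use of the default namespace as the "other" namespace in the check.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates per-application
# namespace-scoped RBAC and the verification commands for the isolation.
# Naming scheme <app>-ns / <app>-sa / <app>-admin is assumed here.
set -eu

# Emit Namespace, Role, ServiceAccount and RoleBinding for one application,
# all scoped to that application's own namespace.
app_rbac_manifest() {
  app="$1"
  ns="${app}-ns"
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ${ns}
  name: ${app}-admin
rules:
# Full control inside the namespace only; a Role cannot reach
# cluster-scoped resources (nodes, namespaces, clusterroles).
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${app}-sa
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: ${ns}
  name: ${app}-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${app}-admin
subjects:
- kind: ServiceAccount
  name: ${app}-sa
  namespace: ${ns}
EOF
}

# Print the checks run after applying the manifests. Expected answers:
# "yes" for the first line (own namespace), "no" for the other two.
verify_commands() {
  app="$1"
  other_ns="$2"
  sa="system:serviceaccount:${app}-ns:${app}-sa"
  printf '%s\n' \
    "kubectl auth can-i get pods -n ${app}-ns --as=${sa}" \
    "kubectl auth can-i get pods -n ${other_ns} --as=${sa}" \
    "kubectl auth can-i list nodes --as=${sa}"
}

# Sanity check: number of top-level resources in a generated manifest.
manifest_kind_count() {
  app_rbac_manifest "$1" | grep -c '^kind:'
}

# Stand-alone usage:  sh segregate.sh billing payroll
# Applies the manifests when kubectl is on PATH, otherwise just prints them.
if [ "$#" -gt 0 ]; then
  for app in "$@"; do
    if command -v kubectl >/dev/null 2>&1; then
      app_rbac_manifest "$app" | kubectl apply -f -
    else
      app_rbac_manifest "$app"
    fi
    verify_commands "$app" default
  done
fi
```

The verification step is the part worth keeping: a wildcard Role looks broad, but running the three can-i lines with --as impersonation shows that it stops at the namespace edge, which is exactly the property the requirement asks for.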