Onboarding Users onto a DKP Cluster
After you install DKP and create a cluster, use this procedure to add new users to your environment.
Prerequisites
A Valid DKP License (Essential or Enterprise)
A running Cluster
Onboarding a New User to a DKP Cluster
Create an LDAP Connector definition and name it
ldap.yaml
. An example is shown below:CODEapiVersion: v1 kind: Secret metadata: name: ldap-password namespace: kommander type: Opaque stringData: password: superSecret --- apiVersion: dex.mesosphere.io/v1alpha1 kind: Connector metadata: name: ldap namespace: kommander spec: enabled: true type: ldap displayName: LDAP Test Connector ldap: host: ldapdce.testdomain insecureNoSSL: true bindDN: cn=ldapconnector,cn=testgroup,ou=testorg,dc=testdomain bindSecretRef: name: ldap-password userSearch: baseDN: dc=testdomain filter: "(objectClass=inetOrgPerson)" username: uid idAttr: uid emailAttr: uid groupSearch: baseDN: ou=testorg,dc=testdomain filter: "(objectClass=posixGroup)" userMatchers: - userAttr: uid groupAttr: memberUid nameAttr: cn
Add the connector using the following command:
CODEkubectl apply -f ldap.yaml
The output should look similar to the following:
CODEsecret/ldap-password created connector.dex.mesosphere.io/ldap created
Add the appropriate role bindings and name the file
new_user.yaml
. Examples for both Single User and Group Bindings are shown below:The property for the
subjects.name
varies depending on the context for which you have established an Identity Provider.If you have set up an identity provider for All Workspaces:
For groups: configure the
subjects.name
field tooidc:<IdP_user_group>
. For example,oidc:engineering
.For users: configure the
subjects.name
field to<user_email>
. For example,jane.doe@example.com
If you have set up an identity provider for a Specific Workspace:
For groups: configure the
subjects.name
field tooidc:<workspace_ID>:<IdP_user_group>
. For example,oidc:tenant-z:engineering
.For users: configure the
subjects.name
field to<workspace_ID>:<user_email>
. For example,tenant-z:jane.doe@example.com
.
Runkubectl get workspaces
to obtain a list of all existing workspaces. Theworkspace_ID
is listed under theNAME
column.
For Single Users:
CODEapiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-admin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: newUser
Group Binding
CODEapiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: cluster-admin namespace: ml roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: oidc:kommanderAdmins
Add the role binding(s) using the following command:
CODEkubectl apply -f new_user.yaml
ClusterRoleBindings
permissions are applicable on a global level. RoleBindings
permissions are applicable on a namespace level.
This procedure assumes that the user being added is an admin.
For additional information about the other roles in DKP and their permissions, refer to Granting Access to Kubernetes and Kommander Resources.
For accessing the Kubernetes dashboard at the /dkp/kubernetes/
URL you are required to create a DKP role that grants access to that URL path. Refer to the Accessing the Kubernetes Dashboard section of the page above.