Hi all,
I want to get your opinion on how to manage access control for Kubernetes clusters deployed across multiple clouds consistently. Usually these clusters are deployed in managed Kubernetes services where authentication is handled by the native cloud and authorization is governed by the K8 RBAC. Therefore, if access control is to be consistently maintained across these clusters, what is the best way to do it?
That’s a hard one, and not one that I’ve tried to set up.
However, you would need a central source of truth for users, such as a corporate Active Directory server. On-premises AD can integrate with AWS IAM, and will certainly integrate with Azure. I don't know about GCP, but I can't see them not supporting it.
So effectively what you need is a single sign-on system across your cloud accounts.
Thank you for the response.
SSO will definitely help to resolve the access. However, on top of what you have mentioned, I am still wondering about centralized RBAC policy management. These RBAC policies are managed within the k8 clusters. Imagine there is a policy that does not allow the policy bearer to remove pods. All the developers have been assigned this policy in their respective cloud platforms. In future, if modifications need to be made to this policy, or if an admin amends such a policy in a certain cloud, there will be inconsistencies across them. Though SSO governs a centralized AD for authentication, authorization can lead to inconsistencies. How can this be addressed by your proposed solution? Thank you
What I do know is how AWS works in this scenario, although I can’t remember exactly because it was at a job I left over 3 years ago. I don’t know about Azure and GCP, but whatever one cloud provider does, the others usually do something similar.
In AWS with on-premises Active Directory, it can be set up such that the groups a user is a member of will grant certain AWS roles to that user when they log into AWS over SSO. Assuming there is something similar in the IAMs of the other providers (Azure 99.9999% certain since it's Microsoft, and after all, Azure's IAM is based on AD), then the permissions are assigned that way. A change in Active Directory should then reflect on cloud permissions.
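Added illustration (editor's example, not code from either participant in the thread) of the policy-management side the original question asks about. The idea it demonstrates: keep the RBAC rules in one place, bind them to the SSO directory groups rather than to per-cloud users, render identical ClusterRole objects for every cluster, and lint the rendered output before applying it. It assumes that all clusters authenticate through the same directory, and that the Kubernetes subject name representing a given group differs per provider (an IAM-role-to-group mapping on EKS, a group object ID on AKS, a group e-mail address on GKE); the subject values, cluster names and group names below are placeholders. The "developers may not delete pods" rule from the thread is expressed by omitting `delete` from the verb list, because Kubernetes RBAC has no deny rules.

```python
"""Central RBAC policy rendered to per-cluster manifests (editor's example).

Assumptions (placeholders, not real environments):
- every cluster authenticates through the same SSO directory, so one
  directory group can be referenced from every cluster's RBAC bindings;
- the Kubernetes subject name for that group differs per provider.
"""
import json
from typing import Dict, List

# Single source of truth: what each directory group may do, everywhere.
# RBAC is allow-only, so "developers cannot delete pods" is expressed by
# leaving "delete" out of the verb list, not by a deny rule.
POLICY: Dict[str, List[dict]] = {
    "developers": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
    ],
    "platform-admins": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}

# Per-cluster name of each SSO group as it appears to the API server
# (constructed placeholder values).
GROUP_SUBJECTS: Dict[str, Dict[str, str]] = {
    "eks-prod": {"developers": "corp:developers",
                 "platform-admins": "corp:platform-admins"},
    "aks-prod": {"developers": "00000000-0000-0000-0000-000000000001",
                 "platform-admins": "00000000-0000-0000-0000-000000000002"},
    "gke-prod": {"developers": "developers@example.com",
                 "platform-admins": "platform-admins@example.com"},
}


def render_manifests(cluster: str) -> List[dict]:
    """Return ClusterRole + ClusterRoleBinding objects for one cluster.

    The rules are identical on every cluster; only the subject name changes.
    """
    objects = []
    for group, rules in POLICY.items():
        role_name = f"sso-{group}"
        objects.append({
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRole",
            "metadata": {"name": role_name},
            "rules": rules,
        })
        objects.append({
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": role_name},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": role_name},
            "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                          "kind": "Group",
                          "name": GROUP_SUBJECTS[cluster][group]}],
        })
    return objects


def role_allows(manifests: List[dict], role_name: str,
                api_group: str, resource: str, verb: str) -> bool:
    """Mirror RBAC evaluation: any one matching rule ('*' is a wildcard)
    grants the verb; nothing can take it away."""
    for obj in manifests:
        if obj["kind"] != "ClusterRole" or obj["metadata"]["name"] != role_name:
            continue
        for rule in obj["rules"]:
            if ((api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
                    and (resource in rule["resources"] or "*" in rule["resources"])
                    and (verb in rule["verbs"] or "*" in rule["verbs"])):
                return True
    return False


def lint_all_clusters() -> Dict[str, bool]:
    """CI guardrail run before apply: for every cluster, True means the
    rendered developer role does NOT grant delete on pods."""
    return {c: not role_allows(render_manifests(c), "sso-developers",
                               "", "pods", "delete")
            for c in GROUP_SUBJECTS}


if __name__ == "__main__":
    assert all(lint_all_clusters().values()), "policy drift: developers can delete pods"
    for cluster in GROUP_SUBJECTS:
        # kubectl accepts JSON as well as YAML, e.g.
        #   kubectl --context <cluster> apply -f <cluster>.rbac.json
        with open(f"{cluster}.rbac.json", "w") as fh:
            json.dump({"apiVersion": "v1", "kind": "List",
                       "items": render_manifests(cluster)}, fh, indent=2)
```

The point of the split is that an admin who edits a role directly on one cluster is the drift case the question worries about; if the rendered files are the only thing ever applied (ideally by a GitOps controller that reconciles continuously), a hand edit is overwritten on the next sync, and a change to the central policy reaches every cloud in one commit.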