Tanzu Mission Control – Access Policies

Tanzu Mission Control – Access Policies

March 10, 2020 1 By Eric Shanks

Controlling access to a Kubernetes cluster is an ongoing activity that must be done in conjunction with developer needs and is often maintained by operations or security teams. Tanzu Mission Control (TMC) can help use setup and manage these access policies across fleets of Kubernetes clusters, making everyone’s life a little bit easier.

Setup Users

Before we can assign permissions to a user or group, we need to have a user or group to assign these permissions. By logging into the VMware Cloud Services portal (cloud.VMware.com) and going to the Identity and Access Management Tab we can create and invite new users. You can see I’ve created a user.

For good practice purposes, I’ve added this user to a group named “hollowgroup” which is where I’ll assign my permissions. Future users can be added to this group to obtain the same permissions without changing our policies.

Create an Access Policy

Now we must login to the Tanzu Mission Control portal and navigate to the “Policies” menu. From here we can assign permissions at several levels including the Organization (Top level), the cluster group, a specific cluster, or a namespace. We can also assign permissions at a workspace level which would be a group of namespaces. These options are handy because they provide good flexibility here to manage many policies across clusters and namespaces.

The levels here work in a hierarchical fashion, where the lowest level will take precedence. This lets you assign view permissions at the cluster level and more administrative type writes at a namespace level for example.

Here I’ve added the edit permissions to my hollowgroup group on my test namespace.

After we create the policy, you should be able to login to the Kubernetes cluster and we’ll notice some new roles/clusterroles and rolebindings/clusterrolebindings. Below you an see one of my role bindings created that maps my clusterrole with the hollowgroup group.

Access the Cluster

Now that the policy has been created, our user can login to Tanzu Mission Control and will have a limited view of the resources. Since we added them to this namespace though, they can navigate to the namespace we identified. Here you’ll notice a button that says “ACCESS THIS NAMESPACE” button.

That button will give instructions on downloading the appropriate KUBECONFIG file and instructions on using it. It will requires the TMC binary to be in your path to handle the authentication piece.

Summary

Identity management for disperate clusters can be a tricky thing to manage for an administrator. Tanzu Mission Control can provide Identity Policy management across multiple clusters and namespaces to centrally manage these processes.