scaleway · bene2k1 · Jan 3, 2024 · Jan 4, 2024 · Jan 4, 2024 · Jan 9, 2024
@@ -42,4 +42,3 @@ Once your [cluster is created](/containers/kubernetes/how-to/create-cluster/), a
     kubectl get nodes
     ```
 
-
@@ -0,0 +1,66 @@
+---
+meta:
+  title: How to manage Kubeconfig files with IAM
+  description: This page explains how to manage Scaleway Kubeconfig files with IAM
+content:
+  h1: How to manage Kubeconfig files with IAM
+  paragraph: This page explains how to manage Scaleway Kubeconfig files with IAM
+tags: kubernetes kapsule-cluser
+dates:
+  validation: 2024-11-05
+  posted: 2024-11-05
+categories:
+  - kubernetes
+---
+
+
+A Kubeconfig file serves as a repository for essential credentials required to access a Kubernetes cluster and manage deployments.  
+This file contains critical information, including cluster details, authentication data, and context information, allowing users to oversee and configure their Kubernetes clusters.
+
+Scaleway's Identity and Access Management (IAM) is now being used to generate Kubeconfig files. This integration offers several advantages:
+
+- **Improved user administration:**
+   - When removing a cluster user, there is no longer a need to reset the admin token, mitigating security risks.
+- **Increased Cluster Security:**
+   - Each user has unique credentials, enhancing security.
+   - Audit logs facilitate the identification of specific Kubernetes users.
+- **Enhanced Application Security:**
+   - Applications within the cluster are authenticated using specific tokens.
+   - This authentication method is particularly useful when a pod needs to interact with the Kubernetes API, as it can authenticate using its associated [Service Account](https://kubernetes.io/docs/concepts/security/service-accounts/).
+
+[Identity and Access Management (IAM)](https://www.scaleway.com/en/docs/identity-and-access-management/iam/concepts/#iam) provides control over resource access. IAM policies enable the configuration of permissions for Kubernetes Kapsule clusters at the Project level.
+
+An [IAM policy](https://www.scaleway.com/en/docs/identity-and-access-management/iam/concepts/#policy) defines the permissions for users, groups, and applications within an Organization. It consists of a [principal](https://www.scaleway.com/en/docs/identity-and-access-management/iam/concepts/#principal) (the user, group, or application to which it applies) and IAM rules that specify permission sets and their scope.
+
+The [combination of IAM and Kubernetes RBAC (Role-based Acccess Control)](/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) allows defining fine-grained access levels for cluster users.
+
+<Message type="important">
+    Entering a deprecation cycle, the former authentication system (using static admin tokens) remains active until the second half of 2024: all your legacy Kubeconfig files keep access to their clusters for the time being. For security purposes, you can still use the ["reset admin token" feature](/containers/kubernetes/how-to/revoke-kubeconfig/), either through our Kubernetes API or Scaleway’s CLI.
+    We recommend to download and use new unique, identifiable Kubeconfig files with IAM tokens inside.
+</Message>
+
+<Macro id="iam-requirements" />
+
+<Message type="requirement">
+  - You have an account and are logged into the [Scaleway console](https://console.scaleway.com)
+  - You have [created](/containers/kubernetes/how-to/create-cluster) a Kubernetes Kapsule cluster
+</Message>
+
+## Setting up access
+
+1. [Create a group](/identity-and-access-management/iam/how-to/create-group/) named `k8s-group` that contains the user and the application, so they are the only ones to have access to your cluster.
+2. [Create an IAM policy](/identity-and-access-management/iam/how-to/create-policy/) named `k8s-policy` in the Scaleway console, with the previously created group as a [principal](/identity-and-access-management/iam/concepts/#principal). Apply the corresponding IAM policy to the group. For example, `KubernetesFullAccess`.
+<Message type="tip">
+  Refer to [Setting IAM permissions and implement RBAC on a cluster](/containers/kubernetes/reference-content/set-iam-permissions-and-implement-rbac/) for a detailed overview about the available IAM permissions and how to fine-tune them using Kubernetes RBAC.
+</Message>
+
+## Downloading the Kubeconfig file
+
+1. Click **Kubernetes** in the **Containers** section of the [Scaleway console](https://console.scaleway.com) side menu. The Kubernetes Kapsule overview displays.
+2. Click the name of the cluster you want to access. The cluster overview page displays. Click on the name of the cluster you want to manage.
+3. Scroll down to the **Download kubeconfig with IAM** section of the page.
+4. Click **Download kubeconfig**
+5. Select the API key bearer, enter a description and set the expiration date for the kubeconfig file, then click **Generate kubeconfig**.
+6. Download the kubeconfig file and export the path to start using it with `kubectl`.
+
+You can now manage your cluster using `kubectl`. For more information about this tool, refer to the [official kubectl documentation](https://kubernetes.io/docs/reference/kubectl/).
@@ -0,0 +1,165 @@
+---
+meta:
+  title: Setting IAM permissions and implement RBAC on a cluster
+  description: This page explains how to set IAM permissions and implement RBAC on a Scaleway Kubernetes cluster
+content:
+  h1: Setting IAM permissions and implement RBAC on a cluster
+  paragraph: This page explains how to set IAM permissions and implement RBAC on a Scaleway Kubernetes cluster
+tags: kubernetes kapsule-cluser
+dates:
+  validation: 2024-07-30
+  posted: 2024-07-30
+categories:
+  - kubernetes
+---
+
+Role-based access control (RBAC) is a native feature of Kubernetes and a method of regulating access to compute or network resources based on the roles of individual users within your Organization.
+The feature is activated on Scaleway Kubernetes Kapsule and Kosmos by default and is compatible with Scaleway's IAM service.
+IAM and RBAC work together by integrating Scaleway’s Identity and Access Management with Kubernetes' native RBAC system. This integration ensures that access permissions are consistent across both the cloud infrastructure and the Kubernetes cluster, providing a secure access control mechanism.
+It allows you to assign roles to users, groups or `ServicesAccount` via `RoleBindings` and `ClusterRoleBindings`.
+
+Key components of RBAC in Kubernetes include:
+
+- **Roles and ClusterRoles:**
+   - **Roles:** These are specific to a namespace and define a set of permissions for resources within that namespace (e.g., pods, services).
+   - **ClusterRoles:** These are similar to roles but apply cluster-wide, spanning across all namespaces.
+- **RoleBindings and ClusterRoleBindings:**
+   - **RoleBindings:** These associate a set of permissions defined in a role with a user, group, or service account within a specific namespace.
+   - **ClusterRoleBindings:** These associate a set of permissions defined in a ClusterRole with a user, group, or service account across the entire cluster.
+- **Subjects:**  A subject in RBAC can be a user, a group, or a service account to which roles or cluster roles are bound.
+- **Rules:** Rules are sets of permissions associated with roles or cluster roles. They specify what actions are allowed or denied on specific resources.
+
+RBAC works seamlessly with Scaleway's IAM (Identity and Access Maanagement) system. Refer to [How to manage Kubeconfig files with IAM](/containers/kubernetes/how-to/manage-kubeconfig-with-iam/) for information how to configure IAM permissions for your users.
+
+## Built-in IAM permission sets
+
+<Message type="tip">
+  The cluster administrator can adjust each role's permissions by implementing a role binding for a specific user (e.g. `scaleway:bearer:773989c0-607c-4bb8-a5b8-867581b4e8d2`). This user will then acquire the permissions associated with the role.  
+  It is also possible to adjust the roles permissions by creating a role binding for a group (e.g. `scaleway:groups:773989c0-607c-4bb8-a5b8-867581b4e8d2:devops`). In doing so, all members of that group will be granted the permissions inherent to the role.
+</Message>
+
+### AllProductReadOnly or KubernetesReadOnly
+
+Users with the `AllProductReadOnly` or `KubernetesReadOnly` permission set have no inherent permissions by default.
+
+<Message type="note">
+    Without the configuration of additional role bindings, users do not possess any operational capabilities within the cluster.
+</Message>
+
+### AllProductFullAccess or KubernetesFullAccess
+
+The `AllProductFullAccess` permission set grants full access to the Kubernetes cluster and all other Scaleway products of the user. Users with this permission set can perform actions associated with the `scaleway:cluster-write` binding.  
+
+### AllProductFullAccess (or KubernetesFullAccess) and KubernetesSystemMastersGroupAccess:
+
+The `KubernetesSystemMastersGroupAccess` permission grants users unrestricted access, and they can perform any action on any resource within the Kubernetes cluster.
+Users in this group are added to the `system:masters` cluster role.
+
+<Message type="important">
+  The `system:masters` role overrides any RBAC permissions, allowing users with this role to bypass any restrictions set by other roles.
+  Due to its extended privileges, assigning the `system:masters` role should be done cautiously and limited to trusted administrators who require unrestricted control over the Kubernetes environment.
+</Message>
+
+## Cluster role scaleway:cluster-write
+
+The custom `scaleway:cluster-write` cluster role, injected during cluster setup, provides users with write permissions for specific cluster-level resources.
+Its manifest can be modified within your cluster to configure its permissions according to your specific needs. The default setting, denoted by an asterisk `*`, grants unrestricted access to the resources by default. Adjustments can be made to limit permissions based on your required levels of access.
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: scaleway:cluster-write
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- nonResourceURLs:
+  - '*'
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: scaleway:cluster-write
+subjects:
+- kind: Group
+  name: scaleway:cluster-write
+roleRef:
+  kind: ClusterRole
+  name: scaleway:cluster-write
+  apiGroup: rbac.authorization.k8s.io
+```
+
+### Role and binding examples for users and groups
+
+The following example grants access to the `example-namespace` namespace for the `Devops` group within `scaleway:groups:3972be4a-43d9-43da-9a55-195f1de9b770`. It involves creating a role binding. This binding aligns the specified group with the necessary permissions, enabling access to resources within the specified namespace.
+
+```yaml
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: devops-example-namespace-full-access
+  namespace: example-namespace
+rules:
+- apiGroups: [""]
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups: ["extensions"]
+  resources: ["*"]
+  verbs: ["*"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: devops-rolebinding
+  namespace: example-namespace
+subjects:
+- kind: Group
+  name: scaleway:groups:3972be4a-43d9-43da-9a55-195f1de9b770:Devops
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: devops-example-namespace-full-access
+  apiGroup: rbac.authorization.k8s.io
+```
+
+The following example provides read access to the `example-namespace` namespace for the user identified as `scaleway:bearer:773989c0-607c-4bb8-a5b8-867581b4e8d2` and involves creating a role binding. This binding associates the specified user with the necessary permissions, allowing the user to read resources within the specified namespace.
+
+```yaml
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: toto-read
+  namespace: example-namespace
+rules:
+- apiGroups: [""]
+  resources: ["*"]
+  verbs: ["list", "get"]
+- apiGroups: ["extensions"]
+  resources: ["*"]
+  verbs: ["list","get"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: toto-rolebinding
+  namespace: example-namespace
+subjects:
+- kind: User
+  name: scaleway:bearer:773989c0-607c-4bb8-a5b8-867581b4e8d2
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: toto-read
+  apiGroup: rbac.authorization.k8s.io
+```
+
+For more information how to use RBAC with your Kubernetes clusters, refer to the official [Kubernetes documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).
diff --git a/menu/navigation.json b/menu/navigation.json
@@ -1382,6 +1382,10 @@
                     "label": "Manage a Kosmos cluster",
                     "slug": "edit-kosmos-cluster"
                   },
+                  {
+                    "label": "Manage Kubeconfig files with IAM",
+                    "slug": "manage-kubeconfig-with-iam"
+                  },
                   {
                     "label": "Connect to a cluster with kubectl",
                     "slug": "connect-cluster-kubectl"
@@ -1498,6 +1502,10 @@
                     "label": "Ensuring resiliency with Multi-AZ clusters",
                     "slug": "multi-az-clusters"
                   },
+                  {
+                    "label": "Setting IAM permissions and implement RBAC on a cluster",
+                    "slug": "set-iam-permissions-and-implement-rbac"
+                  },
                   {
                     "label": "Exposing Kubernetes services to the internet",
                     "slug": "exposing-services"