Developers are the target users of Kubernetes. Once a Tanzu Kubernetes cluster is provisioned, you can grant developer access using vCenter Single Sign-On authentication.
Authentication for Developers
A cluster administrator can grant cluster access to other users, such as developers. Developers can deploy pods to clusters directly using their user accounts, or indirectly using service accounts. For more information, see Using Pod Security Policies with Tanzu Kubernetes Clusters.
- For user account authentication, Tanzu Kubernetes clusters support vCenter Single Sign-On users and groups. The user or group can be local to the vCenter Server, or synchronized from a supported directory server.
- For service account authentication, you can use service tokens. For more information, see the Kubernetes documentation.
Adding Developer Users to a Cluster
To grant cluster access to developers:
- Define a Role or ClusterRole for the user or group and apply it to the cluster. For more information, see the Kubernetes documentation.
- Create a RoleBinding or ClusterRoleBinding for the user or group and apply it to the cluster. See the following example.
To grant access to a vCenter Single Sign-On user or group, the subject in the RoleBinding must contain either of the following values in its name field:
- A user name in the form sso:<username>@<domain>. For example, a local user name, such as
- A group name from a directory server integrated with the vCenter Server, such as
The following example RoleBinding binds the vCenter Single Sign-On local user named Joe to the default ClusterRole named edit. This role permits read/write access to most objects in a namespace, in this case the default namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rolebinding-cluster-user-joe
  namespace: default
roleRef:
  kind: ClusterRole
  name: edit  # Default ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  name: sso:email@example.com  # sso:<username>@<domain>
  apiGroup: rbac.authorization.k8s.io
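As an added example that is not from the original page, the following shell script generates a second RoleBinding, this time for a directory group bound to the read-only view ClusterRole rather than edit, and checks the subject name before the manifest is applied. It assumes that a group subject uses the same sso:<name>@<domain> pattern as the user subject shown above; the subject, namespace and group values are constructed, and the kubectl auth can-i impersonation check at the end is a standard kubectl command for confirming the effective rights.

```shell
#!/bin/sh
# Added example: render a namespace-scoped RoleBinding for a vCenter SSO
# subject and sanity-check the subject name first. The group form
# sso:<groupname>@<domain> is an assumption modelled on the page's user form.

# Return 0 when NAME looks like sso:<name>@<domain>, 1 otherwise.
valid_sso_subject() {
    case "$1" in
        sso:*@*) ;;            # prefix and domain both present
        *) return 1 ;;
    esac
    return 0
}

# Print a RoleBinding manifest to stdout.
# usage: render_rolebinding <User|Group> <sso-subject> <namespace> <ClusterRole>
render_rolebinding() {
    kind=$1; subject=$2; ns=$3; role=$4
    valid_sso_subject "$subject" || { echo "bad subject: $subject" >&2; return 1; }
    case "$kind" in User|Group) ;; *) echo "kind must be User or Group" >&2; return 1 ;; esac
    # Deterministic binding name: drop the sso: prefix, map '@' and '.' to '-'.
    short=$(printf '%s' "$subject" | sed 's/^sso://; s/[@.]/-/g')
    cat <<EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rolebinding-$(printf '%s' "$kind" | tr 'A-Z' 'a-z')-$short
  namespace: $ns
roleRef:
  kind: ClusterRole
  name: $role
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: $kind
  name: $subject
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Constructed values: bind the group 'devs' to the read-only 'view' ClusterRole
# in the 'dev' namespace (less than the 'edit' role used in the page's example).
render_rolebinding Group sso:devs@example.com dev view
# After 'kubectl apply -f' of the output, verify the result by impersonation:
#   kubectl auth can-i create pods -n dev --as=sso:joe@example.com --as-group=sso:devs@example.com
```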