How To Give Developers Secure Access to Kubernetes Clusters
Eionel
Posted on November 8, 2021
Installing Lens
Navigate to the Lens website (https://k8slens.dev/) and download the latest version of Lens for your preferred OS. Once you have downloaded and installed it, open the application. Lens IDE will automatically add your Kubeconfig (if done correctly, you will see a cluster icon on the left-hand side). Lens works with any certified CNCF Kubernetes distro.
Now that your cluster has been added, you have full situational awareness of your Kubernetes cluster. Users can easily monitor all objects and resources within their cluster.
Creating a Lens Space account
In order to share a cluster with a team or team member, you will first need to create a Lens Spaces account:
In the bottom right corner of Lens, click “Lens Login” (or go to https://app.k8slens.dev/signup)
Click “Create an account” and follow the process to sign up for a Lens Spaces account. Once you have registered for an account, log into Lens Spaces and open up the desktop application.
Creating a Lens Space and Sharing Access to Your Cluster
Once logged in, you will need to create a secure “Space” in Lens 5 and share your cluster to that space. To do so, click on your username in the bottom right corner of Lens 5 and select “Add Space …”. Enter a unique Space name.
Now, navigate to your “Catalog” on the left-hand side of the desktop application. Within the Catalog, navigate to the “cluster” you just added. Click the ellipsis on the right-hand side of your cluster and select “Share Cluster”.
From there, you will need to select the space you would like to add the cluster to. Select the space you just created and specify the region for Cluster Connect Server Infrastructure (Lens Agent is installed in your cluster). Now, select “Install Cluster Connect and Share”.
You have now successfully installed Cluster Connect to your cluster and shared it to the selected Space. You can learn more about Cluster Connect here.
Invite members to your Space
Now that you have created a Space and shared the selected cluster to the Space, you will need to invite members to your Space to share access to your cluster.
Now navigate to the share icon on your cluster, and select the Space you wish to add members to.
Enter your colleague’s username or email address (press Enter to confirm). If the invitee already has a Lens Spaces account, they will receive a direct invite; otherwise, they will need to receive an email invite.
Accepting a Space Invite:
For an invitee to access your cluster, they need to accept your invitation:
Click on your username in the bottom right corner. Click “My Profile”. Within your profile settings, click “Spaces”. You will now be able to see “Invitations”. Click “Accept”. You have now joined a new Space.
In order to view the shared clusters, close your Lens Space settings and navigate to your “Catalog”. Here, you will be able to view clusters that you have permission to access.
Creating a Team Within Your Space
In order to give specific access to a particular team or team member, you will need to create a “Team” within your Space.
Begin by clicking your username in the bottom right-hand corner and choose “Edit Space …”.
Select the “Space” you would like to add a “Team” to. Now, within your Space settings, click “Teams”. Then click “Create New Team” and enter the team name.
Once you have created a team within your Space, you will need to add a member to that team.
Click the ellipsis on the right side of your team and select “Add Member”, then select a Space member (you cannot add members to a team unless they are already part of your Space). You have now successfully created a team and added a member to it.
How To Give Granular Access
Okay, now you may want to grant more specific permissions to the team you just created.
Let’s imagine your Space has a team called “Developers” who need read access to a single namespace called “monitoring”. In order to do this, you will need to add a “RoleBinding” to your Kubernetes cluster.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: Developers-monitoring
      # A RoleBinding only grants access inside its own namespace
      namespace: monitoring
    subjects:
      # The "Developers" team from the Space, referenced as a Kubernetes group
      - kind: Group
        name: lens-spaces:Developers
        apiGroup: rbac.authorization.k8s.io
    roleRef:
      # Referencing a ClusterRole from a RoleBinding still limits it to the namespace above
      kind: ClusterRole
      name: lens-spaces-view
      apiGroup: rbac.authorization.k8s.io
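This will grant the lens-spaces-view role to the “Developers” team in the monitoring namespace.
In addition to this, you may want to limit Space members’ permissions. By default, we grant read access to all namespaces. To change this, you can edit or remove the lens-platform-read-teams ClusterRoleBinding. Kubernetes RBAC is additive, so while that default cluster-wide grant is in place, the namespace-scoped RoleBinding above does not narrow what the team can read.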
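The following audit helper is an added example, not code from the article or from Lens: it computes where a team's group can use each role and which cluster-wide bindings still widen that scope. The binding list is constructed; the subjects and roleRef shown for lens-platform-read-teams are assumptions, so check the real object with `kubectl get clusterrolebinding lens-platform-read-teams -o yaml`.

```python
# Constructed stand-in for the "items" of
# `kubectl get rolebindings,clusterrolebindings -A -o json`.
BINDINGS = [
    {   # Name is from the article; subjects and roleRef are ASSUMED for illustration.
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "lens-platform-read-teams"},
        "subjects": [{"kind": "Group", "name": "lens-spaces:Developers"}],
        "roleRef": {"kind": "ClusterRole", "name": "lens-spaces-view"},
    },
    {   # The RoleBinding from the article.
        "kind": "RoleBinding",
        "metadata": {"name": "Developers-monitoring", "namespace": "monitoring"},
        "subjects": [{"kind": "Group", "name": "lens-spaces:Developers"}],
        "roleRef": {"kind": "ClusterRole", "name": "lens-spaces-view"},
    },
]
ALL_NAMESPACES = "*"


def _binds_group(binding, group):
    """True if the binding lists `group` as a Group subject."""
    return any(s.get("kind") == "Group" and s.get("name") == group
               for s in binding.get("subjects") or [])


def group_scopes(bindings, group):
    """Map each role bound to `group` to the namespaces where it applies.

    RBAC is additive: a ClusterRoleBinding applies in every namespace, while a
    RoleBinding applies only in its own namespace even if it names a ClusterRole.
    """
    scopes = {}
    for b in bindings:
        if not _binds_group(b, group):
            continue
        ns = ALL_NAMESPACES if b["kind"] == "ClusterRoleBinding" else b["metadata"]["namespace"]
        scopes.setdefault(b["roleRef"]["name"], set()).add(ns)
    return scopes


def cluster_wide_bindings(bindings, group):
    """Names of ClusterRoleBindings that still give `group` cluster-wide access."""
    return sorted(b["metadata"]["name"] for b in bindings
                  if b["kind"] == "ClusterRoleBinding" and _binds_group(b, group))


if __name__ == "__main__":
    team = "lens-spaces:Developers"
    print("default:", group_scopes(BINDINGS, team), cluster_wide_bindings(BINDINGS, team))
    trimmed = [b for b in BINDINGS if b["metadata"]["name"] != "lens-platform-read-teams"]
    print("after removal:", group_scopes(trimmed, team), cluster_wide_bindings(trimmed, team))
```

To run it against a real cluster, replace BINDINGS with the parsed `items` list from the kubectl command named in the first comment.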
About Lens
Lens provides the full situational awareness for everything that runs in Kubernetes. It’s lowering the barrier of entry for people just getting started and improving productivity for people with more experience. Lens is built on open source and free of charge for any purpose. The Lens open source project is backed by a number of Kubernetes and cloud-native ecosystem pioneers. With more than 5 million downloads, over 250,000 users, and 15.3k stars on GitHub, it’s the most popular IDE for Kubernetes. https://k8slens.dev.