Managing Users and Authorizations in Kyma

Objective

After completing this lesson, you will be able to describe users and authorizations in Kyma

Users and Authorizations in Kyma

Note

Within this lesson, we focus on assigning authorizations manually via the Kyma Dashboard. Provisioning and federation approach are not further explained in this learning journey.

Diagram depicting user and authorizations on architectural levels.

Kyma security is built on Kubernetes robust Role-Based Access Control (RBAC) system, which ensures that users and services have the necessary permissions to perform actions without compromising the platform's security. Through precise role assignments and API definitions, Kyma allows fine-grained access control over resources. The RBAC concept includes the use of roles and role bindings, cluster roles and cluster role bindings, and the definition of these roles based on API Groups and Verbs. The RBAC concept is completely decoupled and independent from the concept of roles and role collections on the account level of SAP BTP.

You can learn more about RBAC here: Using RBAC Authorization

Image with two titles: Kyma and Business Users. Under Kyma, the text reads: Authorixations for operations and development managed with Kubernetes RBAC. Under Business Users, the text reads: Business user authorizations for custom applications deployed in Kyma are maintained by roles and role collections via the SAP BTP cockpit.

If you're a more technical person like an administrator or a developer, you need to interact with the underlying cluster of Kyma. To do so, you need to log on to the Kyma dashboard. In order to log on to this dashboard, your user must be added to the Kyma environment. Users are still stored in identity providers and just linked to the Kyma environment. After you get the correct roles or cluster roles bound to your user through a role binding in RBAC, you are able to interact with attributes, objects, and elements from or executed in the underlying cluster.

If you are more of an end user or, as we call them on account level of SAP BTP, a business user, you interact with services and applications deployed and running in the Kyma environment. If the developers followed the recommendations making use of the XSUAA service, granting authorizations is done through roles and role collections on Subaccount level via the SAP BTP cockpit. For this scenario, everything can be used as you already learned in previous lessons.

Note

The further concepts are only applicable to the so-called platform users using Cluster Roles based on RBAC system.

Diagram showing information about roles within Kyma.

When you want to assign authorizations to users inside of Kyma, you need to work with roles and cluster roles. Both are quite similar but have small differences in detail.

Cluster Roles

These are sets of permissions that apply across the entire Kubernetes cluster. They are typically used for administrative tasks that need to manage resources at the cluster level. Example tasks include creating namespaces, managing nodes, or configuring cluster-wide policies.

Roles

Unlike cluster roles, roles are confined to a specific namespace. They define permissions for resources within that namespace, allowing for more granular control.

When creating cluster roles, you need to define rules and, optionally, labels and annotations. With these elements, you define the structure and authorizations the receiver of the role gets granted.

Labels

Labels are key-value pairs attached to objects such as pods and services. Labels help in identifying and organizing resources and are heavily used in selectors to group resources together for operations like deployments and services. Labels must be key-value pairs, where keys and values are strings.

Annotations

Annotations are key-value pairs similar to labels, but they're used to attach metadata to objects that are not used for selection purposes. They store non-identifying information that can be useful for external tools or for storing arbitrary metadata about the object.

Rules

Rules in the context of roles and cluster roles are the core components that define what actions can be performed on what resources. They define the set of permissions included in roles and cluster roles. They specify the actions (verbs) that can be performed on particular resources within specific API groups or resources.

API Groups

API groups in Kubernetes organize resources for better management and extension of the API. They are crucial in RBAC for defining precise permissions by specifying the appropriate API group for each resource. This ensures secure and efficient access control across different sets of resources within the Kubernetes cluster. We can differentiate into two types of API groups:

Core API Groups: Includes essential Kubernetes resources like pods, services, and nodes. Access these without specifying an API group.
Named API Groups: Extend the API with additional resources, each having its own versions and resources.

Common API Groups are:

apps: manages applications

batch: handles batch processing

networking.k8s.io: manages networking

rbac.authorization.k8s.io: manages RBAC resources

and more

Resources

Specifies the resources that these rules apply to. This can be any Kubernetes object like pods, services, nodes, and so on.

Verbs

Verbs represent the specific actions or operations that can be performed on resources. These verbs are critical in defining what permissions a user, group, or service account has within a Kubernetes cluster. Common verbs are:

get: retrieves details of a specific resource.

list: lists all resources of a specific type.

create: creates a new resource.

update: modifies an existing resource.

delete: removes a resource.

and more

Here's an example of a cluster role with full access to everything (not recommended):

Code Snippet

12345678
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

Here's an example of a role with authorizations for managing pods and services in a namespace called my-namespace:

Code Snippet

123456789
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: my-namespace
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "create", "delete"]

Screenshot of Kyma and where to find and overview of roles and role details.

You want to determine the already created and existing cluster roles in your Kyma environment. To do so, you need to navigate to the Kyma dashboard and using the sidebar menu: Configuration → Cluster Roles. You can see all the existing cluster roles and select them to get the role details displayed. If you need to change an existing role, you simply choose Edit. If you want to determine or change a Role instead of a Cluster Role, the process is identical, except you need to first enter the corresponding namespace via the Kyma dashboard.

Screenshot of Kyma showing the creation of roles.

When you want to create a cluster role, you need to navigate to the Kyma dashboard and using the sidebar menu: Configuration → Cluster Roles. To create a new cluster role, select Create. You need to define all required attributes in the visual Form or within the YAML format. To accelerate the creation of the cluster role, you can make use of the predefined templates, for example, a template for read-only or a template for unlimited authorization and adjust according to your needs. To finish the creation of a cluster role, you need to save through selecting Create again. The cluster role itself does not have an immediate effect. You need to create a cluster role binding for granting authorizations. If you want to create a Role instead of a Cluster Role, the process is identical except you need to first enter the corresponding namespace via the Kyma dashboard.

Diagram showing the concept of role bindings in Kyma.

To assign the (cluster) roles to for example an administrator or developer, you need to create a (cluster) role binding. When creating (cluster) role bindings, you need to define several attributes: the role type, the role you want to bind and the subjects, so the receiver and optionally labels and annotations. Annotations and labels are used in exactly the same way as in the (cluster) role creation.

Role Binding: Role Binding is used to grant permissions defined in a Role to a user or set of users within a specific namespace.
Cluster Role Binding: Cluster Role Binding is used to grant permissions defined in a ClusterRole to a user, set of users, or service accounts across the entire cluster.

Role Type

This can be a cluster role or a normal role at namespace level.

Hint

When you're creating a cluster role binding, the type is fixed as cluster role.

Role

The (cluster) role you've created and want to assign to someone. Selection is based on the name of the role.

Subjects

Subjects are the receivers of the (cluster) role binding. Through the binding, they get the corresponding authorizations granted. There are three types of subjects in Kyma:

User: A user is an individual who can log in and interact with the system. Users are authenticated, typically through SAP Identity Authentication Service or any other supported identity provider. Their roles and permissions are managed to ensure they have the appropriate access to perform their duties within the Kyma environment. Typically, users in Kyma belong to employees with very technical focus. Example: Developers and administrators logging in to deploy and manage services.
User Groups: User groups are collections of users that share common roles and permissions. By grouping users together, it becomes more efficient to manage and assign permissions. Instead of assigning roles to each user individually, you can assign roles to a user group, and all the users within the group will inherit those roles. Example: A Developers group with deployment privileges and an Admins group with administrative privileges.
Service Accounts: A service account is a special type of account intended for use by applications and services rather than individual users. Service accounts are typically used for machine-to-machine communication, running automated tasks, or integrating different services within the Kyma environment. Example: Used by CI/CD pipeline tools to automate the deployment of microservices and applications.

Here's an example of a role binding:

Code Snippet

12345678910111213
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-configmaps
  namespace: dev
subjects:
- kind: User
  name: johndoe
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: read-configmaps
  apiGroup: rbac.authorization.k8s.io

Here's an example of a cluster role binding:

Code Snippet

123456789101112
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets
subjects:
- kind: Group
  name: dev-team
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: read-secrets
  apiGroup: rbac.authorization.k8s.io

Screenshot of Kyma showing the binding of roles. Overview of cluster role bindings and creation of a binding are highlighted.

When you want to create a cluster role binding, you need to navigate to the Kyma dashboard and use the sidebar menu: Configuration → Cluster Role Bindings. To create a new Cluster Role Binding, select Create. You can define all required attributes in the visual Form or within the YAML format. To finish the creation of a cluster role binding and activating the binding, you need to save through clicking again on Create. If you want to create a Role Binding instead of a Cluster Role Binding, the process is identical except you need to first enter the corresponding namespace via the Kyma dashboard.

Learn More About Kyma and Kubernetes RBAC

Note

Besides using the Kyma dashboard for maintaining (cluster) roles and (cluster) role bindings in Kyma through utilizing RBAC, you can also use kubectl for all these tasks.

You can learn more about RBAC here: Using RBAC Authorization
Assign Roles in the Kyma Environment: Assign Roles in the Kyma Environment
It’s recommended that you start with separating the developers and operators of a cluster. Recommended Role Setup: Role-Based Access Control (RBAC) in Kyma
Kubernetes RBAC Good Practices: Role Based Access Control Good Practices

Manage Cluster Roles in Kyma

You want to create a new cluster role with all read-only authorizations. You want to use an according template.

Task 1: Manage Cluster Roles in Kyma

ExerciseStart Exercise

Result

You've created a new cluster role based on a template. In a real scenario, you may change the role and add or remove additional elements like labels, annotations, rules, or verbs, and as a next step, you would create a cluster role binding to map your cluster role to users. As these cluster role concepts of Kyma are based on Kubernetes RBAC, you can find more information in the documentation of Kubernetes: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Next lesson