Role-based access control (RBAC) is a method of regulating access to Kubernetes resources based on the roles of individual users within an enterprise.

To use this feature, you must configure the HAProxy Enterprise Ingress Controller to use RBAC and to connect to Kubernetes.

Prerequisites
This documentation applies to Kubernetes 1.8 and above.

Implementing RBAC

The implementation of RBAC consists of:

  • Creating an RBAC User, role, and bindings

  • Deploying RBAC

Create an RBAC User, role, and bindings

  1. Download the file ingress-controller-rbac.yml below:

    ---
    apiVersion: v1
    kind: Namespace
    metadata:
      name: default
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: ingress-controller
      namespace: default
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: ingress-controller
    rules:
      - apiGroups:
          - ""
        resources:
          - configmaps
          - endpoints
          - nodes
          - pods
          - secrets
        verbs:
           - list
           - watch
      - apiGroups:
          - ""
        resources:
          - nodes
        verbs:
          - get
      - apiGroups:
          - ""
        resources:
          - services
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - "extensions"
        resources:
          - ingresses
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - ""
        resources:
          - events
        verbs:
          - create
          - patch
      - apiGroups:
          - "extensions"
        resources:
          - ingresses/status
        verbs:
          - update
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: ingress-controller
      namespace: default
    rules:
      - apiGroups:
          - ""
        resources:
          - configmaps
          - pods
          - secrets
          - namespaces
        verbs:
          - get
      - apiGroups:
          - ""
        resources:
          - configmaps
        verbs:
          - get
          - update
      - apiGroups:
          - ""
        resources:
          - configmaps
        verbs:
          - create
      - apiGroups:
          - ""
        resources:
          - endpoints
        verbs:
          - get
          - create
          - update
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: ingress-controller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: ingress-controller
    subjects:
      - kind: ServiceAccount
        name: ingress-controller
        namespace: default
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: ingress-controller
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: ingress-controller
      namespace: default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: ingress-controller
    subjects:
      - kind: ServiceAccount
      name: ingress-controller
      namespace: default
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: ingress-controller
  2. Run the following command:

      kubectl create -f ingress-controller-rbac.yml
    
    This creates the following Kubernetes objects:
    
    - serviceaccount/ingress-controller
    - clusterrole/ingress-controller
    - role/ingress-controller
    - clusterrolebinding/ingress-controller
    - rolebinding/ingress-controller
  3. The rights are given for the namespace "default". Update the file to match your requirements.

Deploy RBAC

To deploy RBAC, you have two options:

  • Short: using a ServiceAccount token

  • Long: using an SSL client certificate

Deploy RBAC using a ServiceAccount token

Update your HAProxy Enterprise ingress deployment YAML file to load the secret above as a local volume in /etc/kubernetes:

spec:
  template:
    spec:
      serviceAccountName: ingress-controller

Deploy RBAC using an SSL client certificate

This procedure applies only if you manage your own Public Key Infrastructure (PKI) for your Kubernetes cluster.

Create an SSL client certificate for the ingress-controller ServiceAccount

When RBAC is enabled, clients must use a SSL client certificate to get connected to the API server.

To do so, you must create one for the service account "ingress-controller" described in the ingress-controller-rbac.yml file.

  1. Run the following commands in your Kubernetes CA directory:

    openssl genrsa -out ingress-controller.key 2048
    openssl req -new -key ingress-controller.key -out ingress-controller.csr -subj /CN=ingress-controller
    openssl x509 -req -in ingress-controller.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out ingress-controller.pem -days 365

    Note

    The /CN parameter is important and must contain the ServiceAccount name. Some groups could be passed using the /O parameters. (See the Kubernetes documentation for more information.)

Create a kubeconfig.yml file for the Ingress Controller

The HAProxy Ingress Controller uses the kuberconfig.yml file to authenticate itself with the Kubernetes API server.

Its contents should look as follows:

apiVersion: v1
kind: Config
clusters:
- name: local
  cluster:
     certificate-authority: /etc/kubernetes/ca.pem
     server: <URL of your kubernetes API server: IE https://a.b.c.d>
 users:
 - name: ingress-controller
   user:
     client-certificate: /etc/kubernetes/ingress-controller.pem
     client-key: /etc/kubernetes/ingress-controller.key
 contexts:
 - context:
     cluster: local
     user: ingress-controller
   name: ingress-controller-context
 current-context: ingress-controller-context
Create a secret with the kubeconfig file and its dependencies
  1. Create a directory (here named "kubeconfig") to contain all the required files below:

    • kubconfig.yml: contains the authentication information

    • ca.pem: the CA certificate file (to authenticate the API server)

    • ingress-controller.pem and ingress-controller.key: the certificate and key for the HAProxy Enterprise Ingress Controller

  2. Execute the following command to create a secret called "hapee-kubeconfig":

    kubectl create secret generic hapee-kubeconfig \
      --from-file=./kubeconfig/kubeconfig.yml \
      --from-file=./kubeconfig/ca.pem \
      --from-file=./kubeconfig/ingress-controller.pem \
      --from-file=./kubeconfig/ingress-controller.key
Mount data into the HAProxy Ingress Controller pod

Update your HAProxy Enterprise ingress deployment YAML file to load the secret above as a local volume in /etc/kubernetes:

spec:
   template:
     spec:
       containers:
[...]
         volumeMounts:
         - name: kubeconfig
           mountPath: /etc/kubernetes
       volumes:
       - name: kubeconfig
         secret:
         secretName: hapee-kubeconfig
Update HAProxy Ingress Controller entry point

In the YAML file used to deploy the HAProxy Ingress Controller, add the following line into the args array:

- --kubeconfig=/etc/kubernetes/kubeconfig.yml