October 13, 2017 | Written by: David Callies
Share this post:
While working with a client a few weeks ago, we defined a process and organizational governance model for managing Kubernetes clusters in a Bluemix PaaS environment. This blog will outline these best practices to deploy Kubernetes clusters in your environment and the importance of leveraging service policies.
Service policies allow you to assign user roles or roles to a set of resources by using a combination of attributes. For a detailed description of service policies, review Service Policies.
Before you create a Kubernetes cluster in your Bluemix environment, define the deployment strategy for your company or organization. As shown in Figure 1, kubernetes clusters are managed at the account level, not the organization or space level. Cloud foundry roles, such as Manager or Developer, do not restrict user access to Kubernetes clusters. If you create Kubernetes clusters without defining a service policy implementation process, all Kubernetes clusters will be viewable across all organizations and spaces by all users.
Start by working with your Bluemix account administrator to validate which service policies to enable. Each Bluemix organization manager must work with the account administrator to determine which users require access to the Kubernetes clusters. This will allow the organization manager to restrict access at the user level based on your company’s organization and space deployment model.
As part of your Bluemix deployment model, let’s assume you have defined your deployment model as shown in Figure 2. Now you must leverage service policies for your Kubernetes clusters to align with the approach outlined for managing Cloud Foundry organizations and spaces.
Enabling access to create Kubernetes clusters
From the Bluemix dashboard, navigate to the Users page as shown in Step 1.
Validate which users have service policies assigned, as shown in Step 2. This step ensures that only authorized users can create or view Kubernetes clusters from their dashboards.
The following steps will walk you through the steps to enable user access to create Kubernetes clusters for your company. First repeat Step 1 to select the identified user. As shown in Step 2, select Assign Service Policies. Now as shown in Step 3, from the menu, select IBM Bluemix Container Service.
The account administrator must assign the following rights to the identified user as highlighted in Step 4. Ensure the user has the role of “Administrator” selected from the menu. Completing this step will assign service policy rights for users to create, manage and view all Kubernetes clusters.
Restricting access to your Kubernetes clusters
Now that we’ve discussed how to assign service policies, let’s discuss how to restrict cluster access to align with your Cloud Foundry space deployment model. If your approach is to create test, stage, and prod Kubernetes clusters to align with your Bluemix organizations and space, using service polices will allow you to separate and isolate your Kubernetes clusters. Each Kubernetes cluster has a unique cluster ID. Utilizing the service policies, you can separate which users can view or access the Kubernetes clusters. This separation gives you the ability to manage access to clusters based on your organization and space deployment model.
As an example, the following steps will illustrate how to restrict access for a targeted Kubernetes cluster.
Now that the “Administrator” service policy role is assigned to the identified user of the company, I am able to view all available clusters from my Bluemix dashboard as shown in Step 5.
From the Bluemix dashboard, select the cluster, such as DC-Test-cluster. Note the unique Cluster ID from the summary view as shown in Step 6. You will need this “Cluster ID” in the following steps.
The identified user assigned to manage the organization must repeat steps 1,2 and 3 outlined earlier. After you complete those steps, select Specify optional service context. as shown in Step 7.
From the menu that lists all available service instances, select a cluster ID, as shown above in Step 8. Service instances are the unique cluster IDs that are assigned to each Kubernetes cluster that’s created.
After you select the service instance that is specified in step 6, from the Roles menu, select the Administrator service policy role to give the selected user restricted access to this cluster only. After you complete these steps, select Assign policy as highlighted in Step 9.
Now the assigned user has full administrative rights to manage this cluster. Additionally, this cluster will be the only cluster that displays in the Bluemix dashboard for this user as shown in Figure 3. Repeats steps 5 – 9 to isolate and restrict access to the remaining Stage and Prod Kubernetes Clusters.
The service policies are now enabled to segment your Kubernetes clusters and aligned with your Bluemix organization and space Cloud Foundry deployment model.