UCP 3.0 used its own role-based access control (RBAC) for Kubernetes clusters. New as of MKE 3.1 is the ability to use native Kubernetes RBAC. The benefits of doing this are:
Kubernetes RBAC is turned on by default for Kubernetes clusters when customers upgrade to MKE 3.1.
Starting with MKE 3.1, Kubernetes and Swarm roles have separate views. You can view all the roles for a particular cluster under Access Control then Roles. Select Kubernetes or Swarm to view the specific roles for each.
You create Kubernetes roles either through the CLI using kubectl or through the MKE web interface.
To create a Kubernetes role in the MKE web interface:
ClusterRole where you can create rules for cluster-scoped Kubernetes resources as well as namespaced resources.
Kubernetes provides two types of role grants:
ClusterRoleBinding, which applies to all namespaces
RoleBinding, which applies to a specific namespace
To create a grant for a Kubernetes role in the MKE web interface:
Cluster Role Binding, slide the Apply Role Binding to all namespaces selector to the right.
ClusterRoleBinding (by selecting Apply Role Binding to all namespaces) then you may only select ClusterRoles. If you select a specific namespace, you can choose any role from that namespace or any ClusterRole.
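The same role and grant types expressed as manifests for kubectl, as an added example that is not part of the original MKE documentation. All names (pod-and-node-reader, team-a, team-a-devs, cluster-auditors) are hypothetical. One ClusterRole is granted twice: once through a RoleBinding limited to a single namespace, and once through a ClusterRoleBinding that applies to all namespaces.

```yaml
# Constructed example; every name below is hypothetical.
# A ClusterRole can hold rules for namespaced and cluster-scoped resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-and-node-reader
rules:
  - apiGroups: [""]
    resources: ["pods"]        # namespaced resource
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]       # cluster-scoped resource
    verbs: ["get", "list"]
---
# RoleBinding: the grant is confined to namespace team-a. It may reference
# a Role from team-a or any ClusterRole. Through a RoleBinding only the
# namespaced rules take effect, so this group can read pods in team-a
# but cannot list nodes.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-pod-reader
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-devs
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-and-node-reader
  apiGroup: rbac.authorization.k8s.io
---
# ClusterRoleBinding: applies to all namespaces, and roleRef must be a
# ClusterRole. This group can read pods in every namespace and list nodes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auditors-read-all
subjects:
  - kind: Group
    name: cluster-auditors
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-and-node-reader
  apiGroup: rbac.authorization.k8s.io
```

Prefer the namespaced RoleBinding unless the subject needs access in every namespace, since a ClusterRoleBinding also covers namespaces created later.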