Kubectl is the most widely used command-line tool for working with Kubernetes. It lets you deploy applications and inspect and manage resources: it authenticates to your cluster's control plane and issues calls to the Kubernetes API on your behalf. In short, if you work with Kubernetes, kubectl is the tool you will use most.
In most modern environments, many users access several clusters at any given time, so it is all the more important that every user or group can reach only the resources they actually need. Kubernetes offers namespaces and role-based access control (RBAC) for this. These work well within a single cluster, but most enterprise-grade deployments need something more robust once access has to be granted, reviewed and revoked consistently across many clusters.
That’s where Paralus comes in. It is an open source solution that allows you to configure centralized kubectl access to multiple clusters from a single dashboard. Paralus allows you to create groups, assign projects and users and provide access. In this blog post, we’ll show you how to import different clusters to Paralus and configure access to them with zero-trust principles built in.
The Use Case
The goal of this post is to show how you can import multiple clusters and manage access to them from a single dashboard. In this sample use case we have three clusters in three environments: Paralus itself runs on an AKS cluster on Azure, and we import two others, a kind cluster running on localhost that stands in for an on-premises cluster, and a GKE cluster on Google Cloud. We will import both into Paralus and configure centralized kubectl access to them.
Setting Up Paralus
The first step is to install Paralus. Setting up Paralus is easy with the provided Helm charts. Based on the underlying environment, you can follow the Paralus installation documentation to get started.
We installed Paralus on AKS, so we created a new cluster and installed Paralus with the following commands:
helm repo add paralus https://paralus.github.io/helm-charts
helm install myrelease paralus/ztka \
  -f https://raw.githubusercontent.com/paralus/helm-charts/main/examples/values.dev-generic.yaml \
  --set fqdn.domain="chartexample.com" \
  -n paralus --create-namespace
Replace the fqdn.domain value with the domain you will actually use, since the dashboard is served under it. Once the installation completes, point the DNS records for that domain at your ingress and open the dashboard.
Importing a Cluster
Once you can log in to the dashboard, create a new project or use the existing default project. Within the project you can import a cluster. The steps below cover both an on-premises or local cluster and a cloud-hosted one:
- Click on Import Cluster
- In the new dialog, pick the environment and distribution that match the target cluster:
- For the on-premises or localhost kind cluster, choose Data Center/Edge as the environment and Other as the Kubernetes distribution
- For the Google Cloud cluster, choose Public Cloud as the environment and GKE as the Kubernetes distribution
- Provide a name and description and click Continue
- Leave the general and advanced settings at their defaults and move to the final step
- Download the generated bootstrap.yaml file. Treat it as a secret: it carries the credentials the agent uses to register with Paralus
- Apply it in the cluster you want to import, using a kubeconfig that has admin rights there, since the manifest creates a namespace and RBAC objects: kubectl apply -f bootstrap.yaml
- bootstrap.yaml deploys the Paralus agent into the target cluster. Once the agent is running and has connected back to the Paralus control plane, the cluster shows as imported
Once both clusters are imported, open the project and view the clusters. Check that each one is connected by opening the kubectl prompt from the dashboard and running a read-only command against it.
Configuring Groups and Users
The next step is to create a new group and assign the project to it with a read-only project role. It is easier to manage permissions and roles using groups than to configure every user individually.
Once configured, ask the users to log in again so the new permissions take effect, then verify the access. Users in the group can view resources in the project's clusters but cannot create, edit or delete anything.
Since the project holds both imported clusters, the GKE cluster and the local kind cluster that stands in for on-premises, the read-only permission applies to both of them. This lets an admin configure centralized kubectl access to multiple clusters from a single dashboard.
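A practitioner will want to confirm the read-only claim rather than trust the role name. The script below is an added example, not Paralus project code: it feeds the output of kubectl auth can-i --list, run with the kubeconfig issued to one of the read-only users, through a small audit that flags any rule granting a write verb (create, update, patch, delete, deletecollection, impersonate, escalate, bind) or the * wildcard. The --live and --demo flags, the audit_readonly function and the SAMPLE listing are this example's own; the sample is constructed to look like the command's output and includes a deliberately wrong update on configmaps. The two selfsubject*review create rules are allow-listed because every authenticated user holds them.

```shell
#!/bin/sh
# Added example, not part of Paralus: audit the permissions a kubeconfig
# actually grants, to confirm that a "read-only" Paralus user is read-only.
#
#   --live  pipes 'kubectl auth can-i --list' (current KUBECONFIG) into the audit
#   --demo  runs the audit over the constructed SAMPLE below

# Verbs a read-only user must never hold. '*' is the RBAC wildcard verb.
WRITE_VERBS='create update patch delete deletecollection impersonate escalate bind *'

# Every authenticated user may 'create' these review objects (they are how
# 'kubectl auth can-i' itself works), so they are not reported as findings.
ALLOWED_CREATE='selfsubjectaccessreviews.authorization.k8s.io selfsubjectrulesreviews.authorization.k8s.io'

# Constructed sample in the layout of 'kubectl auth can-i --list'. The
# configmaps rule is deliberately wrong for a read-only user.
SAMPLE='Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
pods                                            []                  []               [get list watch]
deployments.apps                                []                  []               [get list watch]
configmaps                                      []                  []               [get list watch update]
                                                [/healthz]          []               [get]
                                                [/version]          []               [get]'

# audit_readonly: reads 'kubectl auth can-i --list' output on stdin and
# prints "<resource or URL><TAB>[verbs]" for every rule that grants a write
# verb. Prints nothing when the listing is read-only.
audit_readonly() {
    awk -v write="$WRITE_VERBS" -v allowed="$ALLOWED_CREATE" '
        BEGIN {
            n = split(write, w, " ");   for (i = 1; i <= n; i++) is_write[w[i]] = 1
            n = split(allowed, a, " "); for (i = 1; i <= n; i++) is_allowed[a[i]] = 1
        }
        NR == 1 && $1 == "Resources" { next }   # column header
        NF == 0 { next }                        # blank line
        {
            # The Verbs column is the last bracketed group on the line.
            verbs = $0; sub(/.*\[/, "", verbs); sub(/]$/, "", verbs)
            # First field is the resource, or the bracketed URL for non-resource rules.
            target = $1
            n = split(verbs, v, " ")
            for (i = 1; i <= n; i++) {
                if (!(v[i] in is_write)) continue
                if (v[i] == "create" && (target in is_allowed)) continue
                print target "\t[" verbs "]"
                break
            }
        }'
}

case "${1:-}" in
    --live) kubectl auth can-i --list | audit_readonly ;;
    --demo) printf '%s\n' "$SAMPLE" | audit_readonly ;;
esac
```

Run it as KUBECONFIG=./paralus-user.yaml sh audit_readonly.sh --live against a real kubeconfig, or with --demo to watch it flag the constructed configmaps rule. A clean result only proves the verbs are read-only: if the role also lists secrets, a read-only user can still read credentials with get and list, so review the Resources column as well, not just the verbs.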
Below is what your cluster list within the project will look like.
You should now be able to import clusters from different environments into Paralus and configure kubectl access to them. This was a simple use case, but the same approach applies to production environments.
You can create separate groups for your development and QA teams, add users to each group and assign the projects that hold the relevant clusters. If you have an identity provider (IdP) configured, group membership no longer has to be maintained by hand: when a user is added to or removed from the organization, Paralus picks up the change and adds or removes that user's permissions on the clusters accordingly.
If you are looking forward to testing or deploying Paralus, feel free to reach out to us via our Slack Channel. Our team and community are there to support you!
To hear more about cloud-native topics, join the Cloud Native Computing Foundation and the cloud-native community at KubeCon+CloudNativeCon North America 2022 – October 24-28, 2022