hi there. I'm trying to create Kubernetes access (with RBAC so far) to allow a developer to access the cluster through
kubectl to a designated namespace, to access a database. I don't want or need to use an ingress.
what is the most reasonable way to make that happen? So far I've created the ServiceAccount, Role and RoleBinding, but I haven't gotten the kubectl config right to allow that access.
We also have Rancher in use, if that is of help, though the main purpose is to 1) let the developer install kubectl so he can port-forward to the pod and then access the database through a local port…
If you only need the user to have access to the database, you don't need RBAC
restrict the access port to the user's IP, that's all
ok, but if there is no ingress then what do you mean by that?
well, create a NodePort service or an externalIP service
RBAC is used to limit access to resources inside Kubernetes clusters, but RBAC doesn't restrict connections to the services that you have exposed in your k8s cluster
perhaps that would also be a solution, but I would rather get the kubectl access working; in time that would not be the only access anyway, I guess…
but do you need your users to access resources INSIDE the cluster, or do you need your users to access the services exposed in your cluster?
I need someone to be able to access some resources inside the cluster, which might add up over time; I don't specifically need to expose services for each one of those cases, no
ok, how do you manage your auth service in your cluster, maybe LDAP?
for example, I create several databases and for some time they need direct access to the database… but otherwise an ingress is not really needed; database access through ingresses has been a bit of a complicated issue so far
ohh, then you only need to expose your service
at the moment there is no LDAP setup yet… only some local users, using Rancher mostly
you don't need your users to perform actions like kubectl get pods bla -n bla
no… just access to the port
ok, so you don't need RBAC
so you suggest a service with a NodePort then
ok… if I already have a service, then I can add another one for this temporary use that would work in parallel as well?
thanks then, I'll try to get it to work