Control plane v2: hiding nodes with RBAC

I deployed Anthos on VMware and am trying to show only user nodes to users. Is it possible with ClusterRole and ClusterRoleBinding?

How were other cloud vendors able to show only node pool nodes without control plane nodes? Any thoughts?

--

Thunderhill

Solved

3 REPLIES

Hello @Thunder ,

In a minimal Anthos setup, there are typically two clusters: the admin cluster and the user cluster. Control plane nodes are located in the admin cluster, while worker nodes are in the user cluster. If your users only have kubeconfig for the user cluster, they will only see the worker nodes, not the control plane nodes. You can find more information on this setup in the Anthos documentation here.

Regarding your question about Google Cloud dashboard visibility, it's important to note that Anthos is not a serverless or fully managed service like GKE Standard or GKE Autopilot. In those services, you typically don't see or manage control plane nodes. However, Anthos provides you with full control over both the clusters and nodes.

If you want to restrict user access to only the user cluster and prevent them from logging into the admin cluster via the Google Cloud Platform dashboard, you can use Kubernetes role-based access control (RBAC) policies in combination with Anthos Connect Gateway. By defining RBAC policies, you can specify which users have access to which clusters, ensuring that only authorized users can log in to the admin or user cluster. You can learn more about configuring RBAC authorization for Anthos Connect Gateway here.

Hi Devenes,

Thanks @devenes, sorry for the late reply. I am using Controlplane V2. So with RBAC I can restrict all nodes. But my question is how to restrict access to only the user cluster nodes, without showing the control plane node.

Hi @Thunder ,

I understand your concern about wanting to hide control-plane nodes while allowing access to worker nodes in your user cluster. RBAC is primarily focused on controlling access to Kubernetes resources and API endpoints, and it doesn't provide native functionality for selectively hiding nodes based on labels or types.
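
What RBAC can and cannot express for nodes, shown as an added example that is not part of the original thread. The role name, group name and node names are constructed placeholders, and the manifest assumes a standard Kubernetes RBAC setup in the user cluster.

```yaml
# Added illustration; names below are constructed placeholders.
# Nodes are cluster-scoped, so node permissions need a ClusterRole
# and a ClusterRoleBinding rather than a namespaced Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: worker-node-reader            # hypothetical role name
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get"]
  # An RBAC rule matches on API group, resource, verb and, optionally,
  # object name. It has no label or node-role selector, so worker nodes
  # can only be named one by one, and this list must be maintained by
  # hand as the node pool changes.
  resourceNames:
  - "user-worker-1"                   # placeholder node name
  - "user-worker-2"                   # placeholder node name
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: worker-node-reader-binding    # hypothetical binding name
subjects:
- kind: Group
  name: "cluster-users"               # placeholder group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: worker-node-reader
# Effect for members of the bound group:
#   kubectl get node user-worker-1       -> allowed (get on a named node)
#   kubectl get node <control-plane>     -> forbidden (name not in the rule)
#   kubectl get nodes                    -> forbidden (a plain list request
#                                           carries no object name to match)
# Granting "list" on nodes without resourceNames makes the list work, but
# the API server then returns every node, control plane nodes included.
# RBAC allows or denies the request as a whole; it never filters the result.
```

To check the outcome without logging in as a user, `kubectl auth can-i list nodes --as=<user> --as-group=cluster-users` should answer `no` under this role.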
