topic Re: TMC Managed K8s Cluster - CLI authentication and Access Roles in Tanzu Mission Control & VMware Cloud Director Discussion Board

TMC Managed K8s Cluster - CLI authentication and Access Roles

returntrip — Wed, 16 Aug 2023 13:12:00 GMT

Currently, I can login to TMC CLI in the following ways:

1) Using LDAP accountswith `Cloud Administrator` role

2) Using LDAP account with role `tmc:admin`

3) Using local accounts `tmc-amin`, `tmc-member` or any other local accounts with role `tmc:admin` or `tmc:member` assigned to them

I cannot authenticate to TMC CLI from LDAP/local accounts/groups for which I have authentication configured TMC GUI Access section. See screenshot that shows current access policy.

To me, it seems like the `tmc-admin` or `tmc-member` roles are necessary to log ont TMC CLI and subsequentially accesst the K8s API via says kubectl However, having those roles gives automatically admin access to TMC managed K8s clusters which defeats the purpose of RBAC.

Am I missing something?

Re: TMC Managed K8s Cluster - CLI authentication and Access Roles

jeffmace — Tue, 29 Aug 2023 15:37:02 GMT

Sorry for the delay, I am still looking into this with the engineering team.

Beyond logging in, were you able to view/edit any TMC resources when using the `Cloud Administrator` role?

Re: TMC Managed K8s Cluster - CLI authentication and Access Roles

returntrip — Tue, 29 Aug 2023 15:54:02 GMT

I could manage the cluster (i.e.: kubectl get nodes, get pods etc)

Re: TMC Managed K8s Cluster - CLI authentication and Access Roles

jeffmace — Wed, 13 Sep 2023 12:25:03 GMT

We are still looking into this but I want to make sure I understand what you would like to achieve.

Are you trying to use the "Cloud Administrator" role to grant access to the TMC-SM API/GUI so they can define policies/packages/etc in TMC-SM?

Re: TMC Managed K8s Cluster - CLI authentication and Access Roles

returntrip — Wed, 13 Sep 2023 12:36:51 GMT

My TMC Local is not working as I am waiting for a newer version compatible with CSE 4.1. But I was trying to use Acces Roles to manage/limit K8s API access (e.g: limit certain users to certain namespaces)

What I noticed was that you need either tmc-admin` or `tmc-member` roles to log onto TMC CLI (the command line interface for TMC), which allows you to access the k8s API via kubectl. Having tmc-admin` or `tmc-member` roles automatically gives full (admin) access to TMC managed K8s clusters and I am therefore unable to limit certain users or groups (i.e.: useer `johndoe` should only be able to list namesapces fro k8s cluster xyz).

I hope this makes sense. If not, lets wait for a new version of TMC that supports CSE 4.1. Will reinstall and can get into a meeting.

Re: TMC Managed K8s Cluster - CLI authentication and Access Roles

jeffmace — Wed, 13 Sep 2023 12:39:04 GMT

Yes, that makes sense. Thank you.

Re: TMC Managed K8s Cluster - CLI authentication and Access Roles

jeffmace — Tue, 26 Sep 2023 17:35:33 GMT

We've been looking into this and can confirm you will be able to use roles other than 'tmc:admin' or 'tmc:member' to give access to specific resources. I believe this scenario would've worked if you had added the 'Organization Administrator' group to the 'organization.credential.view' role binding or some other 'organization.*' role.

Please try this after we GA a release with support for CSE 4.1 and let us know if you run into issues.