VMware Beta Community
returntrip
Contributor

TMC Managed K8s Cluster - CLI authentication and Access Roles

Currently, I can login to TMC CLI in the following ways:

1) Using LDAP accounts with the `Cloud Administrator` role

2) Using LDAP account with role `tmc:admin`

3) Using local accounts `tmc-admin`, `tmc-member` or any other local accounts with the role `tmc:admin` or `tmc:member` assigned to them

I cannot authenticate to TMC CLI from LDAP/local accounts/groups for which I have authentication configured in the TMC GUI Access section. See the screenshot that shows the current access policy.

[Screenshot: returntrip_0-1692189441843.png, current access policy]

To me, it seems like the `tmc-admin` or `tmc-member` roles are necessary to log onto TMC CLI and subsequently access the K8s API via, say, kubectl. However, having those roles automatically gives admin access to TMC managed K8s clusters, which defeats the purpose of RBAC.

Am I missing something?

6 Replies
jeffmace
VMware Employee

Sorry for the delay, I am still looking into this with the engineering team.

Beyond logging in, were you able to view/edit any TMC resources when using the `Cloud Administrator` role?

returntrip
Contributor

I could manage the cluster (i.e.: kubectl get nodes, get pods etc)

jeffmace
VMware Employee

We are still looking into this but I want to make sure I understand what you would like to achieve.

Are you trying to use the "Cloud Administrator" role to grant access to the TMC-SM API/GUI so they can define policies/packages/etc in TMC-SM?

returntrip
Contributor

My TMC Local is not working as I am waiting for a newer version compatible with CSE 4.1. But I was trying to use Access Roles to manage/limit K8s API access (e.g.: limit certain users to certain namespaces).

What I noticed was that you need either `tmc-admin` or `tmc-member` roles to log onto TMC CLI (the command line interface for TMC), which allows you to access the k8s API via kubectl. Having `tmc-admin` or `tmc-member` roles automatically gives full (admin) access to TMC managed K8s clusters and I am therefore unable to limit certain users or groups (i.e.: user `johndoe` should only be able to list namespaces for k8s cluster xyz).

I hope this makes sense. If not, let's wait for a new version of TMC that supports CSE 4.1. I will reinstall and we can get into a meeting.
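For reference, this is what the least-privilege posture described in the post above ("user `johndoe` should only be able to list namespaces for k8s cluster xyz") looks like when expressed directly in plain Kubernetes RBAC on the cluster itself. It is an added example, not something from the thread or from TMC, and it is not TMC's access-policy format: the user name `johndoe`, the ClusterRole name `namespace-lister` and the kube-context name `xyz` are assumptions taken from the post or constructed for illustration. A TMC role binding that ends up granting cluster admin would make this scoped binding irrelevant, which is exactly the problem the post raises.

```yaml
# Added illustration (not TMC's own policy objects): plain Kubernetes RBAC that
# lets a single user list namespaces and nothing else on one cluster.
# Names are constructed: user "johndoe" and cluster/context "xyz" come from the
# post above, "namespace-lister" is an assumed role name.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-lister
rules:
  # Namespaces are cluster-scoped, so the rule must live in a ClusterRole.
  # Only read verbs are granted; no create/update/delete, no other resources.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: johndoe-namespace-lister
subjects:
  # The subject name must match the username the cluster's authenticator
  # presents for this person (e.g. the identity TMC/LDAP maps through).
  - kind: User
    name: johndoe
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: namespace-lister
  apiGroup: rbac.authorization.k8s.io
# Verification from an admin context (impersonation needs no johndoe session):
#   kubectl --context xyz auth can-i list namespaces --as johndoe   # expect: yes
#   kubectl --context xyz auth can-i get pods -A --as johndoe       # expect: no
#   kubectl --context xyz auth can-i delete namespaces --as johndoe # expect: no
# If the "no" checks return "yes", another binding (such as a cluster-admin
# grant injected by a platform role) is widening johndoe's access.
```

The `kubectl auth can-i --as` checks are the quickest way to confirm that a platform-level role has not silently widened a user's access beyond what the scoped binding intends.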

jeffmace
VMware Employee

Yes, that makes sense. Thank you.

jeffmace
VMware Employee

We've been looking into this and can confirm you will be able to use roles other than 'tmc:admin' or 'tmc:member' to give access to specific resources. I believe this scenario would've worked if you had added the 'Organization Administrator' group to the 'organization.credential.view' role binding or some other 'organization.*' role.

Please try this after we GA a release with support for CSE 4.1 and let us know if you run into issues.