Authorize all developers to have read access to your clusters
You want to ensure every developer in your GitHub organization has read-only access to your Kubernetes clusters.
- Set up GitHub as an identity provider. Start by creating a new OAuth Application in your GitHub Organization by filling out this form.
- After you create the application, you will be taken to a settings page. You will need the Client ID and Client Secret from this page for the DKP UI. Select the Generate a new client secret button if you do not already have a Client Secret for the application.
- From the top menu bar in the DKP UI, select the Global workspace.
- Select Identity Providers in the Administration section of the sidebar menu.
- Select the Identity Providers tab, and then select the + Add Identity Provider button.
- Ensure GitHub is selected as the identity provider type, and copy the Client ID and Client Secret values into the form.
- Select Save to create your Identity Provider.
D2iQ configured the identity provider to load all groups, so the next step is to map those groups to Kubernetes groups.
Map the identity provider groups to the Kubernetes groups
- Select the Groups tab, and then select the Create Group button.
- Give your group a descriptive name and add the groups from your GitHub provider under Identity Provider Groups.
- Select Save to create the group. The group is created on the management cluster and federated to all target clusters; it represents the developers in your organization.
Before this group can see anything, you first need to create a role that allows viewing every resource.
Create a “Read Everything” role
- Select Access Control in the Administration section of the sidebar menu.
- Select the Cluster Roles tab, and then select the + Create Role button.
- Give the role a descriptive name, and ensure that Cluster Role is selected as the type.
- For a read-only role, select + Add Rule, then select All Resource Types in the Resources input, and select the get, list, and watch verbs.
Now you can assign the “Read Everything” role to the developers group.
Assign the role to the developers group
- Select the Cluster Role Bindings tab, and then select the Add roles button for your group.
- Select the “Read Everything” role from the Roles drop-down.
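For reference, the two Kubernetes RBAC objects that the “Read Everything” role and its binding to the developers group correspond to are shown below. This is an added example, not a manifest generated by DKP: the object names are placeholders, and the `developers` group name is an assumption standing in for the Kubernetes group name that your mapped DKP group resolves to.

```yaml
# Added example: Kubernetes RBAC equivalent of the "Read Everything" cluster role
# and its binding to the developers group. Not DKP-generated output; names are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: read-everything               # placeholder name
rules:
  - apiGroups: ["*"]                  # every API group, core and extensions alike
    resources: ["*"]                  # every resource type, matching "All Resource Types" in the UI
    verbs: ["get", "list", "watch"]   # read-only verbs; no create, update, patch or delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developers-read-everything    # placeholder name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: read-everything               # must match the ClusterRole above
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: developers                  # assumption: the Kubernetes group your DKP group maps to
```

Two points worth checking before rolling this out. First, `get` and `list` on all resources includes Secrets, so anyone in the group can read secret values; if that is not what you intend, add a second rule that excludes the `secrets` resource rather than granting `*`. Second, you can confirm the effective permissions from a cluster admin session with `kubectl auth can-i --list --as=someone --as-group=developers`, which should show only get, list and watch.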
Lastly, follow the example in the Access Control documentation to grant users access to Kommander routes on your cluster.
When you log in to an attached cluster as a user from one of the mapped groups, you can see every resource but cannot edit or delete any of them, as intended.