A Kubernetes cluster is a collection of resources running across multiple nodes. Managing these resources also entails granting and controlling users' access to them. Different teams could be running their applications on the same cluster. Configuring RBAC is essential when it comes to such multi-tenant setups. Grouping resources into namespaces and giving certain teams access to them is a good start. Rancher leverages this to more effectively group the cluster's resources into larger subsets called projects.
As your organization grows, so does the need for multiple such clusters. Rancher provides centralized authentication to manage access more efficiently. Rancher admins can configure authentication using any of the available authentication providers. This needs to be done only once for the Rancher server, and the same authentication provider is used for all clusters. Your Rancher admin can then grant any number of users/groups access to the Rancher server. Once they have access to Rancher, the users' access to the clusters and projects is determined by an authorization framework that leverages various CRDs and custom controllers for RBAC.
In this session, we will discuss in depth the approach Rancher uses for multi-cluster multi-tenant setups.
We will cover the following topics:
Kubernetes constructs for RBAC
Leveraging Kubernetes RBAC to further manage multi-tenancy
Centralized authentication and authorization for all clusters