Cryostat user management

[grzesuav]

Hi, I wonder how user access is/could be resolved in cryostat.

Lest say we have three namespaces A, B, C. Namespaces are managed by different teams. I want to gave possibility to start/stop recording for pods in namespace A only for tam members managing that namespace.

Currently we have RBAS (in kubernetes) set up in the way that only team member can i.e. exec/port-forward in given namespace.

I wonder what is cryostat recommended to make it work ?

[andrewazores]

Cryostat's user access model, assuming you use Cryostat in OpenShift with the openshift-oauth-proxy enabled (ie you use the Operator, or you enable this feature with the Helm chart):

• Cryostat CRs are installed into a Namespace A - Cryostat A
• Cryostat A has a list of Target Namespaces - [B, C]
• Users attempting to access Cryostat A are required to have the create pods/exec in Namespace A Role
• Therefore, when Cryostat A is installed, create pods/exec in Namespace A grants access to monitor applications in [B, C]

In your case, you can install Cryostat A into Namespace A, and set its list of Target Namespaces to simply [A]. Then, ensure that your A team members have the create pods/exec in A Role, and nobody else has that Role.

You can customize this role using the Cryostat CRD property:

https://github.com/cryostatio/cryostat-operator/blob/c17fe4cda40a07fd7f2ce34dae7b9ae38f3a10e9/config/crd/bases/operator.cryostat.io_cryostats.yaml#L4887

or Helm chart values:

https://github.com/cryostatio/cryostat-helm/blob/2edf42d76a2c98a68482140b7a16b46b4bf15750/charts/cryostat/values.yaml#L216

in case create pods/exec is not a suitable Role to use for your case - you could remap this to exec/port-forward, for example.

[andrewazores]

If you are using a non-OpenShift Kubernetes, then you will end up with the oauth2-proxy instead of the OpenShift OAuth Proxy, in which case the only supported authorization configuration at this time is the basic auth configuration, which doesn't have any mapping from k8s RBAC or user accounts. In this case you would probably need to roll your own deployment (you can use the Helm chart as a starting point), and replace the oauth2-proxy with something else like Keycloak.

[grzesuav]

1. I am using kubernetes, not openshift.
   The example you gave

Cryostat A has a list of Target Namespaces - [B, C]
Users attempting to access Cryostat A are required to have the create pods/exec in Namespace A Role
Therefore, when Cryostat A is installed, create pods/exec in Namespace A grants access to monitor applications in [B, C]
```
does not really answer my question - so I have `teamB` (which should have access only to ns `B`) and `teamC` (namespace - `C`) - how can I configure cryostat to respect this ? From your example having access to some RBAC in cryostat namespace gives all users permission to all namespaces targeted by cryostat

[andrewazores]

To do that, you create two Cryostats to separate the teams from each other.