Kubernetes multi-cluster user management¶

Kubernetes multi-cluster user management involves configuring client-side tools, specifically kubeconfig, to organize access parameters across different clusters, namespaces, and user identities^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].

Core Concept: The Kubernetes Context¶

In Kubernetes, a Context functions as a client-side alias that bundles three distinct parameters^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]:

1. Cluster: The address of the kube-apiserver and its certificate authority.
2. User: The specific credentials (e.g., client certificates, tokens) used for authentication.
3. Namespace: The default scope for resource operations (if omitted, default is used).

The kube-apiserver itself does not recognize the concept of a "Context"; rather, the client tool (e.g., kubectl) uses the active context to inject the correct cluster, user, and namespace parameters into the API request before it is sent^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].

kubeconfig structure¶

The kubeconfig file stores the definitions for clusters, users, and contexts^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].

• Clusters: Lists cluster endpoints and certificate authority data.
• Users: Defines authentication credentials, such as client-certificate-data or auth-provider configurations^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].
• Contexts: Maps a user to a cluster and a specific namespace^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].

Use Case Scenario¶

A common scenario for multi-cluster management involves segregating environments and teams^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]. For example:

• Clusters: development and production.
• Namespaces: frontend and backend.
• Roles: frontend-developer and backend-developer.

To ensure security and organization, administrators can define contexts such as dev-frontend or prod-backend. This ensures that a developer operating within the dev-frontend context is automatically targeting the development cluster and the frontend namespace using their assigned credentials^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md].

Management Commands¶

Creating Contexts¶

Contexts are created or modified using the kubectl config set-context command^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]:

[kubectl](<./kubectl.md>) config set-context <CONTEXT_NAME> \
    --namespace=<NAMESPACE_NAME> \
    --cluster=<CLUSTER_NAME> \
    --user=<USER_NAME>

Switching Contexts¶

To change the active target for kubectl commands^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]:

[kubectl](<./kubectl.md>) config use-context <CONTEXT_NAME>

Defining Clusters and Users¶

While cloud providers often handle cluster definitions (e.g., via GKE or EKS tools), users can manually define clusters and credentials in kubeconfig^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]:

• Set Cluster: kubectl config set-cluster <NAME> --server=<URL> --certificate-authority=<PATH>
• Set Credentials: kubectl config set-credentials <NAME> --client-certificate=<PATH> --client-key=<PATH>

Related Concepts¶

• Kubernetes
• [[RBAC]]
• Kubectl
• [[Kubeconfig]]

Sources¶

^[400-devops-06-kubernetes-k8s-ithelp-day28-readme.md]