IBM Cloud Docs
Granting Satellite Config access to your clusters

Granting Satellite Config access to your clusters

By default, clusters that you create in a Satellite location have Satellite Config components automatically installed. However, you must grant the service accounts that Satellite Config uses the appropriate access to view and manage Kubernetes resources in each cluster.

Satellite Config requires admin access to your clusters to manage them. You can configure access in one of the following ways.

  • Automatically during cluster creation. Choose this option if you want to use Satellite storage templates.
  • Manually after cluster creation. Choose this option if you want more controlled access and do not plan on using Satellite storage templates.

If you do not grant Satellite Config access, you cannot later use the Satellite Config functionality to view or deploy Kubernetes resources for your clusters.

Automatically granting Satellite Config access to your clusters

You can give Satellite Config access to your cluster by specifying the relevant option when you create the cluster.

To give Satellite Config access to manage Kubernetes resources from the console, select Enable cluster admin access for Satellite Config when you create the cluster. To set up access with the CLI, specify the --enable-config-admin option when you create the cluster.

If you didn't give Satellite Config access at cluster creation time, follow the steps in Manually granting Satellite Config access to your clusters.

Manually granting Satellite Config access to your clusters

If you did not grant Satellite Config access to your cluster during cluster creation time, you can still set up the access manually.

Choose from the following options.

  • Admin access when you create a Satellite cluster: You can enable admin permissions when you create the cluster in the console or in the CLI by using the --enable-config-admin option in the ibmcloud oc cluster create satellite command. After creating the cluster, you must perform a one-time login by running ibmcloud ks cluster config in the command line.
  • Admin access for clusters in the public cloud: See Registering existing clusters with Satellite Config.
  • Custom access, or access for Satellite clusters that you did not opt in for admin access: Complete the following steps.

To customize access, or to add access for Satellite clusters that you did not opt in for admin access at cluster creation.

  1. Access your Satellite cluster.

  2. For each cluster in the cluster group, grant Satellite Config access to manage Kubernetes resources. Choose from the following options: cluster admin access, custom access that is cluster-wide, or custom access that is scoped to a project. For more information, see the Kubernetes documentation.

    If you choose a custom access option, some Satellite Config components might not work. For example, if you grant access to view only certain resources, you cannot use subscriptions to create Kubernetes resources in your cluster group. To view an inventory of your Kubernetes resources in a cluster, Satellite Config must have an appropriate role that is bound to the razee-viewer service account. To deploy Kubernetes resources to a cluster by using subscriptions, Satellite Config must have an appropriate role that is bound to the razee-editor service account.

Cluster admin access

Grant the Satellite Config service accounts access to the cluster admin role.

kubectl create clusterrolebinding razee-cluster-admin --clusterrole=razee-cluster-admin --serviceaccount=razeedeploy:razee-viewer --serviceaccount=razeedeploy:razee-editor --serviceaccount=razeedeploy:razee-satcon

Custom access, cluster-wide

Create custom RBAC policies to grant Satellite Config access to the actions and Kubernetes resources that you want for the cluster.

  1. Create a cluster role with the actions and resources that you want to grant. For example, the following command creates a viewer role so that Satellite Config can list all the Kubernetes resources in a cluster, but cannot modify them.

    kubectl create clusterrole razee-viewer --verb=get,list,watch --resource="*.*"
    Understanding this command's components
    Component Description
    razee-viewer The name of the cluster role, such as razee-viewer.
    --verb=get,list,watch A comma-separated list of actions that the role authorizes. In this example, the action verbs are for roles typical for a viewer or auditor, get,list,watch. For other possible verbs, see the Kubernetes documentation.
    --resource="*.*" A comma-separated list of the Kubernetes resources that the role authorizes actions to. In this example, access is granted for all Kubernetes resources in all API groups, "*.*". For other possible resources, run kubectl api-resources -o wide.

  2. Create a cluster role binding that binds the Satellite Config service account to the cluster role that you previously created. Now, Satellite Config has the custom access to the cluster.

    kubectl create clusterrolebinding razee-viewer --clusterrole=razee-viewer --serviceaccount=razeedeploy:razee-viewer
    Understanding this command's components
    Component Description
    razee-viewer The name of the cluster role binding, such as razee-viewer.
    --clusterrole=razee-viewer The name of the cluster role that you previously created, such as razee-viewer.
    --serviceaccount=razeedeploy:razee-viewer The name of one of the service accounts that the Satellite Config components are set up by default to use, either razeedeploy:razee-viewer or razeedeploy:razee-editor.

Custom access, scoped to a project

Create custom RBAC policies to grant Satellite Config access to the actions, Kubernetes resources, and projects (namespaces) that you want.

  1. Create a role with the actions and resources that you want to grant in the project that you want to scope the role to. For example, the following command creates an editor role so that Satellite Config can deploy and update all the Kubernetes resources in the project.

    kubectl create role razee-editor --namespace=default --verb=get,list,watch,create,update,patch,delete --resource="*.*"
    Understanding this command's components
    Component Description
    razee-editor The name of the cluster role, such as razee-editor.
    --namespace default The project (namespace) to scope the role to, such as default.
    --verb=get,list,watch,create,update,patch,delete A comma-separated list of actions that the role authorizes. In this example, the action verbs are for roles typical for an editor, get,list,watch,create,update,patch,delete. For other possible verbs, see the Kubernetes documentation.
    --resource="*.*" A comma-separated list of the Kubernetes resources that the role authorizes actions to. In this example, access is granted for all Kubernetes resources in all API groups, "*.*". For other possible resources, run kubectl api-resources -o wide.

  2. Create a role binding that binds the Satellite Config service account to the cluster role that you previously created. Now, Satellite Config has the custom access to the cluster.

    kubectl create rolebinding razee-editor --namespace=default --role=razee-editor --serviceaccount=razeedeploy:razee-editor
    Understanding this command's components
    Component Description
    razee-editor The name of the role binding, such as razee-editor.
    --namespace default The project (namespace) to scope the role binding to, such as default. The namespace must match the namespace that the role is in.
    --role=razee-editor The name of the role that you previously created, such as razee-editor.
    --serviceaccount=razeedeploy:razee-editor The name of one of the service accounts that the Satellite Config components are set up by default to use, either razeedeploy:razee-viewer or razeedeploy:razee-editor.

Continue to set up cluster groups and register clusters with Satellite Config.