
Authentication

The Upbound Official Kubernetes Provider supports many authentication methods.

  • Upbound Identity
  • Injected Identity
  • Kubeconfigs
  • AWS, Azure, and GCP auth mechanisms

Upbound Identity

Note: This method of authentication is only supported in control planes running on Upbound Cloud Spaces.

Use this auth mechanism when you want to use a control plane with provider-kubernetes to interact with Upbound APIs. Upbound Identity can be configured to use the following to authenticate with Upbound:

  • a user's personal access token (PAT)
  • a token generated from a robot

Create an access token

This method creates a Robot, the Upbound equivalent of a service account, and uses its identity to authenticate and perform actions.

  1. Log in to Upbound:
     up login
  2. Create a robot:
     up robot create "provider-kubernetes" --description="Robot used for authenticating to Upbound by provider-kubernetes"
  3. Create an access token for this robot and store it in an environment variable:
     export UPBOUND_TOKEN=$(up robot token create "provider-kubernetes" "provider-kubernetes-token" --output=-| awk -F': ' '/Token:/ {print $2}')
  4. Assign the robot to a team and use Upbound RBAC to grant the team a role with the required permissions.

Generate a kubeconfig for Upbound APIs

Upbound APIs are Kubernetes-compatible. Generate a kubeconfig for the context you want to interact with:

Set the desired context path below depending on your use case. Generate a kubeconfig according to the token method you followed in the prior section.

  1. Log in to Upbound with the robot access token:
     up login -t $UPBOUND_TOKEN
  2. Set your Upbound context and write it out as a kubeconfig file:
     up ctx org/space/group/control-plane
     up ctx . -f - > upbound-context.yaml

Store the generated context as an environment variable:

export CONTROLPLANE_CONFIG=upbound-context.yaml

Create secrets to store configs

In the control plane where you've installed provider-kubernetes, store the tokens created in the earlier step as secrets:

kubectl -n crossplane-system create secret generic cluster-config --from-file=kubeconfig=$CONTROLPLANE_CONFIG
kubectl -n crossplane-system create secret generic upbound-credentials --from-literal=token=$UPBOUND_TOKEN
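The token step above uses `export UPBOUND_TOKEN=$(...)`, and `export` returns its own (successful) status, so a failed `up robot token create` leaves an empty variable and the second `kubectl` command then stores an empty token without complaint. The following script is an added example, not part of the Upbound docs or the provider; it assumes only that the CLI prints a `Token: <value>` line, which is exactly what the page's awk pipeline relies on, and it fails closed before either Secret is created.

```shell
#!/bin/sh
# Added example (not from the Upbound docs): wrap the token-extraction and
# Secret-creation steps so that a failed token request cannot silently
# turn into an empty or useless upbound-credentials Secret.

# Read `up robot token create --output=-` output on stdin and print the token.
# Returns non-zero when no non-empty "Token:" line is present.
extract_token() {
  tok=$(awk -F': ' '/Token:/ { print $2; exit }')
  [ -n "$tok" ] || return 1
  printf '%s\n' "$tok"
}

# Validate inputs before kubectl runs: the token must be non-empty and the
# kubeconfig written by `up ctx . -f -` must exist and be non-empty.
check_inputs() {
  [ -n "$1" ] || { echo "error: UPBOUND_TOKEN is empty" >&2; return 1; }
  [ -s "$2" ] || { echo "error: kubeconfig '$2' is missing or empty" >&2; return 1; }
}

# Create both Secrets in crossplane-system, as in the docs, only after the
# checks pass. $3 (intentionally unquoted) may carry extra kubectl flags such as
# "--dry-run=client -o yaml" to preview the manifests instead of applying them.
create_secrets() {
  check_inputs "$1" "$2" || return 1
  kubectl -n crossplane-system create secret generic cluster-config \
    --from-file=kubeconfig="$2" $3 || return 1
  kubectl -n crossplane-system create secret generic upbound-credentials \
    --from-literal=token="$1" $3
}

# Usage (robot and token names as in the docs). A plain assignment, unlike
# `export VAR=$(...)`, propagates the pipeline's exit status, so `|| exit 1` works:
#   UPBOUND_TOKEN=$(up robot token create "provider-kubernetes" \
#       "provider-kubernetes-token" --output=- | extract_token) || exit 1
#   create_secrets "$UPBOUND_TOKEN" upbound-context.yaml --dry-run=client -o yaml
```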

Create a ProviderConfig

Create a ProviderConfig to set the provider authentication method to UpboundTokens.

apiVersion: kubernetes.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    secretRef:
      key: kubeconfig
      name: cluster-config
      namespace: crossplane-system
    source: Secret
  identity:
    secretRef:
      key: token
      name: upbound-credentials
      namespace: crossplane-system
    source: Secret
    type: UpboundTokens

Injected Identity

Use this auth mechanism when you want to configure a control plane to use provider-kubernetes to manage or interact with resources in itself. Injected Identity configures the provider to authenticate with its own service account in that control plane, which the steps below bind to the cluster-admin role.

Create a ProviderConfig

apiVersion: kubernetes.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: InjectedIdentity

Create a DeploymentRuntimeConfig

Create a ClusterRoleBinding and a DeploymentRuntimeConfig so that the provider's service account is granted the cluster-admin role.

apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: provider-kubernetes
spec:
  serviceAccountTemplate:
    metadata:
      name: provider-kubernetes
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: provider-kubernetes-cluster-admin
subjects:
- kind: ServiceAccount
  name: provider-kubernetes
  namespace: crossplane-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

Reference this DeploymentRuntimeConfig to complete the configuration of the provider:

apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-kubernetes
spec:
  package: xpkg.upbound.io/upbound/provider-kubernetes:v0.16.0
  runtimeConfigRef:
    apiVersion: pkg.crossplane.io/v1beta1
    kind: DeploymentRuntimeConfig
    name: provider-kubernetes

Other auth mechanisms

Read the provider-kubernetes examples for examples of how to configure the provider with other auth mechanisms.