I need to create a k8s cluster with users having their own namespaces and applications installed in those namespaces, which they can access from a web portal (e.g. providing `http://service_ip:service_port` in the case of JupyterHub). I am using Helm charts to install applications and am kind of confused about Service types, so I need your suggestion: should I use NodePort or should I use ClusterIP, and how would I discover and provide the service URL to users? Any help would be appreciated.

captainchhala
- Basically what I am trying to do is install an application as a Helm chart and provide the access `ip:port` to the user requesting it. – captainchhala Apr 01 '18 at 13:16
- I suppose "user" management may not be the focus of K8S. So if the primary concern is user login, single sign-on, a single user repository like LDAP, user authentication and role/permission management on what a "user" is allowed to perform biz feature wise, it is perhaps better to look into a front-end tier solution which is placed in front of K8S to handle that part. K8S authentication/authorization focuses more on K8S resources (node, pod, volume, etc.) by service accounts, which are not "normal" users who are "person" entities, e.g. customers or business users. – mon Apr 02 '18 at 08:49
1 Answer
Steps
- Find the Service defined for the application.
- Expose the Service via either NodePort, LoadBalancer, or Ingress.
Reference
- Kubernetes in Action Chapter 5. Services: enabling clients to discover and talk to pods
The diagrams are from the book:
NodePort
If the client can access the nodes directly or via a tunnel (VPN or SSH tunnel), then expose the service as NodePort type.
To do so, use `kubectl expose` or `kubectl edit` to change the `spec.type`.
Example:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  clusterIP: 10.100.96.203
  ports:
  - port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: ClusterIP  # <----- Change to NodePort (or LoadBalancer)
```
LoadBalancer
If the K8S is running in AWS, Azure, GCE, for which the K8S cloud providers are supported, then the service can be exposed via the load balancer DNS or IP (can be via the public Internet too, depending on the access configuration on the LB). Change the service spec.type to LoadBalancer.
For AWS cloud provider, refer to K8S AWS Cloud Provider Notes.
Ingress
K8S ingress offers a way to access via hostname and TLS. Similar to OpenShift Route.

mon
- Can I use a session management thing so that one user can only access his application installed in his own namespace? – captainchhala Apr 02 '18 at 03:46
- @captainchhala, RBAC role binding is tied to a namespace, so yes, but integrating a user/group like Active Directory/LDAP is a different matter (e.g. https://stackoverflow.com/questions/42170380/how-to-add-users-to-kubernetes-kubectl) – mon Apr 02 '18 at 06:33
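The lookup the question asks about (turning an exposed Service into a URL for its owner), as an added example that is not part of the original question or answer. It assumes one namespace per user, named after the user; `service_url`, `node_address` and the sample objects are hypothetical and constructed, shaped like items from `kubectl get svc -o json` and `kubectl get nodes -o json`.

```python
"""Build the URL a portal hands to a user from `kubectl get svc -o json` output."""

# Constructed sample objects, trimmed to the fields read below.
SAMPLE_SERVICE = {
    "metadata": {"name": "hub", "namespace": "alice"},
    "spec": {"type": "NodePort",
             "ports": [{"port": 80, "targetPort": 8000, "nodePort": 31080}]},
    "status": {"loadBalancer": {}},
}
SAMPLE_NODES = [
    {"status": {"addresses": [{"type": "InternalIP", "address": "10.0.0.11"},
                              {"type": "Hostname", "address": "node-1"}]}},
]


def node_address(nodes):
    """Prefer an ExternalIP; fall back to InternalIP (VPN/SSH-tunnel access)."""
    for wanted in ("ExternalIP", "InternalIP"):
        for node in nodes:
            for addr in node["status"].get("addresses", []):
                if addr["type"] == wanted:
                    return addr["address"]
    return None


def service_url(service, nodes, user_namespace, scheme="http"):
    """Return scheme://host:port for the user, or None if not reachable."""
    # Assumption: only hand out URLs for Services in the user's own namespace.
    if service["metadata"]["namespace"] != user_namespace:
        raise PermissionError("service is outside the user's namespace")
    spec = service["spec"]
    port = spec["ports"][0]
    if spec["type"] == "LoadBalancer":
        ingress = service.get("status", {}).get("loadBalancer", {}).get("ingress", [])
        if not ingress:
            return None  # load balancer not provisioned yet
        host = ingress[0].get("hostname") or ingress[0].get("ip")
        return f"{scheme}://{host}:{port['port']}"
    if spec["type"] == "NodePort":
        host = node_address(nodes)
        if host is None or "nodePort" not in port:
            return None
        return f"{scheme}://{host}:{port['nodePort']}"
    return None  # ClusterIP: only reachable from inside the cluster


if __name__ == "__main__":
    print(service_url(SAMPLE_SERVICE, SAMPLE_NODES, "alice"))
```

The namespace check only governs which URLs the portal hands out; a NodePort is still open on every node, so who can reach it is controlled at the network level.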