Kubectl shell
Platform administrators and users alike often find themselves in a situation where they just need to execute a couple of kubectl commands against a cluster to troubleshoot or get a specific piece of information from it.
The Kubectl Shell feature is a terminal connected to a pod that contains kubectl, among other tools. The pod runs inside the target vCluster, in the namespace vcluster-platform-shell.
A kubeconfig is mounted into the pod with a vCluster-scoped AccessKey. This means the AccessKey cannot be used to access any other resources in vCluster Platform. The Kubectl Shell pod and its AccessKey
are automatically cleaned up after 15 minutes of inactivity. To learn more about the security implications and the options for hardening, read the Security Considerations section.
How to use
The Kubectl Shell feature can be opened from the Project Overview page, under the ellipsis menu of any vCluster row, and from the vCluster Config page, under its ellipsis menu.
Who can use it
Any user who has the VirtualClusterInstance and VirtualClusterInstances/Shell permissions in vCluster Platform, plus pod/exec permission in the vcluster-platform-shell namespace inside the vCluster, can use the Kubectl Shell feature.
Read the Security Considerations section to understand the implications of granting these permissions.
The following YAML creates a project role that grants the VirtualClusterInstance permissions needed for the Kubectl Shell feature:
export PLATFORM_NS=kubectlshell
```yaml
kind: ClusterRoleTemplate
apiVersion: management.loft.sh/v1
metadata:
  name: kubectlshell
  labels:
    loft.sh/project-role: 'true'
spec:
  displayName: kubectlshell
  owner:
    user: admin
  management: true
  clusterRoleTemplate:
    metadata: {}
    rules:
      - verbs:
          - '*'
        apiGroups:
          - management.loft.sh
        resources:
          - virtualclusterinstances
          - virtualclusterinstances/shell
```
By default, users with VirtualClusterInstance access are granted the cluster-admin ClusterRole inside the vCluster, which already includes the pod/exec permission the Kubectl Shell feature needs. If you configure custom RBAC instead, any ClusterRole or Role that grants the following permissions will suffice:
```yaml
rules:
  - apiGroups:
      - ""
    resources:
      - pods/attach
      - pods/exec
    verbs:
      - create
```
If you use a Role and RoleBinding rather than a ClusterRole, both must be created in the vcluster-platform-shell namespace, because a RoleBinding only takes effect in its own namespace and that is where the Kubectl Shell pods run.
Security considerations
The permissions required for this feature should only be given to users who are otherwise vCluster admins. vCluster admins, not to be confused with vCluster Platform admins, are any users who have full, or effectively full, access to perform sensitive actions within the targeted vCluster.
The Kubectl Shell pods run inside the vCluster in the vcluster-platform-shell namespace. The kubeconfig is mounted from a Secret that also lives in the vcluster-platform-shell namespace.
Any user who can either exec into pods or read secrets in vcluster-platform-shell can therefore obtain the kubeconfig and the AccessKey token embedded in it. The AccessKey is scoped to the vCluster, meaning it can only be used to access that vCluster's resources and cannot be used to reach any other resources in vCluster Platform. Even so, these permissions should only be granted to users who are considered admins of the targeted vCluster. It is common for every user with access to a vCluster to effectively be an admin of that vCluster. Pod exec permission is a sensitive privilege in any case and should only be given to vCluster admins. Use normal Kubernetes RBAC to control who has access to the vcluster-platform-shell namespace.
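The two sections above (custom RBAC for the Kubectl Shell pods, and who can reach the mounted kubeconfig) boil down to one question: which subjects in the vCluster can create pods/exec or pods/attach, or read secrets, in vcluster-platform-shell. The script below is an added example, not code from the vCluster Platform documentation or project. It evaluates Kubernetes RBAC objects offline in the shape `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` returns (the SAMPLE objects, and the users alice, bob and carol and the prometheus ServiceAccount in them, are constructed for illustration) and reports every subject that holds one of those sensitive permissions in the shell namespace. It deliberately treats cluster-wide bindings as reaching the shell namespace, ignores RoleBindings in other namespaces, and does not model aggregated ClusterRoles or resourceNames restrictions, so it can over-report but not silently under-report.

```python
"""Audit which subjects can reach the Kubectl Shell kubeconfig inside a vCluster (added example)."""
from typing import Dict, List, Set, Tuple

SHELL_NS = "vcluster-platform-shell"
Perm = Tuple[str, str, str]  # (apiGroup, resource, verb)

# Permissions that expose the mounted kubeconfig and its AccessKey.
SENSITIVE: Set[Perm] = {
    ("", "pods/exec", "create"),
    ("", "pods/attach", "create"),
    ("", "secrets", "get"),
    ("", "secrets", "list"),
}


def rule_grants(rule: dict, perm: Perm) -> bool:
    """True if one RBAC rule covers perm. Only the literal '*' is a wildcard in RBAC."""
    group, resource, verb = perm

    def hit(values: List[str], target: str) -> bool:
        return "*" in values or target in values

    return (hit(rule.get("apiGroups", []), group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def sensitive_perms(role: dict) -> Set[Perm]:
    """All sensitive permissions granted by a Role or ClusterRole object."""
    return {p for p in SENSITIVE for r in role.get("rules", []) if rule_grants(r, p)}


def audit(items: List[dict]) -> Dict[str, Set[Perm]]:
    """Map each subject ('Kind/name', or 'ServiceAccount/ns/name') to the sensitive
    permissions it effectively holds in SHELL_NS."""
    roles = {}
    for obj in items:
        if obj["kind"] in ("Role", "ClusterRole"):
            meta = obj["metadata"]
            roles[(obj["kind"], meta.get("namespace", ""), meta["name"])] = obj
    findings: Dict[str, Set[Perm]] = {}
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ns = obj["metadata"].get("namespace", "")
        # A RoleBinding only has effect inside its own namespace; a
        # ClusterRoleBinding applies everywhere, including SHELL_NS.
        if obj["kind"] == "RoleBinding" and ns != SHELL_NS:
            continue
        ref = obj["roleRef"]
        # A RoleBinding may reference a Role only from its own namespace.
        key = ("ClusterRole", "", ref["name"]) if ref["kind"] == "ClusterRole" else ("Role", ns, ref["name"])
        perms = sensitive_perms(roles.get(key, {}))
        if not perms:
            continue
        for subj in obj.get("subjects", []):
            sid = f'{subj["kind"]}/{subj["name"]}'
            if subj["kind"] == "ServiceAccount":
                sid = f'ServiceAccount/{subj.get("namespace", "")}/{subj["name"]}'
            findings.setdefault(sid, set()).update(perms)
    return findings


def _role(kind, name, rules, ns=None):
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": kind, "metadata": meta, "rules": rules}


def _binding(kind, name, ref_kind, ref_name, subjects, ns=None):
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": kind, "metadata": meta,
            "roleRef": {"kind": ref_kind, "name": ref_name}, "subjects": subjects}


# Constructed sample (not real cluster data): the default "vCluster user is
# cluster-admin" binding, the Role/RoleBinding pair described above for custom
# RBAC, a secret reader confined to another namespace, and a cluster-wide one.
SAMPLE = [
    _role("ClusterRole", "cluster-admin", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _binding("ClusterRoleBinding", "vcluster-admins", "ClusterRole", "cluster-admin",
             [{"kind": "User", "name": "alice"}]),
    _role("Role", "shell-exec", [{"apiGroups": [""], "resources": ["pods/attach", "pods/exec"],
                                  "verbs": ["create"]}], ns=SHELL_NS),
    _binding("RoleBinding", "shell-exec", "Role", "shell-exec",
             [{"kind": "User", "name": "bob"}], ns=SHELL_NS),
    _role("Role", "secret-reader", [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}], ns="dev"),
    _binding("RoleBinding", "secret-reader", "Role", "secret-reader",
             [{"kind": "User", "name": "carol"}], ns="dev"),
    _role("ClusterRole", "secret-reader", [{"apiGroups": [""], "resources": ["secrets"],
                                            "verbs": ["get", "list", "watch"]}]),
    _binding("ClusterRoleBinding", "prometheus-secrets", "ClusterRole", "secret-reader",
             [{"kind": "ServiceAccount", "name": "prometheus", "namespace": "monitoring"}]),
]

if __name__ == "__main__":
    for subject, perms in sorted(audit(SAMPLE).items()):
        print(subject, sorted(f"{verb} {res}" for _, res, verb in perms))
```

Run against the sample, alice (cluster-admin) and bob (the namespaced exec Role) are flagged as expected, carol is not, because her secret access is confined to the dev namespace, and the cluster-wide secret-reader ServiceAccount is flagged even though nothing binds it in vcluster-platform-shell directly; that last case is the one that is easy to miss when reviewing only the shell namespace's own RoleBindings.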