Once we've provisioned a cluster for you, we'll create an organization on your behalf using the legal business name collected during the on-boarding process. This new organization lives within Datica's centralized authentication system, which is responsible for managing users and cluster access.
After we've created the organization, an invite will be sent to the email address on file (as well as to any other administrators). Use this email to activate your account. Once you've activated your account, you'll need to download and install the Datica datikube CLI utility. You can download the package and view installation instructions here.
Using datikube to authenticate
Once you've installed datikube, you'll need three pieces of information:
- <NAME> - This is the name you'd like to use for your cluster (ex: "prod", "staging", etc.). Datica will configure this for you.
- <CLUSTER-URL> - This is a URL at which this cluster's kube-apiserver is accessible. Datica will provide this to you.
- <CA-FILE> - This should be the relative path to the CA cert for this cluster. Datica will provide you with this file.
After you've gathered your cluster's name, cluster URL, and CA file, you can run the following command:
datikube set-context <NAME> <CLUSTER-URL> <CA-FILE>
For example:
datikube set-context prod-cluster https://192.168.99.100:8443 ~/.example/ca.crt
After successfully running the datikube set-context command with the parameters above, you can begin using your new compliant cluster!
Before deploying your workloads onto your new Kubernetes cluster, you'll want to ensure you can access the various deployments Datica provides. Those include:
- Logging access: kubectl port-forward -n logging service/kibana 8001:80
  With the port-forward running, the Kibana dashboard can be accessed in your browser at http://localhost:8001
- Monitoring access: kubectl port-forward -n monitoring service/grafana 8002:3000
  With the port-forward running, the Grafana dashboard can be accessed in your browser at http://localhost:8002
Groups and ACLs
Kubernetes ACLs are constructed from the following sections, separated by colons (`:`):
- product - The first part of the ACL string should always be the exact string "product".
- cluster - The second part of the ACL string should always be the exact string "cluster".
- cluster name - The name of the cluster you want the ACL to apply to.
- action - This part of the ACL string should always be the exact string "action" OR "*".
- group - A group is a Kubernetes-specific concept that overlaps with Datica's groups. In almost all cases, you can use `*` here.
- namespace - A namespace is a Kubernetes-specific concept. You can learn more about namespaces here.
- resource - A resource is a Kubernetes-specific concept and is essentially any object that is set up on Kubernetes. You can see the full list of Kubernetes resource types here.
- verb - The last part of the ACL string is the HTTP verb. The list of possible verbs can be viewed here.
When completely assembled, the string should look something like product:cluster:<CLUSTER-NAME>:action:<GROUP>:<NAMESPACE>:<RESOURCE>:<VERB>.
ACL String Examples:
To give a group access to view monitoring, use the following ACL string:
product:cluster:mycluster:action:*:monitoring:*:GET. This ACL string will provide users in this group access to retrieve all resources that are in the "monitoring" namespace.
To give a group access to view logging, use the following ACL string:
product:cluster:mycluster:action:*:logging:*:GET. This ACL string will provide users in this group access to retrieve all resources that are in the "logging" namespace.
To give a group full access to a specific namespace, use an ACL string like this:
product:cluster:mycluster:action:*:examplenamespace:*:*. This ACL string will provide users in the group complete access to the "examplenamespace" namespace.
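The following is an added example (not Datica's or datikube's code) showing how an ACL string in the format above can be validated and evaluated against a request before it is handed to a group. It assumes that `*` matches any value in a field and that anything else must match exactly, that a group grants a request if any one of its ACL strings allows it, and that the group field is not evaluated (the page recommends `*` there); the sample ACLs are constructed from the examples on this page.

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed sample: the logging and monitoring ACLs from this page, plus a full-access one.
SAMPLE_GROUP_ACLS = [
    "product:cluster:mycluster:action:*:monitoring:*:GET",
    "product:cluster:mycluster:action:*:logging:*:GET",
    "product:cluster:mycluster:action:*:examplenamespace:*:*",
]


@dataclass(frozen=True)
class ClusterACL:
    cluster_name: str
    group: str
    namespace: str
    resource: str
    verb: str


def parse_acl(acl: str) -> ClusterACL:
    """Split an ACL string on ':' and check its fixed fields; raise ValueError if malformed."""
    parts = acl.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 colon-separated fields, got {len(parts)}: {acl!r}")
    product, cluster, name, action, group, namespace, resource, verb = parts
    if product != "product" or cluster != "cluster":
        raise ValueError(f"ACL must start with 'product:cluster', got {product!r}:{cluster!r}")
    if action not in ("action", "*"):
        raise ValueError(f"fourth field must be 'action' or '*', got {action!r}")
    if not all((name, group, namespace, resource, verb)):
        raise ValueError(f"empty field in ACL string {acl!r}")
    return ClusterACL(name, group, namespace, resource, verb.upper())


def _field_matches(pattern: str, value: str) -> bool:
    # Assumption: '*' matches any value; any other pattern must match exactly.
    return pattern == "*" or pattern == value


def acl_allows(acl: ClusterACL, cluster: str, namespace: str, resource: str, verb: str) -> bool:
    """True if this single ACL grants `verb` on `resource` in `namespace` of `cluster`."""
    return (
        _field_matches(acl.cluster_name, cluster)
        and _field_matches(acl.namespace, namespace)
        and _field_matches(acl.resource, resource)
        and _field_matches(acl.verb, verb.upper())
    )


def group_allows(acl_strings: Iterable[str], cluster: str, namespace: str, resource: str, verb: str) -> bool:
    """Assumed allow-list semantics: the group grants the request if any of its ACLs allows it."""
    return any(acl_allows(parse_acl(s), cluster, namespace, resource, verb) for s in acl_strings)
```

Rejecting a malformed string at creation time (wrong prefix, wrong field count, empty fields) is cheaper than discovering later that a group silently has no access, or broader access than intended.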
Creating ACLs and Groups
ACLs and Groups are managed inside of the product dashboard. To create a new group, navigate to product.datica.com and select your organization.
Once inside the organization view, you can select the Users tab to add new users.
Once you've added users, you can create new ACL groups. For Kubernetes users, please use the Cluster Access tab to create new groups.