Minimal RBAC Configuration for Development Clusters
The following lists the minimal RBAC roles and permissions that developers need for day-to-day use of Garden with the kubernetes plugin. Create them together with the kubeconfig/kubecontext for the user in their namespace, replacing the <username>, <service-accounts-namespace> and <project-namespace> values as appropriate. Note that the Role bound in <project-namespace> is a full wildcard (namespace-admin) grant, and the garden-system roles allow creating and deleting pods in that shared namespace, so treat this as a starting point for a development cluster rather than a hardened production policy.
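---
# The user's ServiceAccount. It lives in a dedicated namespace, separate from
# the project namespace it is granted access to, so the wildcard Role below
# cannot be used to tamper with the account itself.
# <username> must form a valid DNS-1123 label (lowercase alphanumerics and "-").
apiVersion: v1
kind: ServiceAccount
metadata:
  name: user-<username>
  namespace: <service-accounts-namespace>

---

# Project namespace
apiVersion: v1
kind: Namespace
metadata:
  name: <project-namespace>
  # Required by Garden; keep the value quoted so it stays a string.
  annotations:
    garden.io/version: "0.11.3"

---

# Allow reading namespaces and persistent volumes, which are cluster-scoped.
# This is the only cluster-wide grant in this file; everything else is
# namespace-scoped.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: user-<username>
rules:
  - apiGroups: [""]
    resources: ["namespaces", "persistentvolumes"]
    verbs: ["get", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # ClusterRoleBindings are cluster-scoped: a metadata.namespace here is
  # cleared by the API server and only misleads readers, so it is omitted.
  name: user-<username>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: user-<username>
subjects:
  - kind: ServiceAccount
    name: user-<username>
    namespace: <service-accounts-namespace>

---

# Full permissions within <project-namespace>.
# NOTE(review): "*" verbs on every resource make this a namespace-admin role.
# The wildcard covers pods/exec, secrets, serviceaccounts and the "bind" /
# "escalate" verbs on roles and rolebindings, so the user can grant themselves
# any namespace-scoped permission in this namespace. That is the intent for a
# personal dev namespace, but keep privileged ServiceAccounts (anything with
# cluster-wide bindings) out of it, and enforce Pod Security Admission (or an
# equivalent admission policy), NetworkPolicy and ResourceQuota at the
# namespace level: RBAC alone does not constrain what a created pod may do.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: <project-namespace>
  namespace: <project-namespace>
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: <project-namespace>
  namespace: <project-namespace>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: <project-namespace>
subjects:
  - kind: ServiceAccount
    name: user-<username>
    namespace: <service-accounts-namespace>

---

# Required access for the garden-system namespace, which is shared by all users.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: garden-system
  name: user-<username>-common
rules:
  # Allow port-forwarding to the build-sync services.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  # Note: An upcoming release will remove the requirement
  - apiGroups: [""]
    resources: ["pods/portforward"]
    verbs: ["get", "list", "create"]
  # Allow storing and reading test results. "create" only: existing results
  # cannot be modified or deleted through this role.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "create"]
  # Allow getting the status of shared services. (This rule also covers the
  # get/list on configmaps, services and serviceaccounts, so no separate rule
  # for those is needed.)
  - apiGroups: [""]
    resources:
      - "configmaps"
      - "services"
      - "serviceaccounts"
      - "persistentvolumeclaims"
      - "pods/log"
    verbs: ["get", "list"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["get", "list"]
  # "extensions" is kept for older clusters that still serve deployments and
  # daemonsets from that group; on current clusters only "apps" applies.
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments", "daemonsets"]
    verbs: ["get", "list"]
  # Note: We do not store anything sensitive in secrets, aside from registry auth,
  # which users anyway need to be able to read and push built images.
  # NOTE(review): "list" returns every Secret in garden-system in full, including
  # any ServiceAccount token Secrets. If that namespace ever holds anything
  # else, narrow this to "get" with resourceNames on the registry-auth Secret
  # (resourceNames do not restrict "list").
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user-<username>-common
  namespace: garden-system
roleRef:
  # Explicit, and consistent with the other bindings in this file; an empty
  # apiGroup only works because the API server defaults it.
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: user-<username>-common
subjects:
  - kind: ServiceAccount
    name: user-<username>
    namespace: <service-accounts-namespace>

---

# Allow building with kaniko in-cluster
# Note: An upcoming release will remove this required role
# NOTE(review): "create" on pods in garden-system is the most sensitive grant
# in this file. Kubernetes lets a pod creator set any serviceAccountName that
# exists in the namespace, so the user can run an arbitrary image with the
# token of any garden-system ServiceAccount (which they can list via the
# "common" role). Make sure no ServiceAccount in garden-system carries
# permissions beyond what this file grants, and apply a Pod Security Admission
# level to the namespace. "delete" on any pod also lets a user disrupt the
# shared components running there.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: garden-system
  name: user-<username>-kaniko
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
      - "get"
      - "list"
      - "create"
      - "delete"

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user-<username>-kaniko
  namespace: garden-system
roleRef:
  # Explicit, and consistent with the other bindings in this file; an empty
  # apiGroup only works because the API server defaults it.
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: user-<username>-kaniko
subjects:
  - kind: ServiceAccount
    name: user-<username>
    namespace: <service-accounts-namespace>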