Minimal RBAC Configuration for Development Clusters

The following describes the minimal RBAC roles and permissions a developer needs for day-to-day use of Garden with the kubernetes plugin. These should be created along with the kubeconfig/kubecontext for the user in their namespace, replacing the <username>, <service-accounts-namespace> and <project-namespace> values as appropriate.

---
# The developer's service account. Every binding on this page names this
# account as its subject, so the permissions granted below all attach to it.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: <service-accounts-namespace>
  name: user-<username>

---

# The project namespace the developer works in
apiVersion: v1
kind: Namespace
metadata:
  name: <project-namespace>
  annotations:
    # Required by Garden; keep the value quoted so it is read as a string.
    garden.io/version: "0.11.3"

---

# Read-only access to two cluster-scoped resource types. This is cluster-wide:
# the account can enumerate every namespace and every persistent volume in the
# cluster, not only those belonging to <project-namespace>.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: user-<username>
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  - persistentvolumes
  verbs:
  - get
  - list
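---
# Binds the cluster-wide read-only ClusterRole above to the user's service
# account. ClusterRoleBinding is cluster-scoped, so it carries no
# metadata.namespace; a namespace given here is ignored for cluster-scoped kinds
# and only misleads readers into thinking the binding is namespaced.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: user-<username>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: user-<username>
subjects:
- kind: ServiceAccount
  name: user-<username>
  namespace: <service-accounts-namespace>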

---

# Unrestricted access within <project-namespace>. The wildcards match every API
# group, resource and subresource in the namespace (secrets, pods/exec and the
# namespace's own Role/RoleBinding objects included). A Role is namespaced, so
# the grant stops at the namespace boundary.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: <project-namespace>
  name: <project-namespace>
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - "*"
---
# Grants the <project-namespace> Role above to the user's service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: <project-namespace>
  name: <project-namespace>
roleRef:
  kind: Role
  name: <project-namespace>
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: user-<username>
  namespace: <service-accounts-namespace>

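---

# Required access for the shared garden-system namespace. Everything here is
# read-only except the two "create" verbs, each commented where it appears.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: garden-system
  name: user-<username>-common
rules:
# Allow port forward to build-sync services.
# Note: "create" on pods/portforward applies to every pod in garden-system, not
# only the build-sync pods; RBAC cannot narrow a verb to specific pods.
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
# Note: An upcoming release will remove the requirement
- apiGroups: [""]
  resources: ["pods/portforward"]
  verbs: ["get", "list", "create"]
# Allow storing and reading test results
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "create"]
# Allow getting status of shared services
- apiGroups: [""]
  resources:
  - "configmaps"
  - "services"
  - "serviceaccounts"
  - "persistentvolumeclaims"
  - "pods/log"
  verbs: ["get", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "rolebindings"]
  verbs: ["get", "list"]
# "extensions" is the legacy API group for these kinds; a group the API server
# does not serve simply never matches, so listing both is safe.
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "daemonsets"]
  verbs: ["get", "list"]
# Note: We do not store anything sensitive in secrets, aside from registry auth,
#       which users anyway need to be able to read and push built images.
# "get" and "list" return secret contents, not just names, so revisit this rule
# if anything else is ever stored in garden-system secrets.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]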

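---

# Grants the garden-system "common" Role above to the user's service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user-<username>-common
  namespace: garden-system
roleRef:
  kind: Role
  name: user-<username>-common
  # Spelled out to match the other bindings on this page. The API server
  # defaults an empty roleRef.apiGroup to this value, but leaving it as "" hides
  # the intent and differs from the bindings above.
  apiGroup: rbac.authorization.k8s.io
subjects:
- namespace: <service-accounts-namespace>
  kind: ServiceAccount
  name: user-<username>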

---

# Allow building with kaniko in-cluster: the account may create and delete pods
# in garden-system. Note: An upcoming release will remove this required role.
# Pod creation is a broad grant: the pod spec selects its own image, volumes and
# service account, so review what garden-system holds before handing this out.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: garden-system
  name: user-<username>-kaniko
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "create", "delete"]

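---

# Grants the garden-system kaniko Role above to the user's service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user-<username>-kaniko
  namespace: garden-system
roleRef:
  kind: Role
  name: user-<username>-kaniko
  # Spelled out to match the other bindings on this page. The API server
  # defaults an empty roleRef.apiGroup to this value, but leaving it as "" hides
  # the intent and differs from the bindings above.
  apiGroup: rbac.authorization.k8s.io
subjects:
- namespace: <service-accounts-namespace>
  kind: ServiceAccount
  name: user-<username>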
