Clusters with RBAC

Using Infra App in RBAC-enabled clusters

Infra App is designed to work out of the box with RBAC-enabled environments. It assumes users have one of two roles:

  • Full cluster access

  • Single-namespace access

Single Namespace access

Kubernetes configuration file

Infra App looks at the context entry in the Kubernetes configuration file (KubeConfig) to know which namespace it should attempt to load for the user. For example:

- context:
    cluster: gke_test-cluster-abcdefg_us-central1-c_cluster-1
    namespace: default # This tells Infra App which namespace to use
    user: gke_test-cluster-abcdefg_us-central1-c_cluster-1
  name: gke_test-cluster-abcdefg_us-central1-c_cluster-1-single-namespace

Required RBAC Rules

The configuration below outlines the permissions Infra App needs for a single-namespace user. Note that Infra App will continue to work gracefully if users can't access the full list of resources.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default #replace with your namespace
  name: example-role #replace with your role name
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "events", "services", "configmaps", "persistentvolumeclaims", "endpoints"]
  verbs: ["get", "watch", "list", "delete"]
- apiGroups: [""] # For pod shell access
  resources: ["pods/exec"]
  verbs: ["get", "watch", "create"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["extensions", "batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["extensions", "networking.k8s.io"] # For ingresses
  resources: ["ingresses"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["metrics.k8s.io"] # For metrics access
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
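The Role above only takes effect once it is bound to a user, and a single-namespace grant is only as narrow as that binding. The following is an added example, not Infra App's own tooling: it renders the RoleBinding, reads the namespace from the kubeconfig context shown earlier, and asks the API server what the bound user can actually do. The role name, namespace, context name and user name are assumed placeholders.

```shell
#!/bin/sh
# Added example; not part of Infra App. Assumes the Role above is applied as
# "example-role" in namespace "default" and that the user name is a placeholder.

# Emit the RoleBinding that attaches the page's Role to one user in one namespace.
# A RoleBinding (not a ClusterRoleBinding) keeps the grant scoped to that namespace.
render_rolebinding() {
  ns="$1"; role="$2"; user="$3"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${role}-binding
  namespace: ${ns}
subjects:
- kind: User
  name: ${user}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Return the namespace recorded for a context in a kubeconfig laid out as in the
# snippet above (keys under "- context:" indented four spaces, "name:" two).
context_namespace() {
  awk -v ctx="$2" '
    /^- context:/           { ns = "" }
    /^    namespace:/       { ns = $2 }
    /^  name:/ && $2 == ctx { print ns; exit }
  ' "$1"
}

# Ask the API server what the bound user can do in that namespace. Requires
# kubectl and cluster access; prints one "verb resource  yes|no" line per check.
check_required_access() {
  ns="$1"; user="$2"
  for spec in "get pods" "list events" "delete pods" "get pods --subresource=log" \
              "create pods --subresource=exec" "list deployments" "list ingresses" \
              "list pods.metrics.k8s.io"; do
    printf '%-32s %s\n' "$spec" "$(kubectl auth can-i $spec -n "$ns" --as="$user")"
  done
  # Least-privilege check: a Role-bound user should have no cluster-wide view.
  printf '%-32s %s\n' "list pods --all-namespaces" \
    "$(kubectl auth can-i list pods --all-namespaces --as="$user")"
}
```

Run `render_rolebinding default example-role <user> | kubectl apply -f -` to create the binding, then `check_required_access default <user>`; the last line should print `no`.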
