Clusters with RBAC

Infra App is designed to work out of the box with RBAC-enabled environments. It assumes users have one of two roles:
Full cluster access
Single-namespace access
Single Namespace access
Kubernetes configuration file
Infra App looks at the context entry the Kubernetes configuration file (KubeConfig) to know which namespace it should attempt to load for the user. For example:
1
- context:
2
    cluster: gke_test-cluster-abcdefg_us-central1-c_cluster-1
3
    namespace: default # This tells Infra App which namespace to use
4
    user: gke_test-cluster-abcdefg_us-central1-c_cluster-1
5
  name: gke_test-cluster-abcdefg_us-central1-c_cluster-1-single-namespace
Copied!
Required RBAC Rules
The configuration below outlines the permissions Infra App needs for a single-namespace user. Note that Infra App will work continue to work gracefully if users can't access the full list of resources.
1
kind: Role
2
apiVersion: rbac.authorization.k8s.io/v1
3
metadata:
4
  namespace: default #replace with your namespace
5
  name: example-role #replace with your role name
6
rules:
7
- apiGroups: [""]
8
  resources: ["pods", "pods/log", "events", "services", "configmaps", "persistentvolumeclaims", "endpoints"]
9
  verbs: ["get", "watch", "list", "delete"]
10
- apiGroups: [""] # For pod shell access
11
  resources: ["pods/exec"]
12
  verbs: ["get", "watch", "create"]
13
- apiGroups: ["extensions", "apps"]
14
  resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
15
  verbs: ["get", "watch", "list"]
16
- apiGroups: ["extensions", "batch"]
17
  resources: ["jobs", "cronjobs"]
18
  verbs: ["get", "watch", "list"]
19
- apiGroups: ["extensions", "networking.k8s.io"] # For ingresses
20
  resources: ["ingresses"]
21
  verbs: ["get", "watch", "list"]
22
- apiGroups: ["metrics.k8s.io"] # For metrics access
23
  resources: ["pods"]
24
  verbs: ["get", "watch", "list"]
Copied!
​

Features - Previous

Deleting Pods

Next - Advanced

FAQs

Last modified 1yr ago

Copy link

Contents

Single Namespace access