Clusters with RBAC
Using Infra App in RBAC-enabled clusters
Infra App is designed to work out of the box with RBAC-enabled environments. It assumes users have one of two roles:
- Full cluster access
- Single-namespace access
Infra App looks at the
context entry the Kubernetes configuration file (KubeConfig) to know which namespace it should attempt to load for the user. For example:- context:
cluster: gke_test-cluster-abcdefg_us-central1-c_cluster-1
namespace: default # This tells Infra App which namespace to use
user: gke_test-cluster-abcdefg_us-central1-c_cluster-1
name: gke_test-cluster-abcdefg_us-central1-c_cluster-1-single-namespace
The configuration below outlines the permissions Infra App needs for a single-namespace user. Note that Infra App will work continue to work gracefully if users can't access the full list of resources.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default #replace with your namespace
name: example-role #replace with your role name
rules:
- apiGroups: [""]
resources: ["pods", "pods/log", "events", "services", "configmaps", "persistentvolumeclaims", "endpoints"]
verbs: ["get", "watch", "list", "delete"]
- apiGroups: [""] # For pod shell access
resources: ["pods/exec"]
verbs: ["get", "watch", "create"]
- apiGroups: ["extensions", "apps"]
resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
verbs: ["get", "watch", "list"]
- apiGroups: ["extensions", "batch"]
resources: ["jobs", "cronjobs"]
verbs: ["get", "watch", "list"]
- apiGroups: ["extensions", "networking.k8s.io"] # For ingresses
resources: ["ingresses"]
verbs: ["get", "watch", "list"]
- apiGroups: ["metrics.k8s.io"] # For metrics access
resources: ["pods"]
verbs: ["get", "watch", "list"]
Last modified 3yr ago