Limit Default RBAC Rules For Kanister Operator (#3134)
Signed-off-by: Rajat Gupta <[email protected]>
Co-authored-by: Vivek Singh <[email protected]>
1 parent 0847571, commit 1f40f03
Showing 10 changed files with 160 additions and 15 deletions.
|
@@ -21,6 +21,7 @@ and easy to install, operate and scale. | |
|
||
overview | ||
install | ||
rbac | ||
tutorial | ||
architecture | ||
tasks | ||
|
@@ -0,0 +1,69 @@ | ||
.. _rbac: | ||
|
||
RBAC Configuration | ||
****************** | ||
|
||
The `edit` `ClusterRole` is a built-in Kubernetes system role that offers | ||
permissions to modify most objects within a namespace, excluding roles, | ||
role bindings, and resource quotas. This role allows access to create, update, | ||
delete, and view resources such as Deployments, Pods, Services, ConfigMaps, | ||
PersistentVolumeClaims, and more. The Kanister Helm chart used to assign the | ||
`edit` `ClusterRole` to the Kanister service account, which granted all the | ||
permissions mentioned in the `edit` `ClusterRole` to the Kanister application. | ||
|
||
To enhance security, the `edit` `ClusterRoleBinding` has been removed from | ||
the Kanister Helm Chart. Users are required to create their own | ||
`Role`/`RoleBinding` in the application's namespace to grant the necessary | ||
permissions to Kanister's Service Account, providing more control over | ||
the specific permissions granted. | ||
|
||
Creating a RoleBinding with edit ClusterRole | ||
============================================ | ||
|
||
To allow Kanister to perform backup/restore operations in the application | ||
namespace, create a `RoleBinding` in the application namespace that assigns | ||
the `edit` `ClusterRole` to Kanister's Service Account: | ||
|
||
.. code-block:: bash | ||
kubectl create rolebinding kanister-edit-binding --clusterrole=edit \ | ||
--serviceaccount=<release-namespace>:<release-name>-kanister-operator \ | ||
--namespace=<application-namespace> | ||
Creating a Role with Granular Permissions | ||
========================================= | ||
|
||
If Blueprint doesn't require access to all the resources that are included | ||
in the `edit` ClusterRole, you can create a `Role` in application namespace | ||
with just the specific resources and verbs that Blueprint needs, and a `RoleBinding` | ||
in application namespace to bind the `Role` to Kanister's Service Account. | ||
This approach enhances security by granting only the necessary permissions. | ||
|
||
1. Create a `Role` with the permissions required by the Blueprint: | ||
|
||
.. code-block:: yaml | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: kanister-role | ||
namespace: <application-namespace> | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["pods", "pods/log", "persistentvolumeclaims" ,"secrets"] | ||
verbs: ["get", "list", "watch"] | ||
- apiGroups: ["apps"] | ||
resources: ["deployments", "statefulsets"] | ||
verbs: ["get", "list", "watch"] | ||
2. Create a `RoleBinding` to bind the `Role` to Kanister's Service Account: | ||
|
||
.. code-block:: bash | ||
kubectl create rolebinding kanister-role-binding --role=kanister-role \ | ||
--serviceaccount=<release-namespace>:<release-name>-kanister-operator \ | ||
--namespace=<application-namespace> | ||
After setting up the required `Role`/`RoleBinding`, Kanister will be able | ||
to successfully perform snapshot and restore operations in the application's | ||
namespace. |
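Review bot: the worked `Role` at the end of this hunk grants only `get`, `list` and `watch` on pods, pods/log, persistentvolumeclaims, secrets, deployments and statefulsets, yet the closing paragraph promises that after this setup Kanister "will be able to successfully perform snapshot and restore operations"; a read-only Role cannot create, patch or delete anything, so either extend the example with the write verbs the documented Blueprint actually needs or reword the closing sentence to say the verbs must match what the Blueprint's phases do. Separately, the rST as rendered here has no blank line between each `.. code-block::` directive and its first content line (`.. code-block:: bash` is immediately followed by `kubectl create rolebinding kanister-edit-binding ...`, and `.. code-block:: yaml` by `apiVersion: rbac.authorization.k8s.io/v1`), nor between the end of a block and the next heading or list item (`--namespace=<application-namespace>` runs straight into `Creating a Role with Granular Permissions`); docutils needs that blank line to separate the directive argument from its content, so please confirm the page builds and renders the code blocks. Finally, `secrets` read access is the most sensitive grant in the example and deserves one sentence on why a Blueprint would need it, so users can drop it when theirs does not.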
@@ -0,0 +1,65 @@ | ||
# RBAC Configuration {#rbac} | ||
|
||
The `edit` `ClusterRole` is a built-in Kubernetes system role that offers | ||
permissions to modify most objects within a namespace, excluding roles, | ||
role bindings, and resource quotas. This role allows access to create, update, | ||
delete, and view resources such as Deployments, Pods, Services, ConfigMaps, | ||
PersistentVolumeClaims, and more. The Kanister Helm chart used to assign the | ||
`edit` `ClusterRole` to the Kanister service account, which granted all the | ||
permissions mentioned in the `edit` `ClusterRole` to the Kanister application. | ||
|
||
To enhance security, the `edit` `ClusterRoleBinding` has been removed from | ||
the Kanister Helm Chart. Users are required to create their own | ||
`Role`/`RoleBinding` in the application's namespace to grant the necessary | ||
permissions to Kanister's Service Account, providing more control over | ||
the specific permissions granted. | ||
|
||
|
||
## Creating a RoleBinding with edit ClusterRole | ||
|
||
To allow Kanister to perform backup/restore operations in the application | ||
namespace, create a `RoleBinding` in the application namespace that assigns | ||
the `edit` `ClusterRole` to Kanister's Service Account: | ||
|
||
```bash | ||
kubectl create rolebinding kanister-edit-binding --clusterrole=edit \ | ||
--serviceaccount=<release-namespace>:<release-name>-kanister-operator \ | ||
--namespace=<application-namespace> | ||
``` | ||
|
||
## Creating a Role with Granular Permissions | ||
|
||
If the Blueprint doesn't require access to all the resources that are included | ||
in the `edit` ClusterRole, you can create a `Role` in the application namespace | ||
with just the specific resources and verbs that Blueprint needs, and a `RoleBinding` | ||
in the application namespace to bind the `Role` to Kanister's Service Account. | ||
This approach enhances security by granting only the necessary permissions. | ||
|
||
1. Create a `Role` with the permissions required by the Blueprint: | ||
|
||
```yaml | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: kanister-role | ||
namespace: <application-namespace> | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["pods", "pods/log", "persistentvolumeclaims", "secrets"] | ||
verbs: ["get", "list", "watch"] | ||
- apiGroups: ["apps"] | ||
resources: ["deployments", "statefulsets"] | ||
verbs: ["get", "list", "watch"] | ||
``` | ||
2. Create a `RoleBinding` to bind the `Role` to Kanister's Service Account: | ||
|
||
```bash | ||
kubectl create rolebinding kanister-role-binding --role=kanister-role \ | ||
--serviceaccount=<release-namespace>:<release-name>-kanister-operator \ | ||
--namespace=<application-namespace> | ||
``` | ||
|
||
After setting up the required `Role`/`RoleBinding`, Kanister will be able | ||
to successfully perform snapshot and restore operations in the application's | ||
namespace. |
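Review bot: this Markdown page duplicates the rST page word for word, and the two copies already differ ("If the Blueprint doesn't require" here versus "If Blueprint doesn't require" in the rST), so either keep a single source or add a check that keeps them in sync. Both versions would also benefit from a verification step after the `RoleBinding`, for example `kubectl auth can-i get pods --as=system:serviceaccount:<release-namespace>:<release-name>-kanister-operator -n <application-namespace>`, so users can confirm the grant took effect before running a Blueprint. It is also worth stating explicitly that the binding created with `--clusterrole=edit` is a namespaced `RoleBinding`, so it confers `edit` only inside `<application-namespace>` rather than cluster-wide, which is the point of this change.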
releasenotes/notes/limit-rbac-kanister-operator-3c933af021b8d48a.yaml (5 additions & 0 deletions)
@@ -0,0 +1,5 @@ | ||
--- | ||
upgrade: | ||
- Users upgrading from previous versions should note that the `edit` `ClusterRoleBinding` is no longer included by default. They must now create their own `Role` / `RoleBinding` with appropriate permissions for Kanister's Service Account in the application's namespace. | ||
security: | ||
- Enhanced security by removing the default `edit` `ClusterRoleBinding` assignment, minimizing the risk of excessive permissions. |
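Review bot: the upgrade entry tells users to create a `Role`/`RoleBinding` but not what happens if they do not (Kanister's API requests in the application namespace are denied) nor where the instructions live; add the failure mode and a pointer to the new RBAC documentation page. The security entry should also say plainly what was removed: a `ClusterRoleBinding` to `edit` granted `edit` in every namespace of the cluster, not only the release namespace, which is the concrete risk behind the phrase "excessive permissions". Administrators who added further bindings for the Kanister service account by hand should be told to audit and remove them, since the upgrade only removes the binding the chart managed.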