Customizing RBAC for the SDK
This topic describes role-based access control (RBAC) for the Replicated SDK, including the default RBAC, minimum RBAC requirements, and how to install the SDK with custom RBAC.
Default RBAC
The SDK creates default Role, RoleBinding, and ServiceAccount objects during installation. The default Role allows the SDK to get, list, and watch all resources in the namespace and to update the replicated
Secret and ConfigMap:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
{{- include "replicated.labels" . | nindent 4 }}
name: replicated-role
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- 'get'
- 'list'
- 'watch'
- apiGroups:
- ''
resources:
- 'secrets'
verbs:
- 'update'
resourceNames:
- replicated
Minimum RBAC Requirements
The SDK requires the following minimum RBAC permissions:
Get and update a Secret named
replicated
.The SDK requires the following minimum RBAC permissions for status informers:
- If you defined custom status informers, then the SDK must have permissions to get, list, and watch all the resources listed in the
replicated.statusInformers
array in your Helm chartvalues.yaml
file. - If you did not define custom status informers, then the SDK must have permissions to get, list, and watch the following resources:
- Deployments
- Daemonsets
- Ingresses
- PersistentVolumeClaims
- Statefulsets
- Services
- For any Ingress resources used as status informers, the SDK requires
get
permissions for the Service resources listed in thebackend.Service.Name
field of the Ingress resource. - For any Daemonset and Statefulset resources used as status informers, the SDK requires
list
permissions for pods in the namespace. - For any Service resources used as status informers, the SDK requires
get
permissions for Endpoint resources with the same name as the service.
The Replicated vendor portal uses status informers to provide application status data. For more information, see Helm Installations in Enabling and Understanding Application Status.
- If you defined custom status informers, then the SDK must have permissions to get, list, and watch all the resources listed in the
Install the SDK with Custom RBAC
To use the SDK with custom RBAC permissions, provide the name for a custom ServiceAccount object during installation. When a service account is provided, the SDK uses the RBAC permissions granted to the service account and does not create the default Role, RoleBinding, or ServiceAccount objects.
To install the SDK with custom RBAC:
Create custom Role, RoleBinding, and ServiceAccount objects. The Role must meet the minimum requirements described in Minimum RBAC Requirements above.
During installation, provide the name of the service account that you created by including
--set replicated.serviceAccountName=CUSTOM_SERVICEACCOUNT_NAME
.Example:
helm install wordpress oci://registry.replicated.com/my-app/beta/wordpress --set replicated.serviceAccountName=mycustomserviceaccount
For more information about installing with Helm, see Installing with Helm.