Running kapp under restricted permissions
In a multi-tenant Kubernetes cluster, users' actions may be limited to one or more namespaces via
The following setup is currently expected by kapp (v0.10.0+):
- [required] kapp requires list/get/create/update/delete for `v1/ConfigMap` in the state namespace so that it can store a record of the application and its deployment history.
- [optional] kapp requires one `ClusterRole` rule: listing of namespaces. This is necessary for kapp to find all namespaces so that it can search each namespace for resources that belong to a particular app (via a label). As of v0.11.0+, kapp falls back to only the state namespace if it is forbidden to list all namespaces.
- Otherwise, kapp does not require permissions for resource types that are not used in the deployed configuration. In other words, if you are not deploying a `Job` resource then kapp does not need any permissions for `Job`. Note that some resources are "cluster" created (e.g. `Pods` are created by the k8s Deployment controller when a `Deployment` resource is created), hence restricted users may not see all app-associated resources in the `kapp inspect` command (this could be advantageous or disadvantageous in different setups).
Please reach out to us in the #carvel channel in the Kubernetes Slack (linked at the bottom of the page) if the current kapp permissions model isn't compatible with your use cases. We are eager to learn about your setup and potentially improve kapp.
Namespace listing permission needed by kapp:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kapp-restricted-cr
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kapp-restricted-cr-binding
subjects:
- kind: ServiceAccount
  name: # ???
  namespace: # ??? (some tenant ns)
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kapp-restricted-cr
```
ConfigMap permissions needed by kapp:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kapp-restricted-role
  namespace: # ??? (some tenant ns)
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["list", "get", "create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kapp-restricted-role-binding
  namespace: # ??? (some tenant ns)
subjects:
- kind: ServiceAccount
  name: # ???
  namespace: # ??? (some tenant ns)
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kapp-restricted-role
```
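A way to verify that a Role or ClusterRole grants exactly the permissions listed on this page and nothing more, as an added example that is not kapp's own code: the rule dictionaries below mirror the two manifests above in the shape a YAML loader returns them, plus one constructed over-broad variant for contrast.

```python
from typing import Dict, Iterable, List, Set, Tuple

Perm = Tuple[str, str, str]  # (apiGroup, resource, verb); "" is the core API group

# Permissions this page documents for kapp.
REQUIRED_NAMESPACED: Set[Perm] = {
    ("", "configmaps", v) for v in ("list", "get", "create", "update", "delete")
}
REQUIRED_CLUSTER: Set[Perm] = {("", "namespaces", "list")}  # optional since v0.11.0

def rule_grants(rule: Dict[str, List[str]], group: str, resource: str, verb: str) -> bool:
    """True if one RBAC PolicyRule grants (group, resource, verb); "*" is a wildcard."""
    def matches(values: List[str], wanted: str) -> bool:
        return "*" in values or wanted in values
    return (matches(rule.get("apiGroups", []), group)
            and matches(rule.get("resources", []), resource)
            and matches(rule.get("verbs", []), verb))

def check_rules(rules: Iterable[Dict[str, List[str]]],
                required: Set[Perm]) -> Tuple[Set[Perm], List[Perm]]:
    """Return (missing, excess): required grants the rules lack, and every
    (group, resource, verb) triple the rules grant that is not required.
    Any wildcard counts as excess because it grants more than the documented set."""
    rules = list(rules)
    missing = {p for p in required if not any(rule_grants(r, *p) for r in rules)}
    excess: List[Perm] = []
    for r in rules:
        for g in r.get("apiGroups", []):
            for res in r.get("resources", []):
                for v in r.get("verbs", []):
                    if "*" in (g, res, v) or (g, res, v) not in required:
                        excess.append((g, res, v))
    return missing, excess

# Rules mirroring the Role and ClusterRole manifests on this page.
KAPP_ROLE_RULES = [{"apiGroups": [""], "resources": ["configmaps"],
                    "verbs": ["list", "get", "create", "update", "delete"]}]
KAPP_CLUSTER_ROLE_RULES = [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["list"]}]
# Constructed over-broad variant for contrast: wildcard verbs on more than kapp needs.
OVERBROAD_RULES = [{"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["*"]}]

if __name__ == "__main__":
    for name, rules, required in [("Role", KAPP_ROLE_RULES, REQUIRED_NAMESPACED),
                                  ("ClusterRole", KAPP_CLUSTER_ROLE_RULES, REQUIRED_CLUSTER),
                                  ("over-broad Role", OVERBROAD_RULES, REQUIRED_NAMESPACED)]:
        missing, excess = check_rules(rules, required)
        print(f"{name}: missing={sorted(missing)} excess={excess}")
```

Against a live cluster, the same questions can be put to the API server with `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<tenant-ns>:<sa-name>` once the bindings above are applied.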