Permissions
Running kapp under restricted permissions
In a multi-tenant Kubernetes cluster, a user's actions may be limited to one or more namespaces via Role and RoleBinding configuration.
The following setup is currently expected by kapp (v0.10.0+):
- [required] kapp requires list/get/create/update/delete for v1/ConfigMap in the state namespace so that it can store a record of the application and its deployment history.
- [optional] kapp requires one ClusterRole rule: listing of namespaces. This is necessary for kapp to find all namespaces so that it can search each namespace for resources that belong to a particular app (via a label). As of v0.11.0+, kapp will fall back to only the state namespace if it is forbidden to list all namespaces.
- Otherwise, kapp does not require permissions for resource types that are not used in the deployed configuration. In other words, if you are not deploying a Job resource then kapp does not need any permissions for Job. Note that some resources are "cluster" created (e.g. Pods are created by the k8s Deployment controller when a Deployment resource is created), hence restricted users may not see all app-associated resources in the kapp inspect command (this could be advantageous or disadvantageous in different setups).
Please reach out to us in the #carvel channel in k8s slack (linked at the bottom of the page) if the current kapp permissions model isn't compatible with your use cases. We are eager to learn about your setup and potentially improve kapp.
Example of the Namespace listing permission needed by kapp:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kapp-restricted-cr
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kapp-restricted-cr-binding
subjects:
- kind: ServiceAccount
  name: # ???
  namespace: # ??? (some tenant ns)
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kapp-restricted-cr
Example of the ConfigMap permissions needed by kapp:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kapp-restricted-role
  namespace: # ??? (some tenant ns)
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["list", "get", "create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kapp-restricted-role-binding
  namespace: # ??? (some tenant ns)
subjects:
- kind: ServiceAccount
  name: # ???
  namespace: # ??? (some tenant ns)
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kapp-restricted-role
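As an added check (example code, not part of kapp or its docs), the script below resolves the two manifests above, embedded as Python dicts with the constructed values "kapp-sa" and "tenant-a" standing in for the "# ???" placeholders, and reports whether that ServiceAccount holds the required ConfigMap verbs in the state namespace and the optional namespace-list permission. It also shows the common misconfiguration where the RoleBinding lives in a namespace other than the state namespace, in which case it grants kapp nothing there.

```python
# Added example, not part of kapp: resolve the two RBAC manifests above offline and
# report whether the ServiceAccount has what kapp needs. "kapp-sa"/"tenant-a" are
# constructed stand-ins for the "# ???" placeholders in the manifests.
REQUIRED_CONFIGMAP_VERBS = {"list", "get", "create", "update", "delete"}
SA_NAME, SA_NS = "kapp-sa", "tenant-a"
MANIFESTS = [  # the page's ClusterRole/Role examples as dicts (constructed input)
    {"kind": "ClusterRole", "metadata": {"name": "kapp-restricted-cr"},
     "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "kapp-restricted-cr-binding"},
     "subjects": [{"kind": "ServiceAccount", "name": SA_NAME, "namespace": SA_NS}],
     "roleRef": {"kind": "ClusterRole", "name": "kapp-restricted-cr"}},
    {"kind": "Role", "metadata": {"name": "kapp-restricted-role", "namespace": SA_NS},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "verbs": ["list", "get", "create", "update", "delete"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "kapp-restricted-role-binding", "namespace": SA_NS},
     "subjects": [{"kind": "ServiceAccount", "name": SA_NAME, "namespace": SA_NS}],
     "roleRef": {"kind": "Role", "name": "kapp-restricted-role"}},
]

def _rule_verbs(rule, api_group, resource):
    """Verbs one rule grants on (api_group, resource); '*' wildcards are honoured."""
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    if (api_group in groups or "*" in groups) and (resource in resources or "*" in resources):
        return set(rule.get("verbs", []))
    return set()

def granted_verbs(manifests, sa_name, sa_ns, api_group, resource, target_ns=None):
    """Verbs the ServiceAccount holds on a resource in target_ns (None = cluster-scoped)."""
    roles = {(m["kind"], m["metadata"].get("namespace"), m["metadata"]["name"]): m
             for m in manifests if m["kind"] in ("Role", "ClusterRole")}
    verbs = set()
    for b in (m for m in manifests if m["kind"] in ("RoleBinding", "ClusterRoleBinding")):
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == sa_ns for s in b.get("subjects", [])):
            continue
        b_ns = b["metadata"].get("namespace")
        if b["kind"] == "RoleBinding" and b_ns != target_ns:
            continue  # a RoleBinding only grants inside its own namespace
        ref = b["roleRef"]  # Role: looked up in the binding's namespace; ClusterRole: cluster-wide
        role = roles.get((ref["kind"], b_ns if ref["kind"] == "Role" else None, ref["name"]))
        for rule in (role or {}).get("rules", []):  # dangling roleRef grants nothing
            verbs |= _rule_verbs(rule, api_group, resource)
    return verbs

def check_kapp_rbac(manifests, sa_name, sa_ns, state_ns):
    """Missing required ConfigMap verbs in state_ns, plus the optional namespace-list grant."""
    cm = granted_verbs(manifests, sa_name, sa_ns, "", "configmaps", state_ns)
    ns = granted_verbs(manifests, sa_name, sa_ns, "", "namespaces")
    missing = set() if "*" in cm else REQUIRED_CONFIGMAP_VERBS - cm
    return {"missing_configmap_verbs": missing, "can_list_namespaces": bool(ns & {"list", "*"})}
```

Call check_kapp_rbac(MANIFESTS, SA_NAME, SA_NS, SA_NS) for the state namespace you pass to kapp; a non-empty missing set means deployments will fail at the ConfigMap record step, while can_list_namespaces being False only triggers the v0.11.0+ fallback.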