
App to configure RBAC on the workload clusters


giantswarm/rbac-bootstrap-app


RBAC bootstrap

Giant Swarm offers the RBAC bootstrap app as a configuration package to bootstrap the initial role bindings for a workload cluster. Here we define the rbac chart with its templates and default configuration.

What is this app?

  • You can configure the list of users and groups that will have access to the cluster initially.

Why did we add it?

  • Some customers want to define a base set of bindings for every cluster so that their automation and admins get quick access to the workload cluster API.

Who can use it?

  • This app can be used in all clusters and release versions.

Installing

There are 3 ways to install this app onto a workload cluster.

  1. Using our web interface
  2. Using our API
  3. Directly creating the App custom resource on the management cluster.

Configuring

values.yaml

This is an example of a values file you could upload using our web interface.

# values.yaml
bindings:
  - role: edit
    users:
      - [email protected]
      - [email protected]
    groups:
      - devops
    namespaces:
      - ns1
      - ns2
  - role: admin
    users:
      - [email protected]
    groups:
      - adminteam

This configuration creates role bindings to the built-in edit cluster role for [email protected], [email protected] and the devops group in the ns1 and ns2 namespaces. At the same time it creates a cluster role binding for [email protected] and the adminteam group to the admin cluster role, since that entry lists no namespaces.
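To make the mapping above concrete, here is an added example (not the chart's own templates) that renders the RBAC objects a bindings list produces: one RoleBinding per listed namespace, or a ClusterRoleBinding when no namespaces are given, always referencing a built-in ClusterRole because the app creates none. The object names, the placeholder identities and the set of accepted built-in roles are assumptions of this example.

```python
import json

RBAC_API = "rbac.authorization.k8s.io"

# ClusterRoles built into Kubernetes; the app binds to these and creates none itself.
BUILTIN_CLUSTER_ROLES = {"view", "edit", "admin", "cluster-admin"}

# Constructed sample mirroring the README values.yaml (placeholder identities).
SAMPLE_BINDINGS = [
    {"role": "edit", "users": ["alice@example.com", "bob@example.com"],
     "groups": ["devops"], "namespaces": ["ns1", "ns2"]},
    {"role": "admin", "users": ["carol@example.com"], "groups": ["adminteam"]},
]


def subjects(binding):
    """Turn the users/groups lists into RBAC subject entries."""
    subs = [{"kind": "User", "name": u, "apiGroup": RBAC_API} for u in binding.get("users", [])]
    subs += [{"kind": "Group", "name": g, "apiGroup": RBAC_API} for g in binding.get("groups", [])]
    return subs


def render(bindings):
    """Render one RoleBinding per listed namespace, or a ClusterRoleBinding when
    no namespaces are given. Object names are an assumption of this example."""
    objects = []
    for b in bindings:
        role = b["role"]
        if role not in BUILTIN_CLUSTER_ROLES:
            raise ValueError(f"{role!r} is not a built-in ClusterRole")
        subs = subjects(b)
        if not subs:
            raise ValueError(f"binding to {role!r} has no users or groups")
        role_ref = {"apiGroup": RBAC_API, "kind": "ClusterRole", "name": role}
        for ns in b.get("namespaces") or [None]:
            meta = {"name": f"rbac-bootstrap-{role}"}
            if ns:
                meta["namespace"] = ns
            objects.append({"apiVersion": f"{RBAC_API}/v1",
                            "kind": "RoleBinding" if ns else "ClusterRoleBinding",
                            "metadata": meta, "subjects": subs, "roleRef": role_ref})
    return objects


def cluster_scoped_subjects(objects):
    """List who gets cluster-wide access: worth reviewing before rolling out."""
    return [s["name"] for o in objects if o["kind"] == "ClusterRoleBinding"
            for s in o["subjects"]]


if __name__ == "__main__":
    print(json.dumps(render(SAMPLE_BINDINGS), indent=2))
```

Running it prints the three manifests the README paragraph describes; cluster_scoped_subjects is the quick check for which identities an entry without namespaces grants cluster-wide.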

Sample App CR and ConfigMap for the management cluster

If you have access to the Kubernetes API on the management cluster, you could create the App CR and ConfigMap directly.

Here is an example that would install the app to workload cluster abc12:

# appCR.yaml
apiVersion: application.giantswarm.io/v1alpha1
kind: App
metadata:
  name: rbac-bootstrap
  namespace: abc12
spec:
  catalog: giantswarm
  kubeConfig:
    context:
      name: abc12
    inCluster: false
    secret:
      name: abc12-kubeconfig
      namespace: abc12
  name: rbac-bootstrap
  namespace: rbac-bootstrap
  userConfig:
    configMap:
      name: rbac-bootstrap-user-values
      namespace: abc12
  version: 0.1.1

# user-values-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: rbac-bootstrap-user-values
  namespace: abc12
data:
  values: |
    bindings:
      - role: edit
        users:
          - [email protected]
          - [email protected]
        groups:
          - devops
        namespaces:
          - ns1
          - ns2
      - role: admin
        users:
          - [email protected]
        groups:
          - adminteam

See our full reference page on how to configure applications for more details.

Compatibility

This app has been tested to work in all the clusters and providers.

Limitations

This app does not create any role or cluster role; it only binds the built-in cluster roles to a list of users and groups.