RBAC template
Anaconda Enterprise dynamically provisions deployments, pods, services, secrets, and ingresses as part of its normal operation. As a result, it is important that the service account utilized by the application be given the necessary permissions to accomplish these operations.
For all operations except the ingress controller (more on this below), it is sufficient to grant namespace-specific permissions. The following Role and RoleBinding pair can be used to grant permissions known to be sufficient to cover both installation and regular operation. Replace <SERVICEACCOUNT> and <NAMESPACE> with their appropriate values:
If you wish to use the Anaconda-supplied ingress, it is also necessary to grant a small number of additional, cluster-wide permissions. That is because, as is typical with ingress controllers, this controller expects to be able to monitor ingress-related resources across all namespaces. The following is a minimal ClusterRole and ClusterRoleBinding pair that has been demonstrated to grant the ingress controller sufficient permissions to run without warnings:
Please review these RBAC settings with your Kubernetes administrators. It is possible they can be further reduced, but no assumption should be made to that effect. Significant reductions in the scope of these permissions are likely to prevent correct operation of Anaconda Enterprise.
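One way to check a bound service account against the scopes described above, as an added example that is not part of the Anaconda documentation: it uses kubectl auth can-i with impersonation to report namespace permissions that are missing and cluster-wide write access that a namespace-scoped grant should not produce. The resource kinds are the ones this page names; the verb list and the set of cluster-wide verbs treated as excess are assumptions to adjust against your own template.

```bash
#!/usr/bin/env bash
# Added example, not Anaconda's own tooling.
# Resource kinds come from the page; the verb list is an assumption.
RESOURCES="deployments.apps pods services secrets ingresses.networking.k8s.io"
VERBS="get list watch create update patch delete"

# can_i <subject> <verb> <resource> <scope-flag...>
# True when the API server would allow the impersonated subject to do it.
can_i() {
  who="$1"; shift
  kubectl auth can-i "$@" --as="$who" >/dev/null 2>&1
}

# check_rbac <serviceaccount> <namespace>
# Prints MISSING lines for namespace permissions that are not granted and
# EXCESS lines for cluster-wide write access. Returns 0 when nothing is
# reported, 1 otherwise.
check_rbac() {
  sa="$1"; ns="$2"; status=0
  subject="system:serviceaccount:${ns}:${sa}"
  for res in $RESOURCES; do
    for verb in $VERBS; do
      if ! can_i "$subject" "$verb" "$res" -n "$ns"; then
        echo "MISSING ${verb} ${res} in ${ns}"; status=1
      fi
    done
  done
  # Assumption: the ingress grant is for monitoring only, so cluster-wide
  # create/delete on workloads or secrets indicates an over-broad binding.
  for res in pods secrets deployments.apps; do
    for verb in create delete; do
      if can_i "$subject" "$verb" "$res" --all-namespaces; then
        echo "EXCESS ${verb} ${res} cluster-wide"; status=1
      fi
    done
  done
  return "$status"
}

# Run directly as: ./check_rbac.sh <SERVICEACCOUNT> <NAMESPACE>
if [ "$#" -eq 2 ]; then
  check_rbac "$1" "$2"
fi
```

Impersonation with --as requires that the user running the check holds the impersonate permission, which cluster administrators normally do.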