flux2
Add more scopes to the default k8s ClusterRoles
If the kubernetes user has viewer access broadly to the cluster, should they also have access to Flux resources?
An example was provided in the discussions from cert-manager who has solved a similar issue.
Discussed in https://github.com/fluxcd/flux2/discussions/2358
Originally posted by ilya-git, January 31, 2022

By default k8s has some ClusterRoles, like e.g. "view", that allow read access to all resources. Right now they do not allow any access to the flux resources, as these have to be explicitly added. I am wondering if it's a good idea to add these aggregated roles?
This is how cert-manager does it e.g. (https://app-nl.logz.io/#/dashboard/kibana/doc/logzioCustomerIndex*/logzioCustomerIndex220131_v1.account-395769/doc/?_g=()&id=iI5yr34B-Tg5N-7JdnWO):
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "cert-manager.fullname" . }}-view
  labels:
    app: {{ template "cert-manager.name" . }}
    chart: {{ template "cert-manager.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    # aggregation labels: the rules below get merged into the built-in view/edit/admin roles
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates", "issuers"]
    verbs: ["get", "list", "watch"]
```
This is how I did it now for myself:
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flux-view
  labels:
    # only aggregated into the built-in "view" role, not edit/admin
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups:
      - notification.toolkit.fluxcd.io
      - source.toolkit.fluxcd.io
      - helm.toolkit.fluxcd.io
      - image.toolkit.fluxcd.io
      - kustomize.toolkit.fluxcd.io
    resources: ["*"]
    verbs: ["get", "list", "watch"]
```
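The aggregation mechanism both snippets rely on is easy to get wrong (a missing label, or a label that pulls read-only rules into `edit`/`admin` without anyone noticing). The following Python script is an added example, not code from the issue, from cert-manager, or from the Flux project: it simulates what the Kubernetes aggregation controller does for a ClusterRole with an `aggregationRule`, using the `flux-view` role from the post and constructed `view`/`edit` targets, and then answers "can a holder of the aggregated role do verb X on resource Y?". Only `matchLabels` selectors are modelled (an assumption; real selectors also support `matchExpressions`), and the roles are expressed as Python dicts rather than parsed from YAML.

```python
"""Simulate Kubernetes ClusterRole aggregation and check the resulting access.

Constructed sample data below; the flux-view role mirrors the one in the post.
"""
from typing import Dict, List

# Constructed: trimmed-down built-in aggregated roles (the real ones carry
# many more selectors and base rules; only the aggregation part matters here).
VIEW_ROLE: Dict = {
    "metadata": {"name": "view"},
    "aggregationRule": {"clusterRoleSelectors": [
        {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
    ]},
    "rules": [],  # the controller overwrites this field with the aggregate
}
EDIT_ROLE: Dict = {
    "metadata": {"name": "edit"},
    "aggregationRule": {"clusterRoleSelectors": [
        {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
    ]},
    "rules": [],
}

# The flux-view ClusterRole from the post, as a dict.
FLUX_VIEW_ROLE: Dict = {
    "metadata": {
        "name": "flux-view",
        "labels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"},
    },
    "rules": [{
        "apiGroups": [
            "notification.toolkit.fluxcd.io", "source.toolkit.fluxcd.io",
            "helm.toolkit.fluxcd.io", "image.toolkit.fluxcd.io",
            "kustomize.toolkit.fluxcd.io",
        ],
        "resources": ["*"],
        "verbs": ["get", "list", "watch"],
    }],
}

# Constructed: a privileged role with no aggregation label; it must never
# leak into view/edit just by existing in the cluster.
UNLABELLED_ROLE: Dict = {
    "metadata": {"name": "deploy-admin", "labels": {}},
    "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}],
}


def selector_matches(selector: Dict, labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every key/value in the selector must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def aggregate(target: Dict, candidates: List[Dict]) -> List[Dict]:
    """Return the rules the aggregation controller would write into `target`."""
    selectors = target.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    rules: List[Dict] = []
    for role in candidates:
        if role is target:
            continue
        labels = role["metadata"].get("labels", {})
        # a role contributes once if any selector of the target matches it
        if any(selector_matches(sel, labels) for sel in selectors):
            rules.extend(role["rules"])
    return rules


def contributors(target: Dict, candidates: List[Dict]) -> List[str]:
    """Names of the ClusterRoles feeding into `target` (useful for an audit)."""
    selectors = target.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    return [
        r["metadata"]["name"] for r in candidates
        if r is not target
        and any(selector_matches(s, r["metadata"].get("labels", {})) for s in selectors)
    ]


def can_i(rules: List[Dict], verb: str, api_group: str, resource: str) -> bool:
    """Rough `kubectl auth can-i` over a rule list: any rule may grant access."""
    for rule in rules:
        if api_group not in rule["apiGroups"] and "*" not in rule["apiGroups"]:
            continue
        if resource not in rule["resources"] and "*" not in rule["resources"]:
            continue
        if verb in rule["verbs"] or "*" in rule["verbs"]:
            return True
    return False


if __name__ == "__main__":
    cluster = [VIEW_ROLE, EDIT_ROLE, FLUX_VIEW_ROLE, UNLABELLED_ROLE]
    view_rules = aggregate(VIEW_ROLE, cluster)
    print("view aggregates:", contributors(VIEW_ROLE, cluster))
    print("view can get kustomizations:",
          can_i(view_rules, "get", "kustomize.toolkit.fluxcd.io", "kustomizations"))
    print("view can delete kustomizations:",
          can_i(view_rules, "delete", "kustomize.toolkit.fluxcd.io", "kustomizations"))
    print("edit aggregates:", contributors(EDIT_ROLE, cluster))
```

On a live cluster the equivalent check is `kubectl auth can-i get kustomizations.kustomize.toolkit.fluxcd.io --as=<user>` after applying the role; the simulation is handy for reviewing a proposed role in CI before it reaches the cluster, and `contributors` makes it obvious when an unlabelled or wrongly labelled role is (or is not) feeding the built-in roles.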