Merge pull request #1275 from jcmoraisjr/jm-haproxy-rbac

HAProxy Ingress RBAC sample
kubernetes · Aug 31, 2017 · ae44d8e · ae44d8e
2 parents 58c94d4 + b1980c8
commit ae44d8e
Show file tree

Hide file tree

Showing 2 changed files with 213 additions and 0 deletions.
diff --git a/examples/rbac/haproxy/README.md b/examples/rbac/haproxy/README.md
@@ -0,0 +1,80 @@
+# Role Based Access Control
+
+This example demonstrates how to authorize an ingress controller on a cluster
+with role based access control.
+
+## Overview
+
+This example applies to ingress controllers being deployed in an environment with
+[RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) enabled.
+
+## Service Account created in this example
+
+One ServiceAccount is created in this example, `ingress-controller`. See
+[Using cert based authentication](#using-cert-based-authentication)
+below if using client cert authentication.
+
+## Permissions Granted in this example
+
+There are two sets of permissions defined in this example.  Cluster-wide
+permissions defined by a `ClusterRole` and namespace specific permissions
+defined by a `Role`, both named `ingress-controller`.
+
+### Cluster Permissions
+
+These permissions are granted in order for the ingress-controller to be
+able to function as an ingress across the cluster. These permissions are
+granted to the ClusterRole:
+
+* `configmaps`, `endpoints`, `nodes`, `pods`, `secrets`: list, watch
+* `nodes`: get
+* `services`, `ingresses`: get, list, watch
+* `events`: create, patch
+* `ingresses/status`: update
+
+### Namespace Permissions
+
+These permissions are granted specific to the `ingress-controller` namespace.
+The Role permissions are:
+
+* `configmaps`, `pods`, `secrets`: get
+* `endpoints`: create, get, update
+
+Furthermore to support leader-election, the ingress controller needs to
+have access to a `configmap` in the `ingress-controller` namespace:
+
+* `configmaps`: get, update, create
+
+## Namespace created in this example
+
+The `Namespace` named `ingress-controller` is defined in this example. The
+namespace name can be changed arbitrarily as long as all of the references
+change as well.
+
+## Usage
+
+1. Create the `Namespace`, `Service Account`, `ClusterRole`, `Role`,
+`ClusterRoleBinding`, and `RoleBinding`:
+
+```console
+$ kubectl create -f ingress-controller-rbac.yml
+```
+
+2. Deploy the ingress controller. The deployment should be configured to use
+the `ingress-controller` service account name if not using kubeconfig and
+client cert based authentication. Add the `serviceAccountName` to the pod
+template spec:
+
+```yaml
+spec:
+  template:
+    spec:
+      serviceAccountName: ingress-controller
+```
+
+## Using cert based authentication
+
+A client certificate based authentication can also be used with the following changes:
+
+1. No need to add the `serviceAccountName` to the pod template spec.
+2. Sign a client certificate using `ingress-controller` as it's common name.
diff --git a/examples/rbac/haproxy/ingress-controller-rbac.yml b/examples/rbac/haproxy/ingress-controller-rbac.yml
@@ -0,0 +1,133 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-controller
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ingress-controller
+  namespace: ingress-controller
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: ingress-controller
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - endpoints
+      - nodes
+      - pods
+      - secrets
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "extensions"
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - "extensions"
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: ingress-controller
+  namespace: ingress-controller
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - pods
+      - secrets
+      - namespaces
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - get
+      - create
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: ingress-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-controller
+subjects:
+  - kind: ServiceAccount
+    name: ingress-controller
+    namespace: ingress-controller
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: ingress-controller
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: ingress-controller
+  namespace: ingress-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-controller
+subjects:
+  - kind: ServiceAccount
+    name: ingress-controller
+    namespace: ingress-controller
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: ingress-controller