Merge pull request #1275 from jcmoraisjr/jm-haproxy-rbac
HAProxy Ingress RBAC sample
Showing 2 changed files with 213 additions and 0 deletions.
@@ -0,0 +1,80 @@ | ||
# Role Based Access Control | ||
|
||
This example demonstrates how to authorize an ingress controller on a cluster | ||
with role based access control. | ||
|
||
## Overview | ||
|
||
This example applies to ingress controllers being deployed in an environment with | ||
[RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) enabled. | ||
|
||
## Service Account created in this example | ||
|
||
One ServiceAccount is created in this example, `ingress-controller`. See | ||
[Using cert based authentication](#using-cert-based-authentication) | ||
below if using client cert authentication. | ||
|
||
## Permissions Granted in this example | ||
|
||
There are two sets of permissions defined in this example. Cluster-wide | ||
permissions defined by a `ClusterRole` and namespace specific permissions | ||
defined by a `Role`, both named `ingress-controller`. | ||
|
||
### Cluster Permissions | ||
|
||
These permissions are granted in order for the ingress-controller to be | ||
able to function as an ingress across the cluster. These permissions are | ||
granted to the ClusterRole: | ||
|
||
* `configmaps`, `endpoints`, `nodes`, `pods`, `secrets`: list, watch | ||
* `nodes`: get | ||
* `services`, `ingresses`: get, list, watch | ||
* `events`: create, patch | ||
* `ingresses/status`: update | ||
|
||
### Namespace Permissions | ||
|
||
These permissions are granted specific to the `ingress-controller` namespace. | ||
The Role permissions are: | ||
|
||
* `configmaps`, `pods`, `secrets`: get | ||
* `endpoints`: create, get, update | ||
|
||
Furthermore to support leader-election, the ingress controller needs to | ||
have access to a `configmap` in the `ingress-controller` namespace: | ||
|
||
* `configmaps`: get, update, create | ||
|
||
## Namespace created in this example | ||
|
||
The `Namespace` named `ingress-controller` is defined in this example. The | ||
namespace name can be changed arbitrarily as long as all of the references | ||
change as well. | ||
|
||
## Usage | ||
|
||
1. Create the `Namespace`, `Service Account`, `ClusterRole`, `Role`, | ||
`ClusterRoleBinding`, and `RoleBinding`: | ||
|
||
```console | ||
$ kubectl create -f ingress-controller-rbac.yml | ||
``` | ||
|
||
2. Deploy the ingress controller. The deployment should be configured to use | ||
the `ingress-controller` service account name if not using kubeconfig and | ||
client cert based authentication. Add the `serviceAccountName` to the pod | ||
template spec: | ||
|
||
```yaml | ||
spec: | ||
template: | ||
spec: | ||
serviceAccountName: ingress-controller | ||
``` | ||
## Using cert based authentication | ||
A client certificate based authentication can also be used with the following changes: | ||
1. No need to add the `serviceAccountName` to the pod template spec. | ||
2. Sign a client certificate using `ingress-controller` as it's common name. |
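Review bot: The "Namespace Permissions" bullet list (`configmaps`, `pods`, `secrets`: get) does not match the Role defined in the accompanying YAML, which also grants `get` on `namespaces`; either add `namespaces` to the bullet or drop it from the Role so the README stays an accurate statement of what the binding allows. The "Cluster Permissions" section should also say plainly that `list` and `watch` on `secrets` in the ClusterRole let the `ingress-controller` service account read every Secret in every namespace, since that is the main thing an operator reviewing this sample needs to weigh before applying it. Minor: step 2 under "Using cert based authentication" should read "its common name", not "it's".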
@@ -0,0 +1,133 @@ | ||
--- | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: ingress-controller | ||
--- | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: ingress-controller | ||
namespace: ingress-controller | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
kind: ClusterRole | ||
metadata: | ||
name: ingress-controller | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- configmaps | ||
- endpoints | ||
- nodes | ||
- pods | ||
- secrets | ||
verbs: | ||
- list | ||
- watch | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- nodes | ||
verbs: | ||
- get | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- services | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- "extensions" | ||
resources: | ||
- ingresses | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- events | ||
verbs: | ||
- create | ||
- patch | ||
- apiGroups: | ||
- "extensions" | ||
resources: | ||
- ingresses/status | ||
verbs: | ||
- update | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
kind: Role | ||
metadata: | ||
name: ingress-controller | ||
namespace: ingress-controller | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- configmaps | ||
- pods | ||
- secrets | ||
- namespaces | ||
verbs: | ||
- get | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- configmaps | ||
verbs: | ||
- get | ||
- update | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- configmaps | ||
verbs: | ||
- create | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- endpoints | ||
verbs: | ||
- get | ||
- create | ||
- update | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: ingress-controller | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: ingress-controller | ||
subjects: | ||
- kind: ServiceAccount | ||
name: ingress-controller | ||
namespace: ingress-controller | ||
- apiGroup: rbac.authorization.k8s.io | ||
kind: User | ||
name: ingress-controller | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
kind: RoleBinding | ||
metadata: | ||
name: ingress-controller | ||
namespace: ingress-controller | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: ingress-controller | ||
subjects: | ||
- kind: ServiceAccount | ||
name: ingress-controller | ||
namespace: ingress-controller | ||
- apiGroup: rbac.authorization.k8s.io | ||
kind: User | ||
name: ingress-controller |
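Review bot: The Role spreads `configmaps` across three separate rules (get; get, update; create), which makes the leader-election grant the README describes harder to audit than it needs to be; collapse them into a single rule with `verbs: [get, update, create]`, and the leftover `get` in the first rule becomes redundant. The Role also grants `get` on `namespaces`, which the README does not mention, so either document it or remove it. All objects use `rbac.authorization.k8s.io/v1beta1`; if the sample targets Kubernetes 1.8 or later, prefer `rbac.authorization.k8s.io/v1`, which is the GA API group version. Note for readers that the `User` subject named `ingress-controller` in both bindings is what the README's client-certificate option relies on; it is intentional here, but in a cluster that does not issue such a certificate it is an unused binding that could be dropped.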