    Kubernetes RBAC

    You can configure the Kubernetes Role-Based Access Control (RBAC) resources that are created during the installation.

    Armory supports both namespaced Role and RoleBinding resources, as well as cluster-wide ClusterRole and ClusterRoleBinding resources.

    Note that these are not mutually exclusive, and you can enable both namespaced and cluster-wide RBAC resources at the same time.

    Namespaced RBAC

    By default, the platform will be configured to use namespaced RBAC resources to limit the scope of the permissions for the different components. Role and RoleBinding resources are created in the resource namespace and in the system namespace.

    values.yaml
    # Create namespaced RBAC resources for the operator
    operator:
      serviceAccount:
        rbac:
          create: true
    # Create namespaced RBAC resources for the api
    api:
      serviceAccount:
        rbac:
          create: true

    Cluster-wide RBAC

    By default, no ClusterRole and ClusterRoleBinding resources are created in the Kubernetes cluster for the different components. Cluster-wide RBAC resources are disabled by default to reduce the access scope of the different components.

    To enable cluster-wide RBAC resources, set the <component>.serviceAccount.clusterRbac.create field to true.

    values.yaml
    # Create cluster-wide RBAC resources for the operator
    operator:
      serviceAccount:
        clusterRbac:
          create: true
    # Create cluster-wide RBAC resources for the api
    api:
      serviceAccount:
        clusterRbac:
          create: true
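
    A pre-deploy review gate for the two settings above, as an added example (not part of the product or its chart): it resolves the effective RBAC scope per component from an override file and lists anything that widens access to cluster scope. It assumes the values are already parsed into a dict and that the defaults are as this page states them; the function names and the allow list are hypothetical.

```python
# Added example: pre-deploy gate over Helm values (already parsed into a dict).
# Key paths come from the page; the defaults encode the page's statements that
# namespaced RBAC is on by default and cluster-wide RBAC is off by default.
COMPONENTS = ("operator", "api")
DEFAULTS = {"rbac": True, "clusterRbac": False}


def effective_rbac(values):
    """Return {component: {"rbac": bool, "clusterRbac": bool}} after defaults."""
    result = {}
    for component in COMPONENTS:
        sa = (values.get(component) or {}).get("serviceAccount") or {}
        result[component] = {
            key: bool((sa.get(key) or {}).get("create", default))
            for key, default in DEFAULTS.items()
        }
    return result


def review(values, allow_cluster_wide=()):
    """List findings that a reviewer should sign off before install."""
    findings = []
    for component, scope in effective_rbac(values).items():
        if scope["clusterRbac"] and component not in allow_cluster_wide:
            findings.append(
                f"{component}: clusterRbac.create=true creates ClusterRole/"
                "ClusterRoleBinding (cluster-wide scope), not on the allow list"
            )
        if not scope["rbac"] and not scope["clusterRbac"]:
            findings.append(
                f"{component}: no RBAC resources would be created by the chart"
            )
    return findings


# Constructed sample override file, as a parsed dict.
SAMPLE_VALUES = {
    "operator": {"serviceAccount": {"clusterRbac": {"create": True}}},
    "api": {"serviceAccount": {"rbac": {"create": False}}},
}

if __name__ == "__main__":
    for line in review(SAMPLE_VALUES):
        print("REVIEW:", line)
```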