Vaccano

Reputation: 82341

Kubernetes permissions for Helm 3 install to specific namespace

I am trying to set up a user that will have permissions to install using Helm 3 into a specific namespace. (For my CI/CD system.)

For example, if the user tries to run a helm upgrade --install with --namespace=dev then it works just fine. But if they try --namespace=test it will fail.

But I am finding myself overwhelmed by the options. When creating a role you have to pick apiGroups, resources and verbs. I see a resource called deployments, but I have read that secret access is also needed. I have done some googling, but most hits are about configuring Helm 2 (with tiller).

What are the minimum Kubernetes permissions needed to install using Helm 3?

Upvotes: 3

Views: 2262

Answers (1)

Malgorzata

Reputation: 7023

In Kubernetes, best practice is to ensure that your application is operating in the scope that you have specified; that is why you have to grant a role to a user or an application-specific service account. Read more about service account permissions in the official Kubernetes docs.

To restrict a user's access to a particular namespace, you can use either the edit or the admin role. If your charts create or interact with Roles and RoleBindings, you'll want to use the admin ClusterRole.

Additionally, you may also create a RoleBinding with cluster-admin access. Granting a user cluster-admin access at the namespace scope provides full control over every resource in the namespace, including the namespace itself.

For this example, we will create a user with the edit Role. First, create the namespace:

$ kubectl create namespace your-namespace

Now, create a RoleBinding in that namespace, granting the user the edit role.

$ kubectl create rolebinding steve-edit \
    --clusterrole edit \
    --user steve \
    --namespace your-namespace

This command will create the rolebinding steve-edit. This rolebinding grants the permissions defined in the clusterrole edit to the user steve for the namespace your-namespace.

Edit is a default clusterrole which allows read/write access to most objects in a namespace. It does not allow viewing or modifying roles or rolebindings.

Take a look: rbac-namespace-helm.

Read about clusterroles: rbac-clusteroles, kubernetes-authorization.

You can also grant a specific user read/write access at the cluster scope, so they will be able to install helm in any namespace. You have to grant the user either admin or cluster-admin access.

Read more here: cluster-scope-rbac-helm.

Upvotes: 4
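The namespace-scoped grant described in the answer, written as a manifest for a CI service account rather than a human user. This is an added example, not part of the original answer; the names helm-ci and dev are assumptions.

```yaml
# Constructed example: a dedicated service account for the CI/CD pipeline.
# Using a ServiceAccount instead of a personal user keeps the CI credential
# separate from any human identity and makes the grant easy to audit.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: helm-ci          # assumed name
  namespace: dev         # assumed namespace
---
# Bind the built-in "edit" ClusterRole to that service account, scoped to "dev".
# A RoleBinding (not a ClusterRoleBinding) applies only in its own namespace,
# so "helm upgrade --install --namespace=test" is denied for this identity.
# "edit" covers Deployments, Services, ConfigMaps and Secrets; Helm 3 keeps
# its release records as Secrets in the release namespace, which is why the
# secret access mentioned in the question is needed and why "edit" suffices.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: helm-ci-edit     # assumed name
  namespace: dev
subjects:
  - kind: ServiceAccount
    name: helm-ci
    namespace: dev
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifest, `kubectl auth can-i create secrets --namespace dev --as system:serviceaccount:dev:helm-ci` should answer yes, and the same command with `--namespace test` should answer no.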
