Kubernetes Tenant RBAC

Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise.

The following three key elements are involved in Kubernetes RBAC:

  • Subjects: The set of users and processes (including service accounts) that want to access the Kubernetes API.
  • Resources: The set of Kubernetes API objects available in the cluster. Examples include Pods, Deployments, Services, Nodes, and PersistentVolumes, among others. Subresources such as pods/exec and pods/log are named separately in a rule and must be granted separately.
  • Verbs: The set of operations that can be executed on the resources above. Different verbs are available (examples: get, list, watch, create, update, patch, delete), and most of them map to Create, Read, Update or Delete (CRUD) operations; a few, such as bind and escalate on RBAC objects, instead control who may hand out permissions.

With these three elements in mind, the key idea of RBAC is to connect subjects, API resources, and operations. In other words, we want to specify which operations a given subject may execute over a set of resources. Kubernetes RBAC is purely additive: there are no deny rules, so a request is allowed as soon as any rule bound to the subject matches its API group, resource, and verb. A rule whose verbs are '*' therefore matches every verb, including bind and escalate where those apply.

Creating a new Kubernetes tenant via the web interface creates a corresponding set of roles and role bindings within the namespace of that new tenant. Each role is assigned a set of resources and allowed CRUD operations. Creating a Kubernetes tenant creates three roles, admin, member, and sa (service account), whose default rules are listed below.

Kubernetes roles and assigned resources/operations are stored in the file /opt/bluedata/common-install/bd_mgmt/bd_mgmt_default_tenant_k8s.cfg on the host. Platform Administrator users may add, edit, or delete roles by editing this file, which will change the allowed defaults for all Kubernetes tenants created after the changes have been made.

NOTE
Adding, editing, and/or deleting roles/privileges by making changes to bd_mgmt_default_tenant_k8s.cfg does not affect Kubernetes tenants that were created prior to making the changes.

If you need to edit the RBAC rules for a running Kubernetes tenant:

  1. Access the Kubernetes tenant as either the Platform Administrator or the Kubernetes Cluster Administrator for the cluster that contains the affected tenant.
  2. Execute this command on any Kubernetes master node:

    kubectl edit hpecptenants.hpecp.hpe.com -n hpecp

  3. Make and then save your desired changes.

After saving, confirm the effective permissions of an affected subject rather than trusting the edit, for example with kubectl auth can-i --list -n <tenant-namespace> --as=<user>, which prints every verb/resource pair the API server will actually allow for that user in that namespace.
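The following Python is an added example and is not part of this page or of the HPE Ezmeral product. It evaluates a rule list offline using Kubernetes RBAC matching semantics (a request is allowed if any rule matches its API group, resource and verb, with '*' as a wildcard) and flags entries a reviewer should look at, so you can see what an edit to bd_mgmt_default_tenant_k8s.cfg or to the hpecptenants object would actually grant before applying it, in the spirit of the subjects/resources/verbs model described above. The ADMIN_RULES and MEMBER_RULES literals are transcribed subsets of the default admin and member roles shown below; the function names and the audit checks are this example's own and are not anything the platform ships.

```python
"""Offline evaluator and audit for tenant RBAC rule lists.

Added example; not HPE code. Matching follows Kubernetes RBAC: '*'
matches any apiGroup, resource or verb, '*/sub' matches the named
subresource of any resource, everything else is an exact string match.
"""

CORE = ""  # the core API group is written as the empty string in RBAC rules
RBAC = "rbac.authorization.k8s.io"

# Constructed: subset of the page's default admin role.
ADMIN_RULES = [
    {"apiGroups": [CORE],
     "resources": ["pods", "secrets", "serviceaccounts", "pods/exec", "pods/log"],
     "verbs": ["*"]},
    {"apiGroups": [RBAC], "resources": ["roles", "rolebindings"], "verbs": ["*"]},
]

# Constructed: subset of the page's default member role.
MEMBER_RULES = [
    {"apiGroups": [CORE],
     "resources": ["pods", "configmaps", "pods/log", "pods/portforward"],
     "verbs": ["*"]},
    {"apiGroups": [CORE], "resources": ["pods/exec"], "verbs": ["get"]},
    {"apiGroups": [CORE], "resources": ["secrets"],
     "verbs": ["get", "create", "update", "patch"]},
]


def _resource_matches(pattern: str, resource: str) -> bool:
    if pattern == "*" or pattern == resource:
        return True
    # '*/scale' style patterns match that subresource on any resource.
    if pattern.startswith("*/") and "/" in resource:
        return resource.split("/", 1)[1] == pattern[2:]
    return False


def rule_matches(rule: dict, verb: str, resource: str, group: str) -> bool:
    """One PolicyRule allows the request only if all three parts match."""
    return (
        any(g in ("*", group) for g in rule["apiGroups"])
        and any(_resource_matches(r, resource) for r in rule["resources"])
        and any(v in ("*", verb) for v in rule["verbs"])
    )


def allowed(rules: list, verb: str, resource: str, group: str = CORE) -> bool:
    """RBAC is purely additive: any matching rule grants the request."""
    return any(rule_matches(r, verb, resource, group) for r in rules)


def audit(rules: list) -> list:
    """Return human-readable findings for rule entries a reviewer should check."""
    findings = []
    for i, rule in enumerate(rules):
        groups, res, verbs = rule["apiGroups"], rule["resources"], rule["verbs"]
        wild = "*" in verbs
        # '*' on Roles/RoleBindings includes bind and escalate, i.e. self-granting.
        if (any(g in ("*", RBAC) for g in groups)
                and any(r in ("*", "roles", "rolebindings") for r in res)
                and (wild or {"bind", "escalate"} & set(verbs))):
            findings.append(f"rule {i}: verbs on roles/rolebindings include bind/escalate "
                            "(a '*' verb list does), so the subject can grant itself "
                            "any permission in the namespace")
        if any(g in ("*", CORE) for g in groups):
            if any(r in ("*", "secrets") for r in res) and (wild or "list" in verbs):
                findings.append(f"rule {i}: can enumerate every Secret in the namespace")
            if any(r in ("*", "pods/exec", "*/exec") for r in res):
                findings.append(f"rule {i}: pods/exec with verbs {sorted(verbs)} gives a "
                                "shell in any pod; 'get' already authorizes exec opened "
                                "over a WebSocket GET upgrade")
    return findings


if __name__ == "__main__":
    for name, rules in (("admin", ADMIN_RULES), ("member", MEMBER_RULES)):
        print(f"{name}: list secrets -> {allowed(rules, 'list', 'secrets')}, "
              f"exec via POST -> {allowed(rules, 'create', 'pods/exec')}, "
              f"exec via GET -> {allowed(rules, 'get', 'pods/exec')}")
        for finding in audit(rules):
            print("  !", finding)
```

Paste the full rule list of the role you are about to change into the corresponding literal and run the script; the audit output is the list of things the change hands to every subject bound to that role. Note that the member role's get on secrets without list means a member can read a Secret whose name it knows but cannot enumerate them, which is a deliberate and useful distinction to preserve when editing.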

Default Admin RBACs

Note that this role grants '*' on roles and rolebindings in the tenant namespace. In Kubernetes '*' includes the bind and escalate verbs, so a tenant admin can create Roles, and RoleBindings to any ClusterRole, that confer more within the namespace than the rules below list; the role is namespace-scoped, but inside the namespace it is effectively unrestricted.

  - roleID: admin
    rules:
    - apiGroups:
      - ""
      resources:
      - bindings
      - podtemplates
      - replicationcontrollers
      - pods
      - resourcequotas
      - services
      - serviceaccounts
      - endpoints
      - persistentvolumeclaims
      - events
      - configmaps
      - secrets
      - pods/exec
      - pods/log
      - pods/portforward
      verbs:
      - '*'
    - apiGroups:
      - rbac.authorization.k8s.io
      resources:
      - roles
      - rolebindings
      verbs:
      - '*'
    - apiGroups:
      - apps
      resources:
      - controllerrevisions
      - statefulsets
      - deployments
      - replicasets
      verbs:
      - '*'
    - apiGroups:
      - deployment.hpe.com
      resources:
      - hpecpmodels
      verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
    - apiGroups:
      - kubedirector.hpe.com
      resources:
      - kubedirectorclusters
      - kubedirectorapps
      verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - patch
    - apiGroups:
      - hpecp.hpe.com
      resources:
      - hpecpfsmounts
      - hpecptenants
      verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
    - apiGroups:
      - networking.k8s.io
      resources:
      - networkpolicies
      - ingresses
      verbs:
      - '*'
    - apiGroups:
      - policy
      resources:
      - poddisruptionbudgets
      - poddisruptionbudgets/status
      verbs:
      - '*'
    - apiGroups:
      - metrics.k8s.io
      resources:
      - pods
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - authorization.k8s.io
      resources:
      - localsubjectaccessreviews
      verbs:
      - '*'
    - apiGroups:
      - autoscaling
      resources:
      - horizontalpodautoscalers
      verbs:
      - '*'
    - apiGroups:
      - batch
      resources:
      - cronjobs
      - jobs
      verbs:
      - '*'
    - apiGroups:
      - coordination.k8s.io
      resources:
      - leases
      verbs:
      - '*'
    - apiGroups:
      - discovery.k8s.io
      resources:
      - endpointslices
      verbs:
      - '*'
    - apiGroups:
      - snapshot.storage.k8s.io
      resources:
      - volumesnapshots
      verbs:
      - '*'
    - apiGroups:
      - sparkoperator.k8s.io
      resources:
      - scheduledsparkapplications
      - sparkapplications
      verbs:
      - '*'
    - apiGroups:
      - sparkoperator.hpe.com
      resources:
      - scheduledsparkapplications
      - sparkapplications
      verbs:
      - '*'
    - apiGroups:
      - machinelearning.seldon.io
      resources:
      - seldondeployments
      verbs:
      - '*'
    - apiGroups:
      - serving.kubeflow.org
      resources:
      - inferenceservices
      verbs:
      - '*'
    - apiGroups:
      - kubeflow.org
      resources:
      - pytorchjobs
      - tfjobs
      - experiments
      verbs:
      - '*'

Default Member RBACs

Two entries deserve attention when reviewing this role: secrets is granted get, create, update and patch but not list, so a member can read a Secret by name but cannot enumerate the namespace's Secrets; and pods/exec is granted get only, which still permits exec for clients that open the exec stream with a GET upgrade (WebSocket-based clients), so treat it as exec access rather than read-only.

  - roleID: member
    rules:
    - apiGroups:
      - ""
      resources:
      - pods
      - bindings
      - podtemplates
      - replicationcontrollers
      - resourcequotas
      - services
      - endpoints
      - persistentvolumeclaims
      - events
      - configmaps
      - pods/log
      - pods/portforward
      verbs:
      - '*'
    - apiGroups:
      - ""
      resources:
      - pods/exec
      verbs:
      - get
    - apiGroups:
      - ""
      resources:
      - secrets
      verbs:
      - get
      - create
      - update
      - patch
    - apiGroups:
      - apps
      resources:
      - controllerrevisions
      - daemonsets
      - statefulsets
      - deployments
      - replicasets
      verbs:
      - '*'
    - apiGroups:
      - deployment.hpe.com
      resources:
      - hpecpmodels
      verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
    - apiGroups:
      - kubedirector.hpe.com
      resources:
      - kubedirectorclusters
      verbs:
      - create
      - update
      - delete
      - get
      - list
      - watch
      - patch
    - apiGroups:
      - kubedirector.hpe.com
      resources:
      - kubedirectorapps
      verbs:
      - create
      - get
      - list
      - watch
    - apiGroups:
      - hpecp.hpe.com
      resources:
      - hpecpfsmounts
      - hpecptenants
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - networking.k8s.io
      resources:
      - networkpolicies
      - ingresses
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - policy
      resources:
      - poddisruptionbudgets
      - poddisruptionbudgets/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - metrics.k8s.io
      resources:
      - pods
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - authorization.k8s.io
      resources:
      - localsubjectaccessreviews
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - autoscaling
      resources:
      - horizontalpodautoscalers
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - batch
      resources:
      - cronjobs
      - jobs
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - coordination.k8s.io
      resources:
      - leases
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - discovery.k8s.io
      resources:
      - endpointslices
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - snapshot.storage.k8s.io
      resources:
      - volumesnapshots
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - sparkoperator.k8s.io
      resources:
      - scheduledsparkapplications
      - sparkapplications
      verbs:
      - create
      - update
      - get
      - list
      - watch
    - apiGroups:
      - sparkoperator.hpe.com
      resources:
      - scheduledsparkapplications
      - sparkapplications
      verbs:
      - create
      - update
      - get
      - list
      - watch
    - apiGroups:
      - machinelearning.seldon.io
      resources:
      - seldondeployments
      verbs:
      - '*'
    - apiGroups:
      - serving.kubeflow.org
      resources:
      - inferenceservices
      verbs:
      - '*'
    - apiGroups:
      - kubeflow.org
      resources:
      - pytorchjobs
      - tfjobs
      - experiments
      verbs:
      - '*'

Default SA (Service Account) RBACs

This role grants '*' on secrets, pods/exec, roles and rolebindings. Any workload running under a service account bound to it can read every Secret in the namespace, exec into every pod, and rewrite the namespace's RBAC, which is the blast radius of a compromised pod in the tenant.

  - roleID: sa
    rules:
    - apiGroups:
      - ""
      resources:
      - pods
      - resourcequotas
      - serviceaccounts
      - services
      - endpoints
      - persistentvolumeclaims
      - events
      - configmaps
      - secrets
      - pods/exec
      verbs:
      - '*'
    - apiGroups:
      - rbac.authorization.k8s.io
      resources:
      - roles
      - rolebindings
      verbs:
      - '*'
    - apiGroups:
      - apps
      resources:
      - daemonsets
      - statefulsets
      - deployments
      - replicasets
      verbs:
      - '*'
    - apiGroups:
      - deployment.hpe.com
      resources:
      - hpecpmodels
      verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
    - apiGroups:
      - kubedirector.hpe.com
      resources:
      - kubedirectorclusters
      - kubedirectorapps
      verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - patch
    - apiGroups:
      - hpecp.hpe.com
      resources:
      - hpecpfsmounts
      - hpecptenants
      verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
    - apiGroups:
      - networking.k8s.io
      resources:
      - networkpolicies
      - ingresses
      verbs:
      - '*'