Kubernetes Tenant RBAC
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise.
The following three key elements are involved in Kubernetes RBAC:
- Subjects: The set of users and processes that want to access the Kubernetes API.
- Resources: The set of Kubernetes API Objects available in the cluster. Examples include Pods, Deployments, Services, Nodes, and PersistentVolumes, among others.
- Verbs: The set of operations that can be executed on the resources above. Different verbs are available (examples: get, watch, create, delete, etc.), but ultimately all of them are Create, Read, Update or Delete (CRUD) operations.
With these three elements in mind, the key idea of RBAC is to connect subjects, API resources, and operations. In other words, we want to specify which operations can be executed over a set of resources for a given user.
Creating a new Kubernetes tenant via the web interface creates a corresponding set of roles and role bindings within the namespace of that new tenant. Each role is assigned a set of resources and allowed CRUD operations. Creating a Kubernetes tenant creates the following roles:
- Administrator. See Default Admin RBACS.
- Member. See Default Member RBACS.
- SA (not used). See Default SA (Service Account) RBACS.
Kubernetes roles and their assigned resources/operations are stored in the file /opt/bluedata/common-install/bd_mgmt/bd_mgmt_default_tenant_k8s.cfg on the host. Platform Administrator users may add, edit, or delete roles by editing this file, which changes the allowed defaults for all Kubernetes tenants created after the changes have been made. Editing bd_mgmt_default_tenant_k8s.cfg does not affect Kubernetes tenants that were created prior to making the changes.
If you need to edit the RBACs for a running Kubernetes tenant:
- Access the Kubernetes tenant as either the Platform Administrator or the Kubernetes Cluster Administrator for the cluster that contains the affected tenant.
- Execute this command on any Kubernetes master node:
  kubectl edit hpecptenants.hpecp.hpe.com -n hpecp
- Make and then save your desired changes.
Default Admin RBACS
- roleID: admin
  rules:
  - apiGroups:
    - ""
    resources:
    - bindings
    - podtemplates
    - replicationcontrollers
    - pods
    - resourcequotas
    - services
    - serviceaccounts
    - endpoints
    - persistentvolumeclaims
    - events
    - configmaps
    - secrets
    - pods/exec
    - pods/log
    - pods/portforward
    verbs:
    - '*'
  - apiGroups:
    - rbac.authorization.k8s.io
    resources:
    - roles
    - rolebindings
    verbs:
    - '*'
  - apiGroups:
    - apps
    resources:
    - controllerrevisions
    - statefulsets
    - deployments
    - replicasets
    verbs:
    - '*'
  - apiGroups:
    - deployment.hpe.com
    resources:
    - hpecpmodels
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - delete
  - apiGroups:
    - kubedirector.hpe.com
    resources:
    - kubedirectorclusters
    - kubedirectorapps
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - delete
    - patch
  - apiGroups:
    - hpecp.hpe.com
    resources:
    - hpecpfsmounts
    - hpecptenants
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - delete
  - apiGroups:
    - networking.k8s.io
    resources:
    - networkpolicies
    - ingresses
    verbs:
    - '*'
  - apiGroups:
    - policy
    resources:
    - poddisruptionbudgets
    - poddisruptionbudgets/status
    verbs:
    - '*'
  - apiGroups:
    - metrics.k8s.io
    resources:
    - pods
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - authorization.k8s.io
    resources:
    - localsubjectaccessreviews
    verbs:
    - '*'
  - apiGroups:
    - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
    - '*'
  - apiGroups:
    - batch
    resources:
    - cronjobs
    - jobs
    verbs:
    - '*'
  - apiGroups:
    - coordination.k8s.io
    resources:
    - leases
    verbs:
    - '*'
  - apiGroups:
    - discovery.k8s.io
    resources:
    - endpointslices
    verbs:
    - '*'
  - apiGroups:
    - snapshot.storage.k8s.io
    resources:
    - volumesnapshots
    verbs:
    - '*'
  - apiGroups:
    - sparkoperator.k8s.io
    resources:
    - scheduledsparkapplications
    - sparkapplications
    verbs:
    - '*'
  - apiGroups:
    - sparkoperator.hpe.com
    resources:
    - scheduledsparkapplications
    - sparkapplications
    verbs:
    - '*'
  - apiGroups:
    - machinelearning.seldon.io
    resources:
    - seldondeployments
    verbs:
    - '*'
  - apiGroups:
    - serving.kubeflow.org
    resources:
    - inferenceservices
    verbs:
    - '*'
  - apiGroups:
    - kubeflow.org
    resources:
    - pytorchjobs
    - tfjobs
    - experiments
    verbs:
    - '*'
Default Member RBACS
- roleID: member
  rules:
  - apiGroups:
    - ""
    resources:
    - pods
    - bindings
    - podtemplates
    - replicationcontrollers
    - resourcequotas
    - services
    - endpoints
    - persistentvolumeclaims
    - events
    - configmaps
    - pods/log
    - pods/portforward
    verbs:
    - '*'
  - apiGroups:
    - ""
    resources:
    - pods/exec
    verbs:
    - get
  - apiGroups:
    - ""
    resources:
    - secrets
    verbs:
    - get
    - create
    - update
    - patch
  - apiGroups:
    - apps
    resources:
    - controllerrevisions
    - daemonsets
    - statefulsets
    - deployments
    - replicasets
    verbs:
    - '*'
  - apiGroups:
    - deployment.hpe.com
    resources:
    - hpecpmodels
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - delete
  - apiGroups:
    - kubedirector.hpe.com
    resources:
    - kubedirectorclusters
    verbs:
    - create
    - update
    - delete
    - get
    - list
    - watch
    - patch
  - apiGroups:
    - kubedirector.hpe.com
    resources:
    - kubedirectorapps
    verbs:
    - create
    - get
    - list
    - watch
  - apiGroups:
    - hpecp.hpe.com
    resources:
    - hpecpfsmounts
    - hpecptenants
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - networking.k8s.io
    resources:
    - networkpolicies
    - ingresses
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - policy
    resources:
    - poddisruptionbudgets
    - poddisruptionbudgets/status
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - metrics.k8s.io
    resources:
    - pods
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - authorization.k8s.io
    resources:
    - localsubjectaccessreviews
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - batch
    resources:
    - cronjobs
    - jobs
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - coordination.k8s.io
    resources:
    - leases
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - discovery.k8s.io
    resources:
    - endpointslices
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - snapshot.storage.k8s.io
    resources:
    - volumesnapshots
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - sparkoperator.k8s.io
    resources:
    - scheduledsparkapplications
    - sparkapplications
    verbs:
    - create
    - update
    - get
    - list
    - watch
  - apiGroups:
    - sparkoperator.hpe.com
    resources:
    - scheduledsparkapplications
    - sparkapplications
    verbs:
    - create
    - update
    - get
    - list
    - watch
  - apiGroups:
    - machinelearning.seldon.io
    resources:
    - seldondeployments
    verbs:
    - '*'
  - apiGroups:
    - serving.kubeflow.org
    resources:
    - inferenceservices
    verbs:
    - '*'
  - apiGroups:
    - kubeflow.org
    resources:
    - pytorchjobs
    - tfjobs
    - experiments
    verbs:
    - '*'
Default SA (Service Account) RBACS
- roleID: sa
  rules:
  - apiGroups:
    - ""
    resources:
    - pods
    - resourcequotas
    - serviceaccounts
    - services
    - endpoints
    - persistentvolumeclaims
    - events
    - configmaps
    - secrets
    - pods/exec
    verbs:
    - '*'
  - apiGroups:
    - rbac.authorization.k8s.io
    resources:
    - roles
    - rolebindings
    verbs:
    - '*'
  - apiGroups:
    - apps
    resources:
    - daemonsets
    - statefulsets
    - deployments
    - replicasets
    verbs:
    - '*'
  - apiGroups:
    - deployment.hpe.com
    resources:
    - hpecpmodels
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - delete
  - apiGroups:
    - kubedirector.hpe.com
    resources:
    - kubedirectorclusters
    - kubedirectorapps
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - delete
    - patch
  - apiGroups:
    - hpecp.hpe.com
    resources:
    - hpecpfsmounts
    - hpecptenants
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - delete
  - apiGroups:
    - networking.k8s.io
    resources:
    - networkpolicies
    - ingresses
    verbs:
    - '*'
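The following script is an added example, not code from this documentation page or from the HPE product. It evaluates role rules the way the Kubernetes RBAC authorizer does (a request is allowed if any rule grants it; rules are purely additive and there is no deny rule) and lists what the admin role can do that the member role cannot, which is the comparison a reviewer makes when deciding whether a tenant role is least-privilege. The ROLES data is a constructed subset of the admin and member rules listed above (the core group, rbac.authorization.k8s.io and kubedirector.hpe.com); the evaluator deliberately ignores resourceNames, nonResourceURLs and cluster-scoped rules, which the tenant roles above do not use.

```python
"""Evaluate Kubernetes tenant Role rules and diff two roles' privileges.

Added example, not part of the HPE documentation. ROLES is a constructed
subset of the "Default Admin RBACS" and "Default Member RBACS" listings;
the real hpecptenants object carries the full rule lists.
"""

# Constructed subset of the page's role rules: each dict mirrors one
# apiGroups/resources/verbs block from the listings above.
ROLES = {
    "admin": [
        {"apiGroups": [""],
         "resources": ["pods", "secrets", "configmaps",
                       "pods/exec", "pods/log", "pods/portforward"],
         "verbs": ["*"]},
        {"apiGroups": ["rbac.authorization.k8s.io"],
         "resources": ["roles", "rolebindings"],
         "verbs": ["*"]},
        {"apiGroups": ["kubedirector.hpe.com"],
         "resources": ["kubedirectorclusters", "kubedirectorapps"],
         "verbs": ["get", "list", "watch", "create", "update", "delete", "patch"]},
    ],
    "member": [
        {"apiGroups": [""],
         "resources": ["pods", "configmaps", "pods/log", "pods/portforward"],
         "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "create", "update", "patch"]},
        {"apiGroups": ["kubedirector.hpe.com"],
         "resources": ["kubedirectorclusters"],
         "verbs": ["create", "update", "delete", "get", "list", "watch", "patch"]},
        {"apiGroups": ["kubedirector.hpe.com"],
         "resources": ["kubedirectorapps"],
         "verbs": ["create", "get", "list", "watch"]},
    ],
}

# The standard verbs a Role can grant on a namespaced resource; a '*' verb
# entry is expanded to this tuple so that two roles can be compared.
ALL_VERBS = ("get", "list", "watch", "create", "update", "patch", "delete")


def _matches(allowed, wanted):
    """A '*' entry matches anything; otherwise the entry must be present
    verbatim. Subresources such as pods/exec are distinct from pods, exactly
    as the Kubernetes authorizer treats them."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb):
    """True if this single rule grants <verb> on <resource> in <api_group>."""
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def role_allows(rules, api_group, resource, verb):
    """RBAC is additive: the request is allowed if ANY rule grants it."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def granted_permissions(rules):
    """Expand a rule list into the concrete (group, resource, verb) triples it
    grants. Only '*' in verbs is expanded; a literal '*' apiGroup or resource
    (not used by the roles on this page) is kept as the string '*'."""
    perms = set()
    for rule in rules:
        verbs = ALL_VERBS if "*" in rule["verbs"] else tuple(rule["verbs"])
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                for verb in verbs:
                    perms.add((group, resource, verb))
    return perms


def privilege_gap(stronger, weaker):
    """Sorted list of permissions held by `stronger` but not by `weaker`."""
    return sorted(granted_permissions(stronger) - granted_permissions(weaker))


if __name__ == "__main__":
    for group, resource, verb in privilege_gap(ROLES["admin"], ROLES["member"]):
        print(f"admin-only: {verb:7} {resource} ({group or 'core'})")
```

Running it shows the member role's deliberate narrowing relative to admin in this subset: no list, watch or delete on secrets, only get on pods/exec, nothing at all on roles and rolebindings, and no update, patch or delete on kubedirectorapps. The same expansion can be pointed at the SA role, or at the full rule lists after a tenant has been edited with kubectl edit, to confirm that an edit did not widen a role beyond what was intended.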