docs/vendor/replicated-sdk-customizing.md
Lines changed: 45 additions & 51 deletions
@@ -10,22 +10,48 @@ This section describes role-based access control (RBAC) for the Replicated SDK,
10
10
11
11
It also describes how to enable the `replicated.minimalRBAC` field to use a less-permissive default RBAC role for the Replicated SDK version 1.7.0 and later.
12
12
13
-
### Enable `minimalRBAC`
13
+
### Default RBAC
14
14
15
-
With the Replicated SDK version 1.7.0 and later, you can enable the use of a less-permissive RBAC role for the SDK pod by setting the `replicated.minimalRBAC`Helm value in your Helm chart, as shown below:
15
+
This section describes the default RBAC role that is created for the Replicated SDK when the `replicated.minimalRBAC`field is false.
16
16
17
-
```yaml
18
-
# Helm chart values.yaml
17
+
The SDK creates default Role, RoleBinding, and ServiceAccount objects during installation. The default Role allows the SDK to get, list, and watch all resources in the namespace, to create Secrets, and to update the `replicated`, `replicated-instance-report`, `replicated-custom-app-metrics-report`, and `replicated-meta-data` Secrets:
19
18
20
-
replicated:
21
-
minimalRBAC: true
19
+
```yaml
20
+
apiVersion: rbac.authorization.k8s.io/v1
21
+
kind: Role
22
+
metadata:
23
+
name: replicated-role
24
+
rules:
25
+
- apiGroups:
26
+
- '*'
27
+
resources:
28
+
- '*'
29
+
verbs:
30
+
- 'get'
31
+
- 'list'
32
+
- 'watch'
33
+
- apiGroups:
34
+
- ''
35
+
resources:
36
+
- 'secrets'
37
+
verbs:
38
+
- 'create'
39
+
- apiGroups:
40
+
- ''
41
+
resources:
42
+
- 'secrets'
43
+
verbs:
44
+
- 'update'
45
+
resourceNames:
46
+
- replicated
47
+
- replicated-instance-report
48
+
- replicated-custom-app-metrics-report
49
+
- replicated-meta-data
22
50
```
23
51
24
-
For more information about the default RBAC role that is created when `minimalRBAC` is enabled, see [Default RBAC (`minimalRBAC: true`)](#default-rbac-true).
This section describes the default RBAC role that is created for the Replicated SDK when the `replicated.minimalRBAC` field is true. For the default RBAC when `minimalRBAC` is false, see [Default RBAC (`minimalRBAC: false`)](#default-rbac-false).
54
+
This section describes the default RBAC role that is created for the Replicated SDK when the `replicated.minimalRBAC` field is true in version 1.7.0 and later.
29
55
30
56
The permissions included in the default `minimalRBAC` Role vary depending on if you defined custom _status informers_ for your application. See one of the following sections for more information:
31
57
* [Default `minimalRBAC` Role Without Custom Status Informers](#default-no-status-informers)
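Review bot: The added `### Default RBAC` section shows the wildcard rule (`apiGroups: '*'`, `resources: '*'`, verbs `get`, `list`, `watch`) without saying that it lets the SDK read every Secret in the namespace, not only the four listed under `resourceNames` for `update`. Since this section now comes first on the page, add one sentence after the YAML that states this and points readers on SDK 1.7.0 and later to `replicated.minimalRBAC: true`. Two smaller points in the same added text: the intro sentence reads `replicated.minimalRBAC`field with no space before "field", and it does not say whether false is what applies when the field is left unset.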
@@ -53,6 +79,15 @@ If you did _not_ define custom status informers for your application, then the d
53
79
54
80
These permissions allow the SDK to discover the Helm chart secret for your application, parse it to determine what resources to monitor, and then monitor those resources.
55
81
82
+
To enable `minimalRBAC`, set the value in your Helm chart as shown below:
83
+
84
+
```yaml
85
+
# Helm chart values.yaml
86
+
87
+
replicated:
88
+
minimalRBAC: true
89
+
```
90
+
56
91
The following shows the default RBAC role for the SDK when `minimalRBAC` is enabled and no customer status informers are defined:
This section describes the default RBAC role that is created for the Replicated SDK when the `replicated.minimalRBAC` field is false.
267
-
268
-
The SDK creates default Role, RoleBinding, and ServiceAccount objects during installation. The default Role allows the SDK to get, list, and watch all resources in the namespace, to create Secrets, and to update the `replicated`, `replicated-instance-report`, `replicated-custom-app-metrics-report`, and `replicated-meta-data` Secrets:
269
-
270
-
```yaml
271
-
apiVersion: rbac.authorization.k8s.io/v1
272
-
kind: Role
273
-
metadata:
274
-
labels:
275
-
{{- include "replicated.labels" . | nindent 4 }}
276
-
name: replicated-role
277
-
rules:
278
-
- apiGroups:
279
-
- '*'
280
-
resources:
281
-
- '*'
282
-
verbs:
283
-
- 'get'
284
-
- 'list'
285
-
- 'watch'
286
-
- apiGroups:
287
-
- ''
288
-
resources:
289
-
- 'secrets'
290
-
verbs:
291
-
- 'create'
292
-
- apiGroups:
293
-
- ''
294
-
resources:
295
-
- 'secrets'
296
-
verbs:
297
-
- 'update'
298
-
resourceNames:
299
-
- replicated
300
-
- replicated-instance-report
301
-
- replicated-custom-app-metrics-report
302
-
- replicated-meta-data
303
-
```
304
-
305
299
### Install the SDK with Custom RBAC
306
300
307
301
This section describes how to install the SDK with custom RBAC permissions, include the minimum RBAC requirements for custom roles. To install with custom RBAC, you can use a custom ServiceAccount or a custom ClusterRole. See the sections below for more information.
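Review bot: The added "To enable `minimalRBAC`" values.yaml snippet sits inside the subsection for applications without custom status informers, between "These permissions allow the SDK to discover the Helm chart secret..." and "The following shows the default RBAC role...", so a reader who did define custom status informers will not come across the enabling step. Move the `replicated.minimalRBAC: true` block up to the parent section, before the list of subsection links, so that it applies to both cases. The context line directly below the snippet says "no customer status informers", which looks like it should read "custom" and could be fixed in the same change.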