Using kubernetes rbac.authorization.k8s.io with apiextensions.k8s.io
In Kubernetes, RBAC (Role-Based Access Control) is a method of regulating access to resources within a Kubernetes cluster. It allows you to define roles with specific permissions, like reading or writing to certain Kubernetes resources, and bind those roles to users, groups, or service accounts.
RBAC roles can be set at the cluster level (using `ClusterRole` and `ClusterRoleBinding` resources) or within a particular namespace (using `Role` and `RoleBinding` resources).

When working with Custom Resource Definitions (CRDs) provided by the `apiextensions.k8s.io` API, you might want to define RBAC roles that allow manipulating these custom resources. For example, you could create a `Role` that lets a service account read a custom resource within a specific namespace.

Below, I'll demonstrate how to use Pulumi to create a `Role` in Kubernetes which grants read access to a hypothetical custom resource, 'MyCustomResource', that is defined within a specific namespace.

The program will include:

- A CRD (CustomResourceDefinition) to define a hypothetical 'MyCustomResource'.
- A `Role` that specifies read-only access (`get`, `list`, and `watch` verbs) to 'MyCustomResource'.
- A `RoleBinding` that binds the `Role` to a service account in the namespace.
```typescript
import * as k8s from "@pulumi/kubernetes";

// Create a CustomResourceDefinition for `MyCustomResource`.
// The CRD name must be `<plural>.<group>`.
const myCustomResourceCrd = new k8s.apiextensions.v1.CustomResourceDefinition("myCustomResourceCrd", {
    metadata: {
        name: "mycustomresources.example.com",
    },
    spec: {
        group: "example.com",
        versions: [{
            name: "v1alpha1",
            served: true,
            storage: true,
            schema: {
                openAPIV3Schema: {
                    type: "object",
                    properties: {
                        spec: {
                            type: "object",
                            properties: {
                                message: {
                                    type: "string",
                                },
                            },
                        },
                    },
                },
            },
        }],
        scope: "Namespaced",
        names: {
            plural: "mycustomresources",
            singular: "mycustomresource",
            kind: "MyCustomResource",
            shortNames: ["mcr"],
        },
    },
});

// Create a Role that gives read access to `MyCustomResource` within a particular namespace.
const readMyCustomResourceRole = new k8s.rbac.v1.Role("readMyCustomResourceRole", {
    metadata: {
        // Replace with the namespace where your CRD will be accessed.
        namespace: "my-namespace",
    },
    rules: [
        {
            apiGroups: ["example.com"],
            // The plural resource name from the CRD, not the Kind.
            resources: ["mycustomresources"],
            verbs: ["get", "list", "watch"],
        },
    ],
});

// Bind the read access Role to a service account within the namespace.
const readMyCustomResourceRoleBinding = new k8s.rbac.v1.RoleBinding("readMyCustomResourceRoleBinding", {
    metadata: {
        // The namespace must match the namespace of the Role.
        namespace: readMyCustomResourceRole.metadata.apply(m => m.namespace),
    },
    subjects: [
        {
            kind: "ServiceAccount",
            // Replace with the name of the service account that needs read access.
            name: "my-service-account",
            namespace: readMyCustomResourceRole.metadata.apply(m => m.namespace),
        },
    ],
    roleRef: {
        kind: "Role",
        name: readMyCustomResourceRole.metadata.apply(m => m.name),
        apiGroup: "rbac.authorization.k8s.io",
    },
});

// Export the name of the CRD and RoleBinding for reference.
export const crdName = myCustomResourceCrd.metadata.name;
export const roleBindingName = readMyCustomResourceRoleBinding.metadata.name;
```
This TypeScript program uses Pulumi to interact with Kubernetes RBAC and the apiextensions API. Specifically, it defines:

- `myCustomResourceCrd`: A custom resource definition for 'MyCustomResource' which dictates the schema for the custom resource.
- `readMyCustomResourceRole`: A role with limited permissions just to read 'MyCustomResource'.
- `readMyCustomResourceRoleBinding`: A role binding that attaches the read role to a specified service account.
Make sure to replace `"my-namespace"` with the actual namespace you wish to use, and `"my-service-account"` with the name of the service account that should receive the permissions defined in the role. Note that the program creates neither the namespace nor the service account; both must already exist in the cluster, otherwise the binding refers to a subject that cannot authenticate.

Please ensure you have Pulumi installed along with the necessary configuration for your Kubernetes cluster. When you run this Pulumi program with `pulumi up`, the policy will be applied to your cluster, and the service account will have read access to 'MyCustomResource' within the specified namespace.
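To see why the `Role` above is least-privilege, it helps to run its rules through the same matching logic the Kubernetes RBAC authorizer applies. The following TypeScript is an added example and not part of the Pulumi program: it is an offline model of the `rbac/v1` rule-evaluation semantics (`*` wildcards in verbs, API groups and resources, `*/subresource` rules, `resourceNames`, and the fact that a `Role` only applies inside its own namespace). The interfaces, the `roleAllows` function and the request inputs are constructed for this illustration; the role data is copied from the program.

```typescript
// Added example, not part of the Pulumi program above: an offline model of
// how the Kubernetes RBAC authorizer evaluates a Role's PolicyRules, used to
// confirm that the read-only Role grants get/list/watch on mycustomresources
// in its own namespace and nothing else. Matching follows the semantics of
// the rbac/v1 evaluation helpers in Kubernetes; the requests are constructed.

interface PolicyRule {
  apiGroups: string[];
  resources: string[];
  verbs: string[];
  resourceNames?: string[];
}

interface NamespacedRole {
  name: string;
  namespace: string;
  rules: PolicyRule[];
}

interface ResourceRequest {
  verb: string;
  apiGroup: string;     // "" is the core API group (pods, secrets, ...)
  resource: string;     // plural resource name, e.g. "mycustomresources"
  subresource?: string; // e.g. "status"; must be granted explicitly
  name?: string;        // object name, only relevant when a rule has resourceNames
  namespace: string;
}

const ALL = "*";

function verbMatches(rule: PolicyRule, verb: string): boolean {
  return rule.verbs.some(v => v === ALL || v === verb);
}

function apiGroupMatches(rule: PolicyRule, group: string): boolean {
  return rule.apiGroups.some(g => g === ALL || g === group);
}

function resourceMatches(rule: PolicyRule, req: ResourceRequest): boolean {
  // A request for a subresource is matched as "resource/subresource".
  const combined = req.subresource ? `${req.resource}/${req.subresource}` : req.resource;
  return rule.resources.some(r => {
    if (r === ALL || r === combined) return true;
    // A "*/status"-style rule matches that subresource on any resource.
    return !!req.subresource && r === `${ALL}/${req.subresource}`;
  });
}

function resourceNameMatches(rule: PolicyRule, name?: string): boolean {
  // No resourceNames on the rule means every object name is covered.
  if (!rule.resourceNames || rule.resourceNames.length === 0) return true;
  return name !== undefined && rule.resourceNames.indexOf(name) !== -1;
}

function ruleAllows(rule: PolicyRule, req: ResourceRequest): boolean {
  return verbMatches(rule, req.verb) && apiGroupMatches(rule, req.apiGroup)
    && resourceMatches(rule, req) && resourceNameMatches(rule, req.name);
}

// A Role (unlike a ClusterRole) only ever applies to requests in its own namespace.
function roleAllows(role: NamespacedRole, req: ResourceRequest): boolean {
  if (req.namespace !== role.namespace) return false;
  return role.rules.some(rule => ruleAllows(rule, req));
}

// The Role from the Pulumi program, expressed as plain data.
const readMyCustomResourceRole: NamespacedRole = {
  name: "readMyCustomResourceRole",
  namespace: "my-namespace",
  rules: [{ apiGroups: ["example.com"], resources: ["mycustomresources"], verbs: ["get", "list", "watch"] }],
};

// A deliberately over-broad role for contrast: wildcards match everything.
const wildcardRole: NamespacedRole = {
  name: "tooBroadRole",
  namespace: "my-namespace",
  rules: [{ apiGroups: [ALL], resources: [ALL], verbs: [ALL] }],
};

const base = { apiGroup: "example.com", resource: "mycustomresources", namespace: "my-namespace" };

// Constructed requests: the intended reads must pass, everything else must be denied.
const checks = {
  listAllowed: roleAllows(readMyCustomResourceRole, { ...base, verb: "list" }),
  watchAllowed: roleAllows(readMyCustomResourceRole, { ...base, verb: "watch" }),
  deleteDenied: !roleAllows(readMyCustomResourceRole, { ...base, verb: "delete" }),
  statusSubresourceDenied: !roleAllows(readMyCustomResourceRole, { ...base, verb: "get", subresource: "status" }),
  otherNamespaceDenied: !roleAllows(readMyCustomResourceRole, { ...base, verb: "get", namespace: "other" }),
  corePodsDenied: !roleAllows(readMyCustomResourceRole, { ...base, verb: "get", apiGroup: "", resource: "pods" }),
  wildcardAllowsDelete: roleAllows(wildcardRole, { ...base, verb: "delete" }),
};

for (const key in checks) {
  console.log(`${key}: ${checks[key as keyof typeof checks]}`);
}
```

Two things the model makes visible that the manifest alone does not: a rule on `mycustomresources` does not cover `mycustomresources/status`, so a controller that patches status needs that subresource listed separately, and a single `*` in any of the three rule fields removes the restriction entirely. Against a live cluster the equivalent check is `kubectl auth can-i`, run with `--as=system:serviceaccount:<namespace>:<service-account>` and `-n <namespace>`, which asks the API server's own authorizer the same question.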