1. Using kubernetes rbac.authorization.k8s.io with apiextensions.k8s.io

    TypeScript

    In Kubernetes, RBAC (Role-Based Access Control) is a method of regulating access to resources within a Kubernetes cluster. It allows you to define roles with specific permissions, like reading or writing to certain Kubernetes resources, and bind those roles to users, groups, or service accounts.

    RBAC roles can be set at the cluster level (using ClusterRole and ClusterRoleBinding resources) or within a particular namespace (using Role and RoleBinding resources).

    When working with Custom Resource Definitions (CRDs) provided by the apiextensions.k8s.io API, you might want to define RBAC roles that allow manipulating these custom resources. For example, you could create a Role that lets a service account read a custom resource within a specific namespace.

    Below, I'll demonstrate how to use Pulumi to create a Role in Kubernetes which grants read access to a hypothetical custom resource, 'MyCustomResource', that is defined within a specific namespace.

    The program will include:

    • A CRD (CustomResourceDefinition) to define a hypothetical 'MyCustomResource'.
    • A Role that specifies read-only access (get, list, and watch verbs) to 'MyCustomResource'.
    • A RoleBinding that binds the Role to a service account in the namespace.
        import * as k8s from "@pulumi/kubernetes";

        // Create a CustomResourceDefinition for `MyCustomResource`.
        const myCustomResourceCrd = new k8s.apiextensions.v1.CustomResourceDefinition("myCustomResourceCrd", {
            metadata: {
                name: "mycustomresources.example.com",
            },
            spec: {
                group: "example.com",
                versions: [{
                    name: "v1alpha1",
                    served: true,
                    storage: true,
                    schema: {
                        openAPIV3Schema: {
                            type: "object",
                            properties: {
                                spec: {
                                    type: "object",
                                    properties: {
                                        message: {
                                            type: "string",
                                        },
                                    },
                                },
                            },
                        },
                    },
                }],
                scope: "Namespaced",
                names: {
                    plural: "mycustomresources",
                    singular: "mycustomresource",
                    kind: "MyCustomResource",
                    shortNames: ["mcr"],
                },
            },
        });

        // Create a Role that gives read access to `MyCustomResource` within a particular namespace.
        const readMyCustomResourceRole = new k8s.rbac.v1.Role("readMyCustomResourceRole", {
            metadata: {
                // Replace with the namespace where your CRD will be accessed.
                namespace: "my-namespace",
            },
            rules: [
                {
                    apiGroups: ["example.com"],
                    resources: ["mycustomresources"],
                    verbs: ["get", "list", "watch"],
                },
            ],
        });

        // Bind the read access Role to a service account within the namespace.
        const readMyCustomResourceRoleBinding = new k8s.rbac.v1.RoleBinding("readMyCustomResourceRoleBinding", {
            metadata: {
                // The namespace must match the namespace of the Role.
                namespace: readMyCustomResourceRole.metadata.apply(m => m.namespace),
            },
            subjects: [
                {
                    kind: "ServiceAccount",
                    // Replace with the name of the service account that needs read access.
                    name: "my-service-account",
                    namespace: readMyCustomResourceRole.metadata.apply(m => m.namespace),
                },
            ],
            roleRef: {
                kind: "Role",
                name: readMyCustomResourceRole.metadata.apply(m => m.name),
                apiGroup: "rbac.authorization.k8s.io",
            },
        });

        // Export the name of the CRD and RoleBinding for reference.
        export const crdName = myCustomResourceCrd.metadata.name;
        export const roleBindingName = readMyCustomResourceRoleBinding.metadata.name;

    This TypeScript program uses Pulumi to interact with Kubernetes RBAC and the apiextensions API. Specifically, it defines:

    • The myCustomResourceCrd: A custom resource definition for 'MyCustomResource' which defines the schema of the custom resource.
    • The readMyCustomResourceRole: A role with limited permissions just to read 'MyCustomResource'.
    • The readMyCustomResourceRoleBinding: A role binding that attaches the read role to a specified service account.

    Make sure to replace "my-namespace" with the actual namespace you wish to use, and "my-service-account" with the name of the service account that should receive the permissions defined in the role.

    Please ensure you have Pulumi installed along with the necessary configuration for your Kubernetes cluster. When you run this Pulumi program with pulumi up, the CRD, Role and RoleBinding will be created in your cluster, and the service account will have read-only access to 'MyCustomResource' within the specified namespace.
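    As an added example (not part of the program above or of the Pulumi project), here is a least-privilege check over RBAC rules shaped like the Role's rules, useful in a unit test before running pulumi up. It assumes the CRD group example.com and plural mycustomresources from the program, and it has no Pulumi dependency.

```typescript
// Added example: validate that a set of RBAC rules grants at most read-only
// access to one CRD. The rule objects have the same shape as the `rules`
// array of k8s.rbac.v1.Role above, but this code needs no Pulumi import.

interface PolicyRule {
    apiGroups: string[];
    resources: string[];
    verbs: string[];
}

// Verbs that only observe state. Anything else (create, update, patch,
// delete, deletecollection, "*") can change the custom resources.
const READ_ONLY_VERBS = new Set(["get", "list", "watch"]);

// Returns a list of findings; an empty list means every rule is limited to
// read-only verbs on exactly the expected group and resource.
function checkReadOnlyCrdRules(rules: PolicyRule[], crdGroup: string, crdPlural: string): string[] {
    const findings: string[] = [];
    rules.forEach((rule, i) => {
        for (const g of rule.apiGroups) {
            if (g === "*") findings.push(`rule ${i}: wildcard apiGroup`);
            else if (g !== crdGroup) findings.push(`rule ${i}: unexpected apiGroup ${g}`);
        }
        for (const r of rule.resources) {
            if (r === "*") findings.push(`rule ${i}: wildcard resource`);
            else if (r !== crdPlural) findings.push(`rule ${i}: unexpected resource ${r}`);
        }
        for (const v of rule.verbs) {
            if (!READ_ONLY_VERBS.has(v)) findings.push(`rule ${i}: non-read verb ${v}`);
        }
    });
    return findings;
}

// Constructed input: the rules from the Role in the program above.
const roleRules: PolicyRule[] = [
    { apiGroups: ["example.com"], resources: ["mycustomresources"], verbs: ["get", "list", "watch"] },
];

// Constructed input: an over-broad variant that a review should reject
// (wildcard resource and a mutating verb).
const overBroadRules: PolicyRule[] = [
    { apiGroups: ["example.com"], resources: ["*"], verbs: ["get", "list", "watch", "delete"] },
];

console.log(checkReadOnlyCrdRules(roleRules, "example.com", "mycustomresources"));      // []
console.log(checkReadOnlyCrdRules(overBroadRules, "example.com", "mycustomresources")); // two findings
```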