Using kubernetes rbac.authorization.k8s.io with externaldns.k8s.io
TypeScriptWhen you want to manage access control in Kubernetes, you use the Role-Based Access Control (RBAC) objects provided by Kubernetes. These objects include
Role
,RoleBinding
,ClusterRole
, andClusterRoleBinding
. RBAC allows you to define roles with specific permissions and bind those roles to users, groups, or service accounts.The
externaldns.k8s.io
usually refers to an ExternalDNS setup within a Kubernetes cluster. ExternalDNS synchronizes exposed Kubernetes Services and Ingresses with DNS providers.To allow ExternalDNS to modify DNS records, you must grant it permissions typically by creating a service account for ExternalDNS, and then creating a
ClusterRole
and aClusterRoleBinding
that grants the necessary permissions to that service account.Here is a Pulumi TypeScript program that defines a
ClusterRole
with permissions to modify services and ingresses, and aClusterRoleBinding
to grant those permissions to a service account namedexternal-dns
. This example assumes you have Pulumi installed and configured to deploy to a Kubernetes cluster:import * as k8s from '@pulumi/kubernetes'; // Create a service account for ExternalDNS const externalDnsServiceAccount = new k8s.core.v1.ServiceAccount("external-dns", { metadata: { name: "external-dns", }, }, { provider: k8sProvider }); // Define a ClusterRole for ExternalDNS with necessary permissions const externalDnsClusterRole = new k8s.rbac.v1.ClusterRole("external-dns-cluster-role", { metadata: { name: "external-dns-cluster-role" }, rules: [ { apiGroups: [""], // "" indicates the core API group resources: ["services", "endpoints", "pods"], verbs: ["get", "watch", "list"], }, { apiGroups: ["extensions", "networking.k8s.io"], resources: ["ingresses"], verbs: ["get", "watch", "list"], }, { apiGroups: [""], resources: ["nodes"], verbs: ["list", "watch"], }, ], }, { provider: k8sProvider }); // Bind the ClusterRole to the service account const externalDnsClusterRoleBinding = new k8s.rbac.v1.ClusterRoleBinding("external-dns-role-binding", { metadata: { name: "external-dns-role-binding" }, subjects: [ { kind: "ServiceAccount", name: "external-dns", namespace: "default", }, ], roleRef: { kind: "ClusterRole", name: externalDnsClusterRole.metadata.name, apiGroup: "rbac.authorization.k8s.io", }, }, { provider: k8sProvider }); // Export the service account name export const serviceAccountName = externalDnsServiceAccount.metadata.name;
Let's break down each part of the code:
-
The
externalDnsServiceAccount
resource creates a service account namedexternal-dns
. This service account will be used by the ExternalDNS deployment. -
The
externalDnsClusterRole
resource defines aClusterRole
with the rules required for the ExternalDNS service to interact with Services, Ingresses, Endpoints, and Nodes. -
The
externalDnsClusterRoleBinding
resource creates aClusterRoleBinding
that grants the permissions defined in theexternalDnsClusterRole
to theexternal-dns
service account created earlier in thedefault
namespace.
Finally, the program exports the name of the service account as an output, which can be useful if other resources need to reference it.
Remember to replace
{ provider: k8sProvider }
with your actual Kubernetes provider configuration if necessary. If you are running Pulumi programmatically or using a kubeconfig file that Pulumi has access to, you may omit the provider reference altogether.For more detailed documentation about these resources, you can visit the official Pulumi documentation:
-