Using Kubernetes Rbac.authorization.k8s.io With Operator.tigera.io

Introduction

In this guide, we will demonstrate how to set up Kubernetes RBAC (Role-Based Access Control) using the rbac.authorization.k8s.io API group along with the operator.tigera.io API for Calico. This setup will help you manage access control and network policies in your Kubernetes cluster using Pulumi.

Step-by-Step Explanation

Step 1: Install Pulumi and Configure AWS

  1. Install Pulumi CLI from Pulumi’s official website.
  2. Configure Pulumi to use AWS as the cloud provider by setting up your AWS credentials. You can follow the guide here.

Step 2: Create a New Pulumi Project

  1. Create a new directory for your project and navigate into it:
    mkdir pulumi-k8s-rbac-calico
    cd pulumi-k8s-rbac-calico
    
  2. Initialize a new Pulumi project:
    pulumi new aws-typescript
    

Step 3: Install Required Pulumi Packages

  1. Install the Pulumi Kubernetes package:
    npm install @pulumi/kubernetes
    
  2. Install the Pulumi AWS package:
    npm install @pulumi/aws
    

Step 4: Define Kubernetes RBAC and Calico Resources

  1. Open the index.ts file in your project directory.
  2. Define the Kubernetes RBAC resources and Calico operator resources as shown below:
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Create a Kubernetes Namespace for the Calico components
const ns = new k8s.core.v1.Namespace("calico-namespace", {
    metadata: { name: "calico-system" },
});

// Create the ServiceAccount that the Calico pods run as; the binding below
// grants it the ClusterRole
const calicoServiceAccount = new k8s.core.v1.ServiceAccount("calico-service-account", {
    metadata: {
        name: "calico-node",
        namespace: ns.metadata.name,
    },
});

// Create a ClusterRole for Calico (cluster-scoped: the rules apply in every namespace)
const calicoClusterRole = new k8s.rbac.v1.ClusterRole("calico-cluster-role", {
    metadata: { name: "calico-cluster-role" },
    rules: [
        {
            // Core API group: read-only access to the objects Calico watches
            apiGroups: [""],
            resources: ["pods", "services", "endpoints", "nodes", "namespaces"],
            verbs: ["get", "list", "watch"],
        },
        {
            // Read-only access to Kubernetes NetworkPolicy objects
            apiGroups: ["networking.k8s.io"],
            resources: ["networkpolicies"],
            verbs: ["get", "list", "watch"],
        },
        {
            // Full access to every resource in the Tigera operator API group;
            // "*" for both resources and verbs is the broadest grant in this role
            apiGroups: ["operator.tigera.io"],
            resources: ["*"],
            verbs: ["*"],
        },
    ],
});

// Bind the ClusterRole to the ServiceAccount
const calicoClusterRoleBinding = new k8s.rbac.v1.ClusterRoleBinding("calico-cluster-role-binding", {
    metadata: { name: "calico-cluster-role-binding" },
    subjects: [
        {
            kind: "ServiceAccount",
            name: calicoServiceAccount.metadata.name,
            namespace: ns.metadata.name,
        },
    ],
    roleRef: {
        kind: "ClusterRole",
        name: calicoClusterRole.metadata.name,
        apiGroup: "rbac.authorization.k8s.io",
    },
});

// Export the namespace name
export const namespaceName = ns.metadata.name;
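
To see what the objects in Step 4 actually grant, the following is an added example (it is not part of this guide, of Pulumi, or of the Calico project) that models the API server's RBAC evaluation in plain TypeScript, with no Pulumi dependency: a ServiceAccount is authorized only if it is a subject of the ClusterRoleBinding and one rule of the referenced ClusterRole matches the request's API group, resource and verb, where each field matches literally or through the "*" wildcard. The rules and subjects are copied from the code above as plain data; the sample requests are constructed, and the model omits subresources, resourceNames and nonResourceURLs, which real PolicyRules also support.

```typescript
// Added example, not part of the Pulumi guide or the Calico project: a small
// model of how the API server evaluates the RBAC objects defined in Step 4.
// It omits subresources, resourceNames and nonResourceURLs.

interface PolicyRule {
  apiGroups: string[];
  resources: string[];
  verbs: string[];
}

interface Subject {
  kind: "ServiceAccount" | "User" | "Group";
  name: string;
  namespace?: string; // only meaningful for ServiceAccount
}

interface AccessRequest {
  apiGroup: string; // "" is the core group
  resource: string;
  verb: string;
}

// The rules of calicoClusterRole from Step 4, copied as plain data.
const calicoRules: PolicyRule[] = [
  {
    apiGroups: [""],
    resources: ["pods", "services", "endpoints", "nodes", "namespaces"],
    verbs: ["get", "list", "watch"],
  },
  { apiGroups: ["networking.k8s.io"], resources: ["networkpolicies"], verbs: ["get", "list", "watch"] },
  { apiGroups: ["operator.tigera.io"], resources: ["*"], verbs: ["*"] },
];

// The subjects of calicoClusterRoleBinding from Step 4.
const calicoSubjects: Subject[] = [
  { kind: "ServiceAccount", name: "calico-node", namespace: "calico-system" },
];

// A rule field matches either literally or through the "*" wildcard.
function fieldMatches(allowed: string[], wanted: string): boolean {
  return allowed.includes("*") || allowed.includes(wanted);
}

// A request is allowed by a role if any single rule matches all three fields.
function ruleAllows(rules: PolicyRule[], req: AccessRequest): boolean {
  return rules.some(
    (r) =>
      fieldMatches(r.apiGroups, req.apiGroup) &&
      fieldMatches(r.resources, req.resource) &&
      fieldMatches(r.verbs, req.verb),
  );
}

// A ServiceAccount is bound if some subject names it in its namespace.
function serviceAccountBound(subjects: Subject[], namespace: string, name: string): boolean {
  return subjects.some(
    (s) => s.kind === "ServiceAccount" && s.namespace === namespace && s.name === name,
  );
}

// Full chain: binding -> role -> rules. True only when the account is a subject
// of the binding AND a rule of the referenced role permits the request.
function serviceAccountAllowed(namespace: string, name: string, req: AccessRequest): boolean {
  return serviceAccountBound(calicoSubjects, namespace, name) && ruleAllows(calicoRules, req);
}

// Least-privilege audit: rules that grant "*" anywhere are the first to review.
function wildcardRules(rules: PolicyRule[]): PolicyRule[] {
  return rules.filter(
    (r) => r.apiGroups.includes("*") || r.resources.includes("*") || r.verbs.includes("*"),
  );
}

// Stand-alone run over a few constructed requests against the page's objects.
const samples: AccessRequest[] = [
  { apiGroup: "", resource: "pods", verb: "list" },
  { apiGroup: "", resource: "pods", verb: "delete" },
  { apiGroup: "", resource: "secrets", verb: "get" },
  { apiGroup: "operator.tigera.io", resource: "installations", verb: "delete" },
];
for (const req of samples) {
  const ok = serviceAccountAllowed("calico-system", "calico-node", req);
  const group = req.apiGroup ? `.${req.apiGroup}` : "";
  console.log(`${req.verb} ${req.resource}${group}: ${ok ? "allowed" : "denied"}`);
}
console.log(`rules using a wildcard: ${wildcardRules(calicoRules).length}`);
```

Running it shows that calico-node can list pods but cannot delete them or read Secrets, while the third rule lets it do anything to any resource in operator.tigera.io; that single wildcard rule is the one to narrow if the cluster's threat model calls for it.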

Step 5: Deploy the Resources

  1. Run pulumi up to preview and deploy the changes.
  2. Confirm the deployment to create the resources in your Kubernetes cluster.

Conclusion

In this guide, we have successfully set up Kubernetes RBAC using the rbac.authorization.k8s.io API group and integrated it with the operator.tigera.io API for Calico. This setup ensures that you have fine-grained access control and network policies managed by Calico in your Kubernetes cluster.
