diff --git a/README.md b/README.md index 885dc728c..9bd663c60 100644 --- a/README.md +++ b/README.md @@ -133,6 +133,29 @@ We can use the generated secret of the `postgres` robot user to connect to our ` $ export PGPASSWORD=$(kubectl --context minikube get secret postgres.acid-minimal-cluster.credentials -o 'jsonpath={.data.password}' | base64 -d) $ psql -U postgres +### Role-based access control for the operator + +The `manifests/operator-rbac.yaml` defines cluster roles and bindings needed for the operator to function under access control restrictions. To deploy the operator with this RBAC policy use: + +```bash +kubectl create -f manifests/configmap.yaml +kubectl create -f manifests/operator-rbac.yaml +kubectl create -f manifests/postgres-operator.yaml +kubectl create -f manifests/minimal-postgres-manifest.yaml +``` + +Note that the service account in `operator-rbac.yaml` is named `zalando-postgres-operator` and not +the `operator` default that is created in the `serviceaccount.yaml`. So you will have to change the `service_account_name` in the operator configmap and `serviceAccountName` in the postgres-operator deployment appropriately. + +This is done intentionally, as to avoid breaking those setups that +already work with the default `operator` account. In the future the operator should ideally be run under the +`zalando-postgres-operator` service account. + +The service account defined in `operator-rbac.yaml` acquires some privileges not really +used by the operator (i.e. we only need list and watch on configmaps), +this is also done intentionally to avoid breaking things if someone +decides to configure the same service account in the operator's +configmap to run postgres clusters. ### Configuration Options diff --git a/manifests/operator-rbac.yaml b/manifests/operator-rbac.yaml new file mode 100644 index 000000000..f659da615 --- /dev/null +++ b/manifests/operator-rbac.yaml 
@@ -0,0 +1,130 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: zalando-postgres-operator + namespace: default + +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: zalando-postgres-operator +rules: +- apiGroups: + - acid.zalan.do + resources: + - postgresqls + verbs: + - "*" +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - get +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get +- apiGroups: + - "" + resources: + - endpoints + verbs: + - create + - delete + - get +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - update + - delete + - get +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - delete + - get + - list +- apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - get + - list + - update # only for resizing AWS volumes +- apiGroups: + - "" + resources: + - pods + verbs: + - delete + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - delete + - get + - patch +- apiGroups: + - apps + resources: + - statefulsets + verbs: + - create + - delete + - get + - list + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - delete + - get + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: zalando-postgres-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: zalando-postgres-operator +subjects: +- kind: ServiceAccount +# note: the cluster role binding needs to be defined +# for every namespace the operator service account lives in. + name: zalando-postgres-operator + namespace: default
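Review bot: in the README hunk, the privilege description does not match the manifest it introduces: the paragraph says "we only need list and watch on configmaps", but `manifests/operator-rbac.yaml` grants only `get` on configmaps, and the surplus rules the paragraph alludes to are never named. Suggest listing which rules exist only for the postgres pods, and fixing the grammar while at it ("This is done intentionally, so as to avoid ..." and "e.g." rather than "i.e."). The deploy sequence also creates `manifests/configmap.yaml` and `manifests/postgres-operator.yaml` as shipped, so the operator still runs as the default `operator` account; move the note about editing `service_account_name` and `serviceAccountName` above the `kubectl create` block, or state in the block that the files must be edited first.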
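Review bot: in the `operator-rbac.yaml` hunk the ClusterRole is declared with `apiVersion: rbac.authorization.k8s.io/v1beta1` while the ClusterRoleBinding in the same file uses `rbac.authorization.k8s.io/v1`; use `v1` for both. The comment about namespaces is placed inside the subject entry, between `- kind: ServiceAccount` and `name: zalando-postgres-operator`, which is easy to misread; move it above `subjects:` and reword it, since one ClusterRoleBinding can list a ServiceAccount subject per namespace rather than requiring a separate binding. Finally, because the README states that some rules are intentionally wider than the operator needs so the same account can run postgres clusters, add inline comments marking those rules (the file already does this for `update # only for resizing AWS volumes`); someone auditing cluster-wide `create`/`update`/`delete` on `secrets` and `endpoints` otherwise cannot tell from the manifest which consumer needs them.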