Define the operator RBAC (#234)
Note that the account here is named zalando-postgres-operator and not the 'operator' default that is created in the serviceaccount.yaml and also used by the operator configmap to create new postgres clusters. This is done intentionally, so as to avoid breaking those setups that already work. Ideally, the operator should be run under the zalando-postgres-operator service account. However, the service account used to run Postgres clusters does not require all those privileges and is described at https://github.com/zalando/patroni/blob/master/kubernetes/patroni_k8s.yaml. The service account defined here acquires some privileges not really used by the operator (i.e. we only need list and watch on configmaps); this is also done intentionally to avoid breaking things if someone decides to configure the same service account in the operator's configmap to run postgres clusters. Documentation and further testing by @zerg-junior.
parent 26db91c53e
commit c44cd9e4e6
Changed files: README.md (23)
@ -133,6 +133,29 @@ We can use the generated secret of the `postgres` robot user to connect to our `
$ export PGPASSWORD=$(kubectl --context minikube get secret postgres.acid-minimal-cluster.credentials -o 'jsonpath={.data.password}' | base64 -d)
$ psql -U postgres

### Role-based access control for the operator

The `manifests/operator-rbac.yaml` defines cluster roles and bindings needed for the operator to function under access control restrictions. To deploy the operator with this RBAC policy use:

```bash
kubectl create -f manifests/configmap.yaml
kubectl create -f manifests/operator-rbac.yaml
kubectl create -f manifests/postgres-operator.yaml
kubectl create -f manifests/minimal-postgres-manifest.yaml
```

Note that the service account in `operator-rbac.yaml` is named `zalando-postgres-operator` and not
the `operator` default that is created in the `serviceaccount.yaml`. So you will have to change the `service_account_name` in the operator configmap and `serviceAccountName` in the postgres-operator deployment appropriately.

This is done intentionally, as to avoid breaking those setups that
already work with the default `operator` account. In the future the operator should ideally be run under the
`zalando-postgres-operator` service account.

The service account defined in `operator-rbac.yaml` acquires some privileges not really
used by the operator (i.e. we only need list and watch on configmaps),
this is also done intentionally to avoid breaking things if someone
decides to configure the same service account in the operator's
configmap to run postgres clusters.

### Configuration Options

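Review bot: the added README text states that the operator "only need[s] list and watch on configmaps", but the ClusterRole introduced in this same commit grants only `get` on configmaps, so the documentation and the manifest contradict each other; either add `list` and `watch` to the configmaps rule or reword the parenthesis to match what is actually granted. The deployment steps also apply `manifests/configmap.yaml` and `manifests/postgres-operator.yaml` unmodified, while the paragraph below the command block says `service_account_name` and `serviceAccountName` have to be changed for the new account; moving that note above the commands, or stating that both files must be edited before running `kubectl create`, avoids a deployment that silently ends up running under the default `operator` account without the new role. Minor wording: "as to avoid" should read "so as to avoid".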
@ -0,0 +1,130 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: zalando-postgres-operator
namespace: default

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: zalando-postgres-operator
rules:
- apiGroups:
- acid.zalan.do
resources:
- postgresqls
verbs:
- "*"
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- get
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- apiGroups:
- ""
resources:
- endpoints
verbs:
- create
- delete
- get
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- update
- delete
- get
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- delete
- get
- list
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- get
- list
- update # only for resizing AWS volumes
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- create
- delete
- get
- patch
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- create
- delete
- get
- list
- patch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- get

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: zalando-postgres-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: zalando-postgres-operator
subjects:
- kind: ServiceAccount
# note: the cluster role binding needs to be defined
# for every namespace the operator service account lives in.
name: zalando-postgres-operator
namespace: default
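Review bot: the ClusterRole is declared with `apiVersion: rbac.authorization.k8s.io/v1beta1` while the ClusterRoleBinding directly below it uses `rbac.authorization.k8s.io/v1`; since the binding already depends on the stable API, the role should use `v1` too so the manifest does not stop applying once the beta version is removed. The `postgresqls` rule grants `verbs: - "*"`, which is broader than the least-privilege intent described in the README (a wildcard also covers `deletecollection` and any verb added later); enumerating the verbs the operator actually issues against its own custom resource would document the need and keep the wildcard out. The `update` verb on `persistentvolumes` is annotated `# only for resizing AWS volumes`, yet it is a cluster-wide write permission on a cluster-scoped resource; the README should say that deployments not on AWS can drop it. Finally, the comment "the cluster role binding needs to be defined for every namespace the operator service account lives in" is misleading, because a ClusterRoleBinding is cluster-scoped: what is per-namespace is the `subjects` entry, so "add a ServiceAccount subject for every namespace the operator runs in" would be clearer.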