This topic describes how to use role-based access control (RBAC) with Tanzu Build Service (commonly known as TBS).
Tanzu Build Service is installed with two Kubernetes ClusterRoles that can be used as RBAC roles:
- build-service-user-role
- build-service-admin-role

Use the build-service-user-role ClusterRole for users who create images and builds. To view the configuration for this role, run:
```bash
kubectl get clusterrole build-service-user-role -o yaml
```
To use this role, create a RoleBinding that references the ClusterRole and names an existing user as its subject. Because the binding is a namespaced RoleBinding, the user receives the role's permissions only in that namespace.
For example:
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-build-service-user-role-binding
  namespace: my-build-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: build-service-user-role
subjects:
- kind: User
  name: my-user
```
Use the build-service-admin-role ClusterRole for admin users who operate Tanzu Build Service. To view the configuration for this role, run:
```bash
kubectl get clusterrole build-service-admin-role -o yaml
```
To use this role, create a RoleBinding (permissions limited to one namespace) or a ClusterRoleBinding (permissions across the whole cluster) with an existing user.
For example:
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-build-service-admin-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: build-service-admin-role
subjects:
- kind: User
  name: my-cluster-wide-admin-user
```
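The practical difference between the two bindings above is scope: the RoleBinding grants build-service-user-role to my-user only inside my-build-namespace, while the ClusterRoleBinding grants build-service-admin-role to my-cluster-wide-admin-user everywhere. The following added example (not Tanzu Build Service code) models that evaluation the way `kubectl auth can-i` would answer it. The two bindings are the ones from this page as dicts; the rules inside the two ClusterRoles are constructed stand-ins, since the real rules are whatever `kubectl get clusterrole <name> -o yaml` returns on your cluster.

```python
"""Mini evaluator for Kubernetes RBAC bindings (added example, not TBS code).

Models the one rule that matters for the two bindings on this page: a
RoleBinding that references a ClusterRole only grants it inside the
binding's namespace, while a ClusterRoleBinding grants it cluster-wide.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    api_groups: Set[str]
    resources: Set[str]
    verbs: Set[str]


@dataclass
class ClusterRole:
    name: str
    rules: List[Rule]


@dataclass
class Binding:
    role: str                 # roleRef.name (a ClusterRole)
    subjects: Set[str]        # "User:<name>" or "ServiceAccount:<ns>:<name>"
    namespace: Optional[str]  # None for a ClusterRoleBinding


def role_from_manifest(m: dict) -> ClusterRole:
    """Build a ClusterRole from a manifest-shaped dict (same keys as the YAML)."""
    rules = [Rule(set(r["apiGroups"]), set(r["resources"]), set(r["verbs"]))
             for r in m.get("rules", [])]
    return ClusterRole(m["metadata"]["name"], rules)


def binding_from_manifest(m: dict) -> Binding:
    """Build a Binding from a RoleBinding/ClusterRoleBinding-shaped dict."""
    subjects = set()
    for s in m.get("subjects", []):
        if s["kind"] == "ServiceAccount":
            subjects.add(f"ServiceAccount:{s['namespace']}:{s['name']}")
        else:
            subjects.add(f"{s['kind']}:{s['name']}")
    ns = m["metadata"].get("namespace") if m["kind"] == "RoleBinding" else None
    return Binding(m["roleRef"]["name"], subjects, ns)


def _rule_allows(rule: Rule, api_group: str, resource: str, verb: str) -> bool:
    return (("*" in rule.api_groups or api_group in rule.api_groups)
            and ("*" in rule.resources or resource in rule.resources)
            and ("*" in rule.verbs or verb in rule.verbs))


def can_i(roles: Dict[str, ClusterRole], bindings: List[Binding], subject: str,
          verb: str, api_group: str, resource: str, namespace: str) -> bool:
    """Answer `kubectl auth can-i --as <subject> <verb> <resource> -n <ns>`
    for the subset of RBAC modelled here (no aggregation, no Role kind)."""
    for b in bindings:
        if subject not in b.subjects:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue  # RoleBinding: only effective inside its own namespace
        role = roles.get(b.role)
        if role is None:
            continue  # dangling roleRef grants nothing
        if any(_rule_allows(r, api_group, resource, verb) for r in role.rules):
            return True
    return False


# Constructed stand-in rules; NOT the product's real ClusterRole contents.
USER_ROLE = role_from_manifest({
    "kind": "ClusterRole", "metadata": {"name": "build-service-user-role"},
    "rules": [{"apiGroups": ["kpack.io"], "resources": ["images", "builds"],
               "verbs": ["get", "list", "create", "update", "delete"]}],
})
ADMIN_ROLE = role_from_manifest({
    "kind": "ClusterRole", "metadata": {"name": "build-service-admin-role"},
    "rules": [{"apiGroups": ["kpack.io"], "resources": ["*"], "verbs": ["*"]}],
})
ROLES = {r.name: r for r in (USER_ROLE, ADMIN_ROLE)}

# The two bindings from this page, expressed as dicts.
BINDINGS = [
    binding_from_manifest({
        "kind": "RoleBinding",
        "metadata": {"name": "my-build-service-user-role-binding",
                     "namespace": "my-build-namespace"},
        "roleRef": {"kind": "ClusterRole", "name": "build-service-user-role"},
        "subjects": [{"kind": "User", "name": "my-user"}],
    }),
    binding_from_manifest({
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "my-build-service-admin-role-binding"},
        "roleRef": {"kind": "ClusterRole", "name": "build-service-admin-role"},
        "subjects": [{"kind": "User", "name": "my-cluster-wide-admin-user"}],
    }),
]


def user_can(subject: str, verb: str, resource: str, namespace: str) -> bool:
    """Convenience wrapper over the constructed roles and the page's bindings."""
    return can_i(ROLES, BINDINGS, subject, verb, "kpack.io", resource, namespace)
```

With this model, `user_can("User:my-user", "create", "images", "my-build-namespace")` is true but the same call for any other namespace is false, whereas the admin user is allowed in every namespace. On a real cluster, confirm the same with `kubectl auth can-i create images.kpack.io --as my-user -n my-build-namespace`.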
To run services on OpenShift, they must use a Security Context Constraint (SCC).
If no existing SCC fits the service, create a custom SCC that defines the configurations the service is allowed to use.
When you install Tanzu Build Service on OpenShift, the following SCC is installed:
```yaml
---
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: tbs-restricted-scc-with-seccomp
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
seccompProfiles:
- runtime/default
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
```
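To see what this SCC actually constrains, the following added example (not OpenShift or Tanzu Build Service code) runs a static check of a pod spec against the constraints quoted above: host namespaces, host ports, privileged containers, explicit privilege escalation, added capabilities, the root user, the seccomp profile and the volume types. It is deliberately narrower than real SCC admission, which also mutates pods with defaults (for example adding the required capability drops) and chooses between several SCCs by priority; fields the pod leaves unset are therefore treated as "will be defaulted" rather than as violations. The SCC dict mirrors the manifest on this page; the two pod specs are constructed.

```python
"""Static check of a pod spec against tbs-restricted-scc-with-seccomp.

Added example, not OpenShift admission code. It reports settings that this
SCC would reject outright; fields the pod leaves unset are assumed to be
filled in by admission defaults and are not reported.
"""
from typing import Dict, List

# Mirrors the SCC manifest on this page (only the fields the checker uses).
SCC = {
    "allowHostDirVolumePlugin": False, "allowHostIPC": False,
    "allowHostNetwork": False, "allowHostPID": False, "allowHostPorts": False,
    "allowPrivilegeEscalation": False, "allowPrivilegedContainer": False,
    "allowedCapabilities": ["NET_BIND_SERVICE"],
    "requiredDropCapabilities": ["ALL"],
    "runAsUser": {"type": "MustRunAsNonRoot"},
    "seccompProfiles": ["runtime/default"],
    "volumes": ["configMap", "downwardAPI", "emptyDir",
                "persistentVolumeClaim", "projected", "secret"],
}

# Pod-spec seccomp types mapped to the names an SCC uses in seccompProfiles.
_SECCOMP_NAMES = {"RuntimeDefault": "runtime/default", "Unconfined": "unconfined"}


def check_pod(spec: Dict, scc: Dict = SCC) -> List[str]:
    """Return the list of violations; an empty list means the spec fits the SCC."""
    violations: List[str] = []
    pod_sc = spec.get("securityContext", {})

    for flag, key in (("hostNetwork", "allowHostNetwork"),
                      ("hostPID", "allowHostPID"), ("hostIPC", "allowHostIPC")):
        if spec.get(flag) and not scc[key]:
            violations.append(f"{flag} not allowed")

    # Volume types are whitelisted; allowHostDirVolumePlugin is the hostPath switch.
    allowed_volumes = set(scc["volumes"])
    if scc["allowHostDirVolumePlugin"]:
        allowed_volumes.add("hostPath")
    for vol in spec.get("volumes", []):
        kind = next(k for k in vol if k != "name")
        if kind not in allowed_volumes:
            violations.append(f"volume {vol['name']}: type {kind} not allowed")

    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not scc["allowPrivilegedContainer"]:
            violations.append(f"{name}: privileged container not allowed")
        if sc.get("allowPrivilegeEscalation") is True and not scc["allowPrivilegeEscalation"]:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap not in scc["allowedCapabilities"]:
                violations.append(f"{name}: capability {cap} not in allowedCapabilities")
        if any(p.get("hostPort") for p in c.get("ports", [])) and not scc["allowHostPorts"]:
            violations.append(f"{name}: hostPort not allowed")
        if scc["runAsUser"]["type"] == "MustRunAsNonRoot":
            run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            if run_as_user == 0 or non_root is False:
                violations.append(f"{name}: must run as non-root")
        prof = sc.get("seccompProfile") or pod_sc.get("seccompProfile")
        if prof:  # unset profiles are defaulted by admission, so only explicit ones are checked
            scc_name = _SECCOMP_NAMES.get(
                prof.get("type"), f"localhost/{prof.get('localhostProfile', '')}")
            if scc_name not in scc["seccompProfiles"] and "*" not in scc["seccompProfiles"]:
                violations.append(f"{name}: seccomp profile {scc_name} not allowed")
    return violations


# Constructed sample specs (not from the product).
GOOD_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "work", "emptyDir": {}},
                {"name": "creds", "secret": {"secretName": "registry-creds"}}],
    "containers": [{"name": "app", "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}],
}
BAD_POD = {
    "hostNetwork": True,
    "volumes": [{"name": "host", "hostPath": {"path": "/data"}}],
    "containers": [{"name": "app",
                    "securityContext": {"privileged": True, "runAsUser": 0,
                                        "capabilities": {"add": ["SYS_ADMIN"]}},
                    "ports": [{"containerPort": 8080, "hostPort": 8080}]}],
}

if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        print(label, check_pod(pod) or "fits the SCC")
```

Running the block prints no violations for the first spec and six for the second (host network, hostPath volume, privileged container, SYS_ADMIN, hostPort, and runAsUser 0). A checker like this is useful in CI to catch a manifest that will be rejected at admission before it is applied; the cluster's own SCC admission remains the enforcement point.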
The following RBAC is also applied so that the Tanzu Build Service service accounts are permitted to use the SCC (the `use` verb on the named securitycontextconstraints resource is what grants a service account access to an SCC):
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    apps.tanzu.vmware.com/aggregate-to-workload: "true"
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: system:tbs:scc:restricted-with-seccomp
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - tbs-restricted-scc-with-seccomp
  resources:
  - securitycontextconstraints
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:tbs:scc:restricted-with-seccomp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:tbs:scc:restricted-with-seccomp
subjects:
- kind: ServiceAccount
  namespace: build-service
  name: dependency-updater-serviceaccount
- kind: ServiceAccount
  namespace: build-service
  name: dependency-updater-controller-serviceaccount
- kind: ServiceAccount
  namespace: build-service
  name: secret-syncer-service-account
- kind: ServiceAccount
  namespace: build-service
  name: warmer-service-account
- kind: ServiceAccount
  namespace: build-service
  name: build-service-daemonset-serviceaccount
- kind: ServiceAccount
  namespace: cert-injection-webhook
  name: cert-injection-webhook-sa
- kind: ServiceAccount
  namespace: kpack
  name: kp-default-repository-serviceaccount
- kind: ServiceAccount
  namespace: kpack
  name: kpack-pull-lifecycle-serviceaccount
- kind: ServiceAccount
  namespace: kpack
  name: controller
- kind: ServiceAccount
  namespace: kpack
  name: webhook
- kind: ServiceAccount
  namespace: stacks-operator-system
  name: controller-manager
```