Tanzu Build Service exposes functionality, such as creating images and builds, that most customers will want to restrict to specific users. If Tanzu Build Service is deployed broadly to many users, use Kubernetes role-based access control (RBAC) to limit who can do what, and in which namespaces.

RBAC support in Tanzu Build Service

Tanzu Build Service is installed with two Kubernetes ClusterRoles that can be used for RBAC for Build Service users and admins:

  • build-service-user-role
  • build-service-admin-role

Build Service user role

Use this role for users who create images and builds.

To view the configuration for this role, run:

kubectl get clusterrole build-service-user-role -o yaml

To grant this ClusterRole, create a RoleBinding for an existing user in each namespace where that user should be able to work. A RoleBinding that references a ClusterRole grants the role's rules only within the RoleBinding's namespace; binding the user role with a ClusterRoleBinding would grant it in every namespace, which is rarely what you want for build users. You can confirm the result with `kubectl auth can-i`, for example `kubectl auth can-i create images.kpack.io --as my-user -n my-build-namespace` (images.kpack.io is the kpack resource that Build Service images are stored as), and repeat the command in another namespace to confirm the answer there is `no`.

For example:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-build-service-user-role-binding
  # The binding is namespaced: the user gets the role only in this namespace.
  namespace: my-build-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: build-service-user-role
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: my-user
```

Build Service admin role

Use this role for admin users who operate Tanzu Build Service.

To view the configuration for this role, run:

kubectl get clusterrole build-service-admin-role -o yaml

To grant this ClusterRole, create a ClusterRoleBinding or a RoleBinding for an existing user. A ClusterRoleBinding grants the admin role in every namespace and on cluster-scoped resources; a RoleBinding restricts it to the binding's namespace. Prefer the narrower binding where it is sufficient, and keep the set of cluster-wide admins small, since these users operate the build system that produces images for everyone else on the cluster.

For example:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-build-service-admin-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: build-service-admin-role
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: my-cluster-wide-admin-user
```
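Once several of these bindings exist it is easy to lose track of who holds which Build Service role and at what scope. The following Python script is an added example, not part of Tanzu Build Service: it reads the JSON that `kubectl get rolebindings,clusterrolebindings -A -o json` produces, lists every subject bound to one of the two TBS ClusterRoles together with its scope, and flags the user role bound cluster-wide. The sample bindings embedded in it are constructed for the demonstration.

```python
"""Audit which subjects hold the Tanzu Build Service ClusterRoles, and at what scope.

Added example for this page, not Tanzu Build Service code. Input is the JSON
that `kubectl get rolebindings,clusterrolebindings -A -o json` returns.
"""
import json

TBS_ROLES = {"build-service-user-role", "build-service-admin-role"}

# Constructed sample: one correct user binding, one cluster-wide admin binding,
# one mistaken cluster-wide user binding, and one unrelated binding.
SAMPLE_BINDINGS = json.dumps({
    "kind": "List",
    "items": [
        {
            "kind": "RoleBinding",
            "metadata": {"name": "my-build-service-user-role-binding",
                         "namespace": "my-build-namespace"},
            "roleRef": {"kind": "ClusterRole", "name": "build-service-user-role"},
            "subjects": [{"kind": "User", "name": "my-user"}],
        },
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "my-build-service-admin-role-binding"},
            "roleRef": {"kind": "ClusterRole", "name": "build-service-admin-role"},
            "subjects": [{"kind": "User", "name": "my-cluster-wide-admin-user"}],
        },
        {
            # Mistake: the user role bound cluster-wide instead of per namespace.
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "oops-user-role-everywhere"},
            "roleRef": {"kind": "ClusterRole", "name": "build-service-user-role"},
            "subjects": [{"kind": "Group", "name": "developers"}],
        },
        {
            "kind": "RoleBinding",
            "metadata": {"name": "unrelated", "namespace": "default"},
            "roleRef": {"kind": "ClusterRole", "name": "view"},
            "subjects": [{"kind": "User", "name": "someone"}],
        },
    ],
})


def subject_id(subject):
    """Render a binding subject the way `kubectl --as` names it."""
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject.get('namespace', '')}:{subject['name']}"
    return f"{subject['kind'].lower()}:{subject['name']}"


def tbs_grants(bindings_json):
    """Return (subject, role, scope) for every binding of a TBS ClusterRole.

    scope is the namespace for a RoleBinding, or "*" for a ClusterRoleBinding.
    """
    grants = []
    for item in json.loads(bindings_json)["items"]:
        ref = item["roleRef"]
        if ref.get("kind") != "ClusterRole" or ref["name"] not in TBS_ROLES:
            continue
        if item["kind"] == "RoleBinding":
            scope = item["metadata"]["namespace"]
        else:
            scope = "*"
        for subject in item.get("subjects", []):
            grants.append((subject_id(subject), ref["name"], scope))
    return grants


def findings(bindings_json):
    """Flag grants a reviewer should look at.

    WARN: the user role bound cluster-wide defeats per-namespace scoping.
    INFO: a cluster-wide admin grant is listed so it can be confirmed as intended.
    """
    out = []
    for subject, role, scope in tbs_grants(bindings_json):
        if scope == "*" and role == "build-service-user-role":
            out.append(f"WARN {subject} has {role} in every namespace; use a RoleBinding")
        elif scope == "*":
            out.append(f"INFO {subject} has {role} cluster-wide; confirm this is intended")
    return out


if __name__ == "__main__":
    for subject, role, scope in tbs_grants(SAMPLE_BINDINGS):
        print(f"{subject:45} {role:26} {scope}")
    for line in findings(SAMPLE_BINDINGS):
        print(line)
```

To run it against a live cluster, replace `SAMPLE_BINDINGS` with the output of the `kubectl get` command above; the script only inspects bindings whose roleRef is one of the two TBS ClusterRoles, so other roles on the cluster are ignored.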

Resources and RBAC used to support OpenShift

To run services on OpenShift, their pods must satisfy a Security Context Constraint (SCC) that the pod's service account is permitted to use.

If no existing SCC admits the service's pods, a custom SCC must be created that describes exactly what the service is allowed to do.

When installed on OpenShift, Tanzu Build Service (TBS) creates the following SCC. Its settings describe a restricted posture: no host networking, PID or IPC namespaces, no host ports or host directory volumes, no privileged containers and no privilege escalation, all capabilities dropped with only NET_BIND_SERVICE allowed back, containers must run as non-root, and only the runtime's default seccomp profile and a short list of non-host volume types are permitted:

```yaml
---
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: tbs-restricted-scc-with-seccomp
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
  - NET_BIND_SERVICE
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - ALL
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
seccompProfiles:
  - runtime/default
supplementalGroups:
  type: RunAsAny
users: []
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
```
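To make the constraints above concrete, here is an added Python example, not OpenShift's or TBS's code, that checks a pod spec against the settings of `tbs-restricted-scc-with-seccomp` and reports every reason the spec would fall outside them. Real SCC admission is more involved: it also chooses among several SCCs by priority, matches the SCC to users, groups and service accounts, and mutates a pod (for example by adding dropped capabilities or a seccomp profile) where the SCC allows defaulting, so this only answers whether a spec as written already satisfies the constraints. The two pod specs it tests are constructed, and the SCC's `runtime/default` seccomp profile is taken to correspond to the Kubernetes `seccompProfile.type: RuntimeDefault`.

```python
"""Check a pod spec against the constraints of tbs-restricted-scc-with-seccomp.

Added example for this page; not OpenShift admission code. It reports
violations rather than mutating the pod, so a clean result means the spec
already satisfies the SCC as written on this page.
"""

# Fields copied from the SCC manifest above.
SCC = {
    "allowPrivilegedContainer": False,
    "allowPrivilegeEscalation": False,
    "allowHostNetwork": False,
    "allowHostPID": False,
    "allowHostIPC": False,
    "allowedCapabilities": {"NET_BIND_SERVICE"},
    "requiredDropCapabilities": {"ALL"},
    "runAsUser": "MustRunAsNonRoot",
    "seccompProfiles": {"runtime/default"},  # Kubernetes: seccompProfile.type RuntimeDefault
    "volumes": {"configMap", "downwardAPI", "emptyDir",
                "persistentVolumeClaim", "projected", "secret"},
}

# Constructed pod spec that satisfies the SCC.
COMPLIANT_POD = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "build",
        "image": "example/build:1",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
        },
    }],
    "volumes": [{"name": "ws", "emptyDir": {}},
                {"name": "creds", "secret": {"secretName": "regcred"}}],
}

# Constructed pod spec that breaks most of the rules at once.
PRIVILEGED_POD = {
    "hostNetwork": True,
    "containers": [{
        "name": "build",
        "image": "example/build:1",
        "securityContext": {"privileged": True, "runAsUser": 0,
                            "capabilities": {"add": ["SYS_ADMIN"]}},
    }],
    "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}],
}


def volume_types(pod_spec):
    """Each volume has exactly one key besides 'name', which names its type."""
    return {k for v in pod_spec.get("volumes", []) for k in v if k != "name"}


def scc_violations(pod_spec, scc=SCC):
    """Return the reasons the pod would not satisfy the SCC (empty list if it does)."""
    errs = []
    pod_sc = pod_spec.get("securityContext", {})
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(flag) and not scc["allow" + flag[0].upper() + flag[1:]]:
            errs.append(f"{flag}=true not allowed")
    for bad in sorted(volume_types(pod_spec) - scc["volumes"]):
        errs.append(f"volume type {bad} not allowed")
    for c in pod_spec.get("containers", []):
        # Container-level securityContext overrides the pod-level one.
        sc = {**pod_sc, **c.get("securityContext", {})}
        name = c["name"]
        if sc.get("privileged") and not scc["allowPrivilegedContainer"]:
            errs.append(f"{name}: privileged")
        # Kubernetes defaults allowPrivilegeEscalation to true when unset.
        if sc.get("allowPrivilegeEscalation", True) and not scc["allowPrivilegeEscalation"]:
            errs.append(f"{name}: allowPrivilegeEscalation must be false")
        if scc["runAsUser"] == "MustRunAsNonRoot":
            if sc.get("runAsUser") == 0 or (sc.get("runAsUser") is None
                                            and not sc.get("runAsNonRoot")):
                errs.append(f"{name}: must run as non-root")
        caps = sc.get("capabilities", {})
        if not scc["requiredDropCapabilities"] <= set(caps.get("drop", [])):
            errs.append(f"{name}: must drop {sorted(scc['requiredDropCapabilities'])}")
        for cap in sorted(set(caps.get("add", [])) - scc["allowedCapabilities"]):
            errs.append(f"{name}: capability {cap} not allowed")
        profile = (sc.get("seccompProfile") or {}).get("type")
        if profile != "RuntimeDefault":
            errs.append(f"{name}: seccompProfile.type must be RuntimeDefault")
    return errs


if __name__ == "__main__":
    print("compliant:", scc_violations(COMPLIANT_POD) or "no violations")
    print("privileged:", *scc_violations(PRIVILEGED_POD), sep="\n  ")
```

The check is useful in two directions: run it over a pod spec you intend to deploy in a TBS namespace to see what must change, or over the spec of a TBS component to confirm it does not need anything the SCC withholds.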

It also applies the following RBAC so that the TBS service accounts, and only those, can use the SCC. The ClusterRole grants the `use` verb on that single SCC by `resourceNames`, and the ClusterRoleBinding lists the service accounts that receive it. Because the SCC's own `users:` and `groups:` fields are empty, this binding is the only route to the SCC; to confirm a given service account has it, run for example `oc auth can-i use securitycontextconstraints/tbs-restricted-scc-with-seccomp --as=system:serviceaccount:kpack:controller` (the caller needs permission to impersonate that service account):

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    apps.tanzu.vmware.com/aggregate-to-workload: "true"
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: system:tbs:scc:restricted-with-seccomp
rules:
  - apiGroups:
      - security.openshift.io
    resourceNames:
      - tbs-restricted-scc-with-seccomp
    resources:
      - securitycontextconstraints
    verbs:
      - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:tbs:scc:restricted-with-seccomp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:tbs:scc:restricted-with-seccomp
subjects:
  - kind: ServiceAccount
    namespace: build-service
    name: dependency-updater-serviceaccount
  - kind: ServiceAccount
    namespace: build-service
    name: dependency-updater-controller-serviceaccount
  - kind: ServiceAccount
    namespace: build-service
    name: secret-syncer-service-account
  - kind: ServiceAccount
    namespace: build-service
    name: warmer-service-account
  - kind: ServiceAccount
    namespace: build-service
    name: build-service-daemonset-serviceaccount
  - kind: ServiceAccount
    namespace: cert-injection-webhook
    name: cert-injection-webhook-sa
  - kind: ServiceAccount
    namespace: kpack
    name: kp-default-repository-serviceaccount
  - kind: ServiceAccount
    namespace: kpack
    name: kpack-pull-lifecycle-serviceaccount
  - kind: ServiceAccount
    namespace: kpack
    name: controller
  - kind: ServiceAccount
    namespace: kpack
    name: webhook
  - kind: ServiceAccount
    namespace: stacks-operator-system
    name: controller-manager
```