This topic describes how to use role-based access control (RBAC) with Tanzu Build Service.

RBAC support in Tanzu Build Service

Tanzu Build Service is installed with two Kubernetes ClusterRoles that can be used as RBAC roles:

  • build-service-user-role
  • build-service-admin-role

Build Service user role

Use this role for users who create images and builds. To view the configuration for this role, run:

```bash
kubectl get clusterrole build-service-user-role -o yaml
```

To use this role, create a RoleBinding that references it for an existing user. Because the binding is a namespaced RoleBinding, the user receives the role's permissions only in the namespace of the binding.

For example:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-build-service-user-role-binding
  namespace: my-build-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: build-service-user-role
subjects:
- kind: User
  name: my-user
```

Build Service admin role

Use this role for admin users who operate Tanzu Build Service. To view the configuration for this role, run:

```bash
kubectl get clusterrole build-service-admin-role -o yaml
```

To use this role, create a RoleBinding or a ClusterRoleBinding that references it for an existing user. A ClusterRoleBinding grants the admin role in every namespace; a RoleBinding limits it to one namespace.

For example:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-build-service-admin-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: build-service-admin-role
subjects:
- kind: User
  name: my-cluster-wide-admin-user
```
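The following script is an added example and is not part of the Tanzu Build Service documentation. It renders the two bindings shown above for a given user and then uses `kubectl auth can-i` with impersonation to confirm that a user bound with the namespaced RoleBinding can create builds in that namespace and nowhere else. The resource names it checks, `images.kpack.io` and `builds.kpack.io`, are an assumption about which kpack kinds the user role grants; confirm them against the output of `kubectl get clusterrole build-service-user-role -o yaml` before relying on the check.

```shell
#!/bin/sh
# Added example, not from the Tanzu Build Service documentation.
# Assumptions: kubectl points at the cluster where Tanzu Build Service is
# installed, the caller may impersonate users, and images.kpack.io /
# builds.kpack.io are the resources the user role grants (verify this).

# Namespaced binding: the user gets build-service-user-role in one namespace only.
render_user_binding() {
  # $1 = user name, $2 = namespace
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${1}-build-service-user
  namespace: ${2}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: build-service-user-role
subjects:
- kind: User
  name: ${1}
EOF
}

# Cluster-wide binding: the admin role applies in every namespace.
render_admin_binding() {
  # $1 = user name
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${1}-build-service-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: build-service-admin-role
subjects:
- kind: User
  name: ${1}
EOF
}

# Exit status 0 when the impersonated user may perform the verb on the
# resource in the namespace (kubectl auth can-i exits 0 for yes, 1 for no).
can_user() {
  # $1 = user, $2 = namespace, $3 = verb, $4 = resource
  kubectl auth can-i "$3" "$4" --as="$1" -n "$2" >/dev/null 2>&1
}

# Confirms the namespaced binding grants builds in its own namespace and
# nothing in another namespace, which catches a binding that was applied
# cluster-wide by mistake or a user who also carries a broader binding.
verify_user_scope() {
  # $1 = user, $2 = namespace the RoleBinding lives in, $3 = control namespace
  other_ns=${3:-default}
  rc=0
  for res in images.kpack.io builds.kpack.io; do
    can_user "$1" "$2" create "$res" \
      || { echo "FAIL: $1 cannot create $res in $2"; rc=1; }
    can_user "$1" "$other_ns" create "$res" \
      && { echo "FAIL: $1 can create $res in $other_ns (binding wider than intended?)"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "ok: $1 is limited to $2"
  return $rc
}

if [ "${1:-}" = "verify" ]; then
  # usage: sh rbac-check.sh verify <user> <namespace>
  verify_user_scope "$2" "$3"
fi
```

Apply a rendered binding with `render_user_binding alice my-build-namespace | kubectl apply -f -`, then run `sh rbac-check.sh verify alice my-build-namespace`. Impersonation (`--as`) requires that the caller holds the `impersonate` verb on users, so run the check from an administrative context.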

Resources and RBAC used to support Red Hat OpenShift

Services running on OpenShift must use a Security Context Constraint (SCC).

If no SCC exists that the service can use, create a custom SCC to outline the allowed configurations of the service.

When you install Tanzu Build Service on OpenShift, the following SCC is installed:

```yaml
---
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: tbs-restricted-scc-with-seccomp
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
  - NET_BIND_SERVICE
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - ALL
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
seccompProfiles:
  - runtime/default
supplementalGroups:
  type: RunAsAny
users: []
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
```

The following RBAC is also applied to allow Tanzu Build Service to use the SCC:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    apps.tanzu.vmware.com/aggregate-to-workload: "true"
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: system:tbs:scc:restricted-with-seccomp
rules:
  - apiGroups:
      - security.openshift.io
    resourceNames:
      - tbs-restricted-scc-with-seccomp
    resources:
      - securitycontextconstraints
    verbs:
      - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:tbs:scc:restricted-with-seccomp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:tbs:scc:restricted-with-seccomp
subjects:
  - kind: ServiceAccount
    namespace: build-service
    name: dependency-updater-serviceaccount
  - kind: ServiceAccount
    namespace: build-service
    name: dependency-updater-controller-serviceaccount
  - kind: ServiceAccount
    namespace: build-service
    name: secret-syncer-service-account
  - kind: ServiceAccount
    namespace: build-service
    name: warmer-service-account
  - kind: ServiceAccount
    namespace: build-service
    name: build-service-daemonset-serviceaccount
  - kind: ServiceAccount
    namespace: cert-injection-webhook
    name: cert-injection-webhook-sa
  - kind: ServiceAccount
    namespace: kpack
    name: kp-default-repository-serviceaccount
  - kind: ServiceAccount
    namespace: kpack
    name: kpack-pull-lifecycle-serviceaccount
  - kind: ServiceAccount
    namespace: kpack
    name: controller
  - kind: ServiceAccount
    namespace: kpack
    name: webhook
  - kind: ServiceAccount
    namespace: stacks-operator-system
    name: controller-manager
```
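The following script is an added example and is not part of the Tanzu Build Service documentation. It extracts the ServiceAccount subjects from a ClusterRoleBinding manifest such as the one above and, by impersonating each one, confirms that it may `use` the `tbs-restricted-scc-with-seccomp` SCC while an unrelated account may not. The embedded three-subject manifest is a constructed excerpt of the binding above so that the parser can be exercised without a cluster; the live check assumes an OpenShift cluster reachable through `kubectl` and a caller allowed to impersonate service accounts.

```shell
#!/bin/sh
# Added example, not from the Tanzu Build Service documentation.
# Assumptions: an OpenShift cluster reachable via kubectl and a caller that
# may impersonate service accounts. sample_binding is a constructed excerpt.

SCC_NAME=tbs-restricted-scc-with-seccomp

# Constructed three-subject excerpt of the ClusterRoleBinding shown above.
sample_binding() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:tbs:scc:restricted-with-seccomp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:tbs:scc:restricted-with-seccomp
subjects:
  - kind: ServiceAccount
    namespace: kpack
    name: controller
  - kind: ServiceAccount
    namespace: kpack
    name: webhook
  - kind: ServiceAccount
    namespace: build-service
    name: warmer-service-account
EOF
}

# Reads a ClusterRoleBinding manifest on stdin and prints one
# "<namespace> <name>" line per ServiceAccount subject. Handles either key
# order (kubectl -o yaml sorts keys, so name precedes namespace there).
subjects_from_binding() {
  awk '
    /^subjects:/               { in_list = 1; next }
    in_list && /^[A-Za-z]/     { in_list = 0 }   # next top-level key ends the list
    in_list && /- kind:/       { kind = $3; ns = ""; name = "" }
    in_list && /^ *namespace:/ { ns = $2 }
    in_list && /^ *name:/      { name = $2 }
    in_list && kind == "ServiceAccount" && ns != "" && name != "" {
      print ns, name; ns = ""; name = ""
    }
  '
}

# Impersonation subject string for a service account.
sa_subject() {
  # $1 = namespace, $2 = service account name
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Exit status 0 when the subject may use the named SCC.
can_use_scc() {
  # $1 = subject to impersonate, $2 = SCC name
  kubectl auth can-i use "securitycontextconstraints.security.openshift.io/$2" \
    --as="$1" >/dev/null 2>&1
}

# Checks every ServiceAccount subject read from stdin against the SCC, then
# checks that an unrelated account is denied; a grant there points at some
# other binding exposing the SCC more widely than intended.
check_scc_use() {
  rc=0
  while read -r ns name; do
    if can_use_scc "$(sa_subject "$ns" "$name")" "$SCC_NAME"; then
      echo "ok   $ns/$name may use $SCC_NAME"
    else
      echo "FAIL $ns/$name may not use $SCC_NAME"; rc=1
    fi
  done
  if can_use_scc "$(sa_subject default default)" "$SCC_NAME"; then
    echo "WARN default/default may use $SCC_NAME: look for a broader binding"; rc=1
  fi
  return $rc
}

if [ "${1:-}" = "check" ]; then
  # usage: sh scc-check.sh check   (reads the live binding from the cluster)
  kubectl get clusterrolebinding system:tbs:scc:restricted-with-seccomp -o yaml \
    | subjects_from_binding | check_scc_use
fi
```

Run `sh scc-check.sh check` against the cluster; the `use` verb on a named `securitycontextconstraints` resource is exactly what the ClusterRole above grants, so every listed account should report `ok` and the control account should be silent.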