To ensure that the Tanzu Data Hub (TDH) control plane functions correctly within a Kubernetes environment, you need to configure the appropriate Role-Based Access Control (RBAC) permissions.
Below is a list of the required Kubernetes account permissions that TDH needs to support RBAC on its control planes and data planes.
Configuring TDH control plane permissions differs between TKGS and non-TKGS environments.
To support RBAC on TDH control planes on TKGS, you can configure permissions on vSphere objects and the Kubernetes cluster in two ways:
TKGS:
Namespace
resource pool
Object-based: For finer-grained control, create custom role objects directly on the control plane Kubernetes cluster as described in Object-Based Control Plane Permissions below.
TDH control planes on non-TKGS environments require the following permissions on vSphere objects in the Kubernetes cluster:
ClusterRole and ClusterRoleBinding objects:
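---
# Cluster-scoped role for the TDH control plane / data plane operator
# (non-TKGS). It is cluster-scoped because it manages namespaces, nodes,
# StorageClasses, PriorityClasses and CRDs, which have no namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tdh-cp-dp-cluster-role
rules:
  # Namespace lifecycle for the namespaces TDH creates.
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - delete
      - patch
  # Node read plus update/patch (no create/delete of nodes).
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
      - update
      - patch
  # Read-only discovery of StorageClasses.
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
  - apiGroups:
      - scheduling.k8s.io
    resources:
      - priorityclasses
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - delete
  # CRD management for the operators TDH installs.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - delete
      - deletecollection
      - patch
  # NOTE(review): "*" verbs on every resource of rbac.authorization.k8s.io
  # at cluster scope include bind/escalate on ClusterRoles, so the holder
  # can grant itself any permission; this rule is effectively
  # cluster-admin-equivalent. "*" on admissionregistration.k8s.io likewise
  # allows cluster-wide admission webhooks. Scope these down if the product
  # allows it, and audit who is bound to this ClusterRole.
  - apiGroups:
      - sql.tanzu.vmware.com
      - traefik.io
      - cert-manager.io
      - rabbitmq.com
      - rbac.authorization.k8s.io
      - admissionregistration.k8s.io
      - networking.k8s.io
      - bitnami.com
    resources:
      - "*"
    verbs:
      - "*"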
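---
# Binds the cluster-scoped TDH role to the operator user cluster-wide.
# Replace <user> with the identity TDH authenticates as.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tdhops-cluster-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tdh-cp-dp-cluster-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <user>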
Role and RoleBinding objects:
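---
# Namespace-scoped role for the TDH control plane in the mds-cp namespace.
# Note: it grants full verbs on secrets and pods/exec within this
# namespace, so the bound user can read every Secret there and exec into
# any pod there.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: mds-cp
  name: tdh-cp-role
rules:
  # Core workload objects in the namespace.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/exec
      - configmaps
      - secrets
      - services
      - serviceaccounts
      - events
      - persistentvolumeclaims
      - bindings
      - resourcequotas
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - patch
      - deletecollection
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  # Namespace-local RBAC objects (Roles/RoleBindings only, not cluster ones).
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  # Velero backup/restore custom resources.
  - apiGroups:
      - velero.io
    resources:
      - backuprepositories
      - backups
      - backupstoragelocations
      - deletebackuprequests
      - podvolumebackups
      - podvolumerestores
      - schedules
      - restores
      - volumesnapshotlocations
      - serverstatusrequests
      - datadownloads
      - datauploads
      - downloadrequests
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection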
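---
# Namespace-scoped role for TDH infrastructure components in mds-infra.
# Same rule set as tdh-cp-role (including full verbs on secrets and
# pods/exec), scoped to this namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: mds-infra
  name: tdh-infra-role
rules:
  # Core workload objects in the namespace.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/exec
      - configmaps
      - secrets
      - services
      - serviceaccounts
      - events
      - persistentvolumeclaims
      - bindings
      - resourcequotas
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - deletecollection
      - patch
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  # Namespace-local RBAC objects (Roles/RoleBindings only, not cluster ones).
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  # Velero backup/restore custom resources.
  - apiGroups:
      - velero.io
    resources:
      - backuprepositories
      - backups
      - backupstoragelocations
      - deletebackuprequests
      - podvolumebackups
      - podvolumerestores
      - schedules
      - restores
      - volumesnapshotlocations
      - serverstatusrequests
      - datadownloads
      - datauploads
      - downloadrequests
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection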
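---
# Role in kube-system limited to ConfigMaps, used for DNS zone updates.
# NOTE(review): this is not restricted by resourceNames, so it covers every
# ConfigMap in kube-system; confirm whether it can be narrowed to the
# specific ConfigMap(s) TDH edits.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kube-system
  name: tdh-infra-update-dns-zone-role
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - update
      - patch
      - delete
      - create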
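---
# Role in kube-system allowing read and in-place update of Deployments
# (no create/delete), used to roll the DNS Deployment after a zone change.
# NOTE(review): not restricted by resourceNames, so it applies to every
# Deployment in kube-system; narrow it if the target Deployment name is fixed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kube-system
  name: tdh-infra-update-dns-zone-deploy-role
rules:
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
      - update
      - patch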
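---
# Binds tdh-cp-role to the TDH operator user in the mds-cp namespace.
# Replace the subject name with the real identity (e.g. an sso: user).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tdhcp:tdh-engg:user:vsphere.local:tdhops
  namespace: mds-cp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tdh-cp-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <user e.g. sso:[email protected]>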
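---
# Binds tdh-infra-role to the TDH operator user in the mds-infra namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tdhinfra:tdh-engg:user:vsphere.local:tdhops
  namespace: mds-infra
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tdh-infra-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <user e.g. sso:[email protected]>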
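---
# Binds the kube-system ConfigMap role to the TDH operator user.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tdhdnszone:tdh-engg:user:vsphere.local:tdhops
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tdh-infra-update-dns-zone-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <user e.g. sso:[email protected]>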
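---
# Binds the kube-system Deployment-update role to the TDH operator user.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tdhdnszonedeploy:tdh-engg:user:vsphere.local:tdhops
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tdh-infra-update-dns-zone-deploy-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <user e.g. sso:[email protected]>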
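---
# Grants tdh-cp-dp-cluster-role to the operator user, limited to the
# default namespace (a RoleBinding to a ClusterRole is namespace-scoped).
# NOTE(review): the ClusterRoleBinding tdhops-cluster-rolebinding above
# already grants this ClusterRole cluster-wide, so this binding adds no
# permissions when both are applied; confirm it is intended. The name
# matches the kube-system RoleBinding above, which is valid because
# RoleBinding names are unique only per namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tdhdnszone:tdh-engg:user:vsphere.local:tdhops
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tdh-cp-dp-cluster-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <user e.g. sso:[email protected]>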
---
Configuring TDH data plane permissions differs between TKGS and non-TKGS environments.
To support RBAC on TDH data planes on TKGS, you can configure permissions on vSphere objects and Kubernetes cluster in two ways:
For finer-grained control, create the following ClusterRole object on the Supervisor cluster, and on the target data plane cluster create ClusterRole and ClusterRoleBinding objects as described in Object-Based Data Plane Permissions below:
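---
# ClusterRole applied on the Supervisor cluster (TKGS): namespace
# lifecycle plus read-only StorageClass discovery.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tdhops-dp-sup-cluster-role
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - delete
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list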
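---
# ClusterRoleBinding for the TDH data plane operator user.
# NOTE(review): roleRef points at tdhops-dp-cluster-role (the data plane
# cluster role defined further below), not at tdhops-dp-sup-cluster-role
# defined immediately above. Confirm which cluster this binding is applied
# to; on the Supervisor cluster the roleRef would need to name
# tdhops-dp-sup-cluster-role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: wcp:devops:cluster-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tdhops-dp-cluster-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <user e.g. sso:[email protected]>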
TDH data planes on non-TKGS environments require the following permissions on ClusterRole and ClusterRoleBinding objects in the Kubernetes cluster:
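---
# Cluster-scoped role for the TDH data plane operator (non-TKGS).
# Unlike the control plane Roles, the workload rules here (secrets,
# pods/exec, RBAC objects, ...) apply in every namespace of the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tdhops-dp-cluster-role
rules:
  # Core workload objects, cluster-wide.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/exec
      - configmaps
      - secrets
      - services
      - serviceaccounts
      - events
      - persistentvolumeclaims
      - bindings
      - resourcequotas
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - patch
      - deletecollection
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  # Namespace lifecycle.
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - delete
      - patch
  # Node read plus update/patch (no create/delete of nodes).
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
      - update
      - patch
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
  - apiGroups:
      - scheduling.k8s.io
    resources:
      - priorityclasses
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - delete
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - delete
      - deletecollection
      - patch
  # NOTE(review): "*" verbs on every resource of rbac.authorization.k8s.io
  # at cluster scope include bind/escalate on ClusterRoles, so the holder
  # can grant itself any permission; this rule is effectively
  # cluster-admin-equivalent. "*" on admissionregistration.k8s.io likewise
  # allows cluster-wide admission webhooks. Scope these down if the product
  # allows it, and audit who is bound to this ClusterRole.
  - apiGroups:
      - sql.tanzu.vmware.com
      - traefik.io
      - cert-manager.io
      - rabbitmq.com
      - rbac.authorization.k8s.io
      - admissionregistration.k8s.io
      - networking.k8s.io
      - with.sql.tanzu.vmware.com
      - velero.io
      - externaldns.k8s.io
      - monitoring.coreos.com
    resources:
      - "*"
    verbs:
      - "*"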
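---
# Binds the data plane ClusterRole to the TDH operator user cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tdhdpops-cluster-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tdhops-dp-cluster-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <user e.g. sso:[email protected]>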