Permissions for RBAC on Kubernetes

To ensure that the Tanzu Data Hub (TDH) control plane functions correctly within a Kubernetes environment, you need to configure the appropriate Role-Based Access Control (RBAC) permissions.

Below is a list of the required Kubernetes account permissions that TDH needs to support RBAC on its control planes and data planes.

Control Plane Permissions

Configuring TDH control plane permissions differs between TKGS and non-TKGS environments.

TKGS Control Plane Permissions

To support RBAC on TDH control planes on TKGS, you can configure permissions on vSphere objects and the Kubernetes cluster in one of two ways:

Object-Based Control Plane Permissions

TDH control planes on non-TKGS environments require the following permissions, defined as Kubernetes RBAC objects in the cluster:

ClusterRole and ClusterRoleBinding objects:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tdh-cp-dp-cluster-role
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - delete
      - patch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
      - update
      - patch
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
  - apiGroups:
      - scheduling.k8s.io
    resources:
      - priorityclasses
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - delete
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - delete
      - deletecollection
      - patch
  - apiGroups:
      - sql.tanzu.vmware.com
      - traefik.io
      - cert-manager.io
      - rabbitmq.com
      - rbac.authorization.k8s.io
      - admissionregistration.k8s.io
      - networking.k8s.io
      - bitnami.com
    resources:
      - "*"
    verbs:
      - "*"

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tdhops-cluster-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tdh-cp-dp-cluster-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <user>

Role and RoleBinding objects:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: mds-cp
  name: tdh-cp-role
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/exec
      - configmaps
      - secrets
      - services
      - serviceaccounts
      - events
      - persistentvolumeclaims
      - bindings
      - resourcequotas
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - patch
      - deletecollection
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - velero.io
    resources:
      - backuprepositories
      - backups
      - backupstoragelocations
      - deletebackuprequests
      - podvolumebackups
      - podvolumerestores
      - schedules
      - restores
      - volumesnapshotlocations
      - serverstatusrequests
      - datadownloads
      - datauploads
      - downloadrequests
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: mds-infra
  name: tdh-infra-role
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/exec
      - configmaps
      - secrets
      - services
      - serviceaccounts
      - events
      - persistentvolumeclaims
      - bindings
      - resourcequotas
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - deletecollection
      - patch
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection

  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - velero.io
    resources:
      - backuprepositories
      - backups
      - backupstoragelocations
      - deletebackuprequests
      - podvolumebackups
      - podvolumerestores
      - schedules
      - restores
      - volumesnapshotlocations
      - serverstatusrequests
      - datadownloads
      - datauploads
      - downloadrequests
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kube-system
  name: tdh-infra-update-dns-zone-role
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - update
      - patch
      - delete
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kube-system
  name: tdh-infra-update-dns-zone-deploy-role
rules:
  - apiGroups:
      - "apps"
    resources:
      - deployments
    verbs:
      - get
      - list
      - update
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tdhcp:tdh-engg:user:vsphere.local:tdhops
  namespace: mds-cp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tdh-cp-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <user e.g. sso:[email protected]>

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tdhinfra:tdh-engg:user:vsphere.local:tdhops
  namespace: mds-infra
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tdh-infra-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <user e.g. sso:[email protected]>

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tdhdnszone:tdh-engg:user:vsphere.local:tdhops
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tdh-infra-update-dns-zone-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <user e.g. sso:[email protected]>
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tdhdnszonedeploy:tdh-engg:user:vsphere.local:tdhops
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tdh-infra-update-dns-zone-deploy-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <user e.g. sso:[email protected]>
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tdhdnszone:tdh-engg:user:vsphere.local:tdhops
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tdh-cp-dp-cluster-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <user e.g. sso:[email protected]>
---
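To check what the objects above actually grant before applying them, here is an added example (not part of the TDH documentation) that evaluates the page's tdh-cp-dp-cluster-role and tdh-cp-role rules the way the API server does and flags wildcard grants; the subject sso:tdhops@vsphere.local is a constructed stand-in for <user>, and the data plane ClusterRole in the next section can be transcribed and checked the same way.

```python
# Rules transcribed from the page's ClusterRole tdh-cp-dp-cluster-role (cluster
# scope) and Role tdh-cp-role (namespace mds-cp); the other roles are omitted.
CLUSTER_RULES = [
    {"apiGroups": [""], "resources": ["namespaces"],
     "verbs": ["get", "list", "watch", "update", "create", "delete", "patch"]},
    {"apiGroups": [""], "resources": ["nodes"],
     "verbs": ["get", "list", "watch", "update", "patch"]},
    {"apiGroups": ["sql.tanzu.vmware.com", "traefik.io", "cert-manager.io",
                   "rabbitmq.com", "rbac.authorization.k8s.io",
                   "admissionregistration.k8s.io", "networking.k8s.io", "bitnami.com"],
     "resources": ["*"], "verbs": ["*"]},
]
MDS_CP_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/exec", "configmaps", "secrets"],
     "verbs": ["get", "list", "watch", "create", "update", "delete", "patch"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles", "rolebindings"],
     "verbs": ["get", "watch", "list", "create", "patch", "delete", "update"]},
]
USER = "sso:tdhops@vsphere.local"  # constructed subject name, stands in for <user>
# (subject, namespace of the RoleBinding, or None for a ClusterRoleBinding, rules)
BINDINGS = [(USER, None, CLUSTER_RULES), (USER, "mds-cp", MDS_CP_RULES)]


def _matches(wanted, allowed):
    return "*" in allowed or wanted in allowed


def rule_allows(rule, verb, group, resource):
    """Apply one PolicyRule the way the API server does: apiGroups, resources and
    verbs must all match, "*" matches anything, subresources are "resource/sub"."""
    return (_matches(group, rule["apiGroups"])
            and _matches(resource, rule["resources"])
            and _matches(verb, rule["verbs"]))


def can_i(user, verb, group, resource, namespace=None):
    """Mirror `kubectl auth can-i --as=<user>`: a ClusterRoleBinding applies in
    every namespace and at cluster scope, a RoleBinding only in its namespace."""
    for subject, scope, rules in BINDINGS:
        if subject != user or (scope is not None and scope != namespace):
            continue
        if any(rule_allows(r, verb, group, resource) for r in rules):
            return True
    return False


def wildcard_findings(rules, role_name):
    """Audit helper: "*" resources with "*" verbs grants every verb in the API
    group, which for rbac.authorization.k8s.io includes bind and escalate."""
    return [f"{role_name}: full access to apiGroup '{g or 'core'}'"
            for r in rules if "*" in r["resources"] and "*" in r["verbs"]
            for g in r["apiGroups"]]
```

Run wildcard_findings over every role you intend to bind; a finding on rbac.authorization.k8s.io means the subject can grant itself further rights, so keep such bindings to the tightest subject set possible.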

Data Plane Permissions

Configuring TDH data plane permissions differs between TKGS and non-TKGS environments.

TKGS Data Plane Permissions

To support RBAC on TDH data planes on TKGS, you can configure permissions on vSphere objects and the Kubernetes cluster in one of two ways:

  • Set the “Can Edit” permission on the vSphere Namespace where the data plane will be deployed.
  • For finer-grained control, create the following ClusterRole and ClusterRoleBinding objects on the Supervisor cluster, and on the target data plane cluster create the ClusterRole and ClusterRoleBinding objects described in Object-Based Data Plane Permissions below:

      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: tdhops-dp-sup-cluster-role
      rules:
      - apiGroups: [""]
        resources: ["namespaces"]
        verbs: ["get", "list", "watch", "update", "create", "delete"]
      - apiGroups: ["storage.k8s.io"]
        resources: ["storageclasses"]
        verbs: ["get", "list"]
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: wcp:devops:cluster-view
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        # Must name the ClusterRole created on the Supervisor cluster above; a
        # roleRef to a ClusterRole that does not exist on this cluster grants nothing.
        name: tdhops-dp-sup-cluster-role
      subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: <user e.g. sso:[email protected]>


Object-Based Data Plane Permissions

TDH data planes on non-TKGS environments require the following permissions, defined as ClusterRole and ClusterRoleBinding objects in the Kubernetes cluster:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tdhops-dp-cluster-role
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/exec
      - configmaps
      - secrets
      - services
      - serviceaccounts
      - events
      - persistentvolumeclaims
      - bindings
      - resourcequotas
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - patch
      - deletecollection
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
      - update
      - deletecollection
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - delete
      - patch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
      - update
      - patch
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
  - apiGroups:
      - scheduling.k8s.io
    resources:
      - priorityclasses
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - delete
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - delete
      - deletecollection
      - patch
  - apiGroups:
      - sql.tanzu.vmware.com
      - traefik.io
      - cert-manager.io
      - rabbitmq.com
      - rbac.authorization.k8s.io
      - admissionregistration.k8s.io
      - networking.k8s.io
      - with.sql.tanzu.vmware.com
      - velero.io
      - externaldns.k8s.io
      - monitoring.coreos.com
    resources:
      - "*"
    verbs:
      - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tdhdpops-cluster-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tdhops-dp-cluster-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <user e.g. sso:[email protected]>