Set up developer namespaces to use your installed packages

This topic tells you how to set up developer namespaces to use your installed packages.

You must first enable your namespace for Tanzu Application Platform Supply Chains and then optionally apply Kubernetes RBAC for additional non-admin user access. For more information, see:

1. Enable namespace for Supply Chains.
2. (Optional) Enable non-admin users access with Kubernetes RBAC.

Enable namespace for Supply Chains

The default Service Account in your developer namespace requires permission to your image repositories and RoleBindings for Tanzu Application Platform ClusterRoles. The Namespace Provisioner watches namespaces for a specific label, then takes action to enable the namespace.

To enable the Supply Chain on your namespace, run:

kubectl label namespace $YOUR-NAMESPACE apps.tanzu.vmware.com/tap-ns=""

Where YOUR-NAMESPACE is your developer namespace.

(Optional) Enable non-admin users access with Kubernetes RBAC

Follow these steps to enable non-admin users by using Kubernetes RBAC to submit jobs to the Supply Chain:

1. Choose either of the following options to give developers namespace-level access and view access to appropriate cluster-level resources:

   • Option 1: Use the Tanzu Application Platform RBAC CLI plug-in (beta).

     To use the tanzu rbac plug-in to grant app-viewer and app-editor roles to an identity provider group, run:

     tanzu rbac binding add -g GROUP-FOR-APP-VIEWER -n YOUR-NAMESPACE -r app-viewer
     tanzu rbac binding add -g GROUP-FOR-APP-EDITOR -n YOUR-NAMESPACE -r app-editor
     

     Where:

     • YOUR-NAMESPACE is the name you give to the developer namespace.
     • GROUP-FOR-APP-VIEWER is the user group from the upstream identity provider that requires access to app-viewer resources on the current namespace and cluster.
     • GROUP-FOR-APP-EDITOR is the user group from the upstream identity provider that requires access to app-editor resources on the current namespace and cluster.

     For more information about tanzu rbac, see Bind a user or group to a default role.

     VMware recommends creating a user group in your identity provider’s grouping system for each developer namespace and then adding the users accordingly.

     Depending on your identity provider, you might need to take further action to federate user groups appropriately with your cluster. For an example of how to set up Azure Active Directory (AD) with your cluster, see Integrating Azure Active Directory.

   • Option 2: Use the native Kubernetes YAML.

     To apply the RBAC policy, run:

     cat <<EOF | kubectl -n YOUR-NAMESPACE apply -f -
     apiVersion: rbac.authorization.k8s.io/v1
     kind: RoleBinding
     metadata:
       name: dev-permit-app-viewer
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: ClusterRole
       name: app-viewer
     subjects:
       - kind: Group
         name: GROUP-FOR-APP-VIEWER
         apiGroup: rbac.authorization.k8s.io
     ---
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
     metadata:
       name: YOUR-NAMESPACE-permit-app-viewer
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: ClusterRole
       name: app-viewer-cluster-access
     subjects:
       - kind: Group
         name: GROUP-FOR-APP-VIEWER
         apiGroup: rbac.authorization.k8s.io
     ---
     apiVersion: rbac.authorization.k8s.io/v1
     kind: RoleBinding
     metadata:
       name: dev-permit-app-editor
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: ClusterRole
       name: app-editor
     subjects:
       - kind: Group
         name: GROUP-FOR-APP-EDITOR
         apiGroup: rbac.authorization.k8s.io
     ---
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
     metadata:
       name: YOUR-NAMESPACE-permit-app-editor
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: ClusterRole
       name: app-editor-cluster-access
     subjects:
       - kind: Group
         name: GROUP-FOR-APP-EDITOR
         apiGroup: rbac.authorization.k8s.io
     EOF
     

     Where:

     • YOUR-NAMESPACE is the name you give to the developer namespace.
     • GROUP-FOR-APP-VIEWER is the user group from the upstream identity provider that requires access to app-viewer resources on the current namespace and cluster.
     • GROUP-FOR-APP-EDITOR is the user group from the upstream identity provider that requires access to app-editor resources on the current namespace and cluster.

     VMware recommends creating a user group in your identity provider’s grouping system for each developer namespace and then adding the users accordingly.

     Depending on your identity provider, you might need to take further action to federate user groups appropriately with your cluster. For an example of how to set up Azure Active Directory (AD) with your cluster, see Integrating Azure Active Directory.

     Rather than granting roles directly to individuals, VMware recommends using your identity provider’s user groups system to grant access to a group of developers. For an example of how to set up Azure AD with your cluster, see Integrating Azure Active Directory.

2. (Optional) Log in as a non-admin user, such as a developer, to see the effects of RBAC after the bindings are applied.

Next steps

• Install Tanzu Developer Tools for your VS Code