Required access to write destination data to container artifacts

To enable Tonic Structural to write destination data to container artifacts, the Structural service account requires specific levels of access to Kubernetes.

The required access applies both on a Kubernetes cluster where Structural is deployed and, for Docker instances, on the separate Kubernetes cluster that you install.

Rolebinding with required access

On the Kubernetes cluster, the Structural service account must be granted a rolebinding that grants the following access to the Structural Kubernetes cluster:

rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "delete", "create", "watch", "deletecollection"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "delete", "create", "deletecollection"]

On a Kubernetes instance of Structural, you can allow Structural to create the rolebinding automatically. In the Structural Helm chart, the following setting determines whether to have Structural automatically create and grant the rolebinding. By default, the setting is true.

 rbac:
    create: true

If your access management method does not allow you to use this default configuration, then:

Change the setting to false.
Create and grant the rolebinding.

Additional rbac grant for a separate Kubernetes cluster

For a separate Kubernetes cluster, the environment setting CONTAINERIZATION_MANAGE_NAMESPACE indicates whether to allow Structural to manage the remote namespace.

If the setting is true, then you must add the following rbac grant to enable the Structural service account to manage namespaces.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tonic-containerization
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "create", "delete", "patch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "delete", "create", "watch", "deletecollection"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "delete", "create", "deletecollection"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tonic-containerization
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tonic-containerization
subjects:
  # depends on how authentication to the cluster is established
  - kind: User
    name: # containerization user name
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: # containerization group name
    apiGroup: rbac.authorization.k8s.io
  - kind: ServiceAccount
    name: # containerization service account name
    namespace: # namespace for service account in remote cluster

Last updated 1 month ago