search
Tonic.ai

Required access to write destination data to a container repository

To enable Tonic Structural to write destination data to a container repository, the Structural service account requires specific levels of access to Kubernetes.

The required access applies both on a Kubernetes cluster where Structural is deployed and, for Docker instances, on the separate Kubernetes cluster that you install.

hashtag
Rolebinding with required access

On the Kubernetes cluster, the Structural service account must be granted a rolebinding that grants the following access to the Structural Kubernetes cluster:

rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "delete", "create", "watch", "deletecollection"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "delete", "create", "deletecollection"]

On a Kubernetes instance of Structural, you can allow Structural to create the rolebinding automatically. In the Structural Helm chart, the following setting determines whether to have Structural automatically create and grant the rolebinding. By default, the setting is true.

 rbac:
    create: true

If your access management method does not allow you to use this default configuration, then:

  1. Change the setting to false.

  2. Create and grant the rolebinding.

hashtag
Additional rbac grant for a separate Kubernetes cluster

For a separate Kubernetes cluster, the environment setting CONTAINERIZATION_MANAGE_NAMESPACE indicates whether to allow Structural to manage the remote namespace.

If the setting is true, then you must add the following rbac grant to enable the Structural service account to manage namespaces.

Last updated

Was this helpful?