Skip to content

Update docs with RBAC for raw & keda remote deploys #3427

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
knative-prow merged 2 commits into from
Feb 11, 2026
Merged

Update docs with RBAC for raw & keda remote deploys #3427

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a5ee08d
Update docs with RBAC for raw & keda remote deploys
creydr Feb 9, 2026
94cea86
Add option with permissions for all deployers
creydr Feb 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
90 changes: 88 additions & 2 deletions docs/building-functions/on_cluster_build.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,11 +13,88 @@ kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previou
```

## Enabling a namespace to run Function related Tekton Pipelines
1. Add permission to deploy on Knative to `default` Service Account: (This is not needed on OpenShift)

Set up RBAC permissions for the `default` Service Account to deploy Functions: (This is not needed on OpenShift).
Depending on the to be used deployers, different permissions are required:

### Option A: Permissions for all deployers (knative, raw and Keda)

If you plan to use all deployers, you need the full set of permissions.

```bash
export NAMESPACE=<INSERT_YOUR_NAMESPACE>

kubectl create role func-deployer \
--verb=get,list,create,update,delete \
--resource=deployments.apps,replicasets.apps,pods,services,httpscaledobjects.http.keda.sh \
--namespace=$NAMESPACE

kubectl create rolebinding func-deployer-binding \
--role=func-deployer \
--serviceaccount=$NAMESPACE:default \
--namespace=$NAMESPACE

kubectl create clusterrolebinding $NAMESPACE:knative-eventing-namespaced-admin \
--clusterrole=knative-eventing-namespaced-admin \
--serviceaccount=$NAMESPACE:default

kubectl create clusterrolebinding $NAMESPACE:knative-serving-namespaced-admin \
--clusterrole=knative-serving-namespaced-admin \
--serviceaccount=$NAMESPACE:default
```

### Option B: Permissions only needed for the raw Deployer
```bash
export NAMESPACE=<INSERT_YOUR_NAMESPACE>

kubectl create clusterrolebinding $NAMESPACE:knative-eventing-namespaced-admin \
--clusterrole=knative-eventing-namespaced-admin \
--serviceaccount=$NAMESPACE:default

kubectl create role func-deployer \
--verb=get,list,create,update,delete \
--resource=deployments.apps,replicasets.apps,pods,services \
--namespace=$NAMESPACE

kubectl create rolebinding func-deployer-binding \
--role=func-deployer \
--serviceaccount=$NAMESPACE:default \
--namespace=$NAMESPACE
```

### Option C: Permissions only needed for the KEDA Deployer

Same as for the raw deployer, but additionally permissions for the `HTTPScaledObjects`:

```bash
export NAMESPACE=<INSERT_YOUR_NAMESPACE>

kubectl create clusterrolebinding $NAMESPACE:knative-eventing-namespaced-admin \
--clusterrole=knative-eventing-namespaced-admin \
--serviceaccount=$NAMESPACE:default

kubectl create role func-deployer \
--verb=get,list,create,update,delete \
--resource=deployments.apps,replicasets.apps,pods,services,httpscaledobjects.http.keda.sh \
--namespace=$NAMESPACE

kubectl create rolebinding func-deployer-binding \
--role=func-deployer \
--serviceaccount=$NAMESPACE:default \
--namespace=$NAMESPACE
```

### Option D: Permissions only needed for the Knative Deployer
```bash
export NAMESPACE=<INSERT_YOUR_NAMESPACE>

kubectl create clusterrolebinding $NAMESPACE:knative-eventing-namespaced-admin \
--clusterrole=knative-eventing-namespaced-admin \
--serviceaccount=$NAMESPACE:default

kubectl create clusterrolebinding $NAMESPACE:knative-serving-namespaced-admin \
--clusterrole=knative-serving-namespaced-admin --serviceaccount=$NAMESPACE:default
--clusterrole=knative-serving-namespaced-admin \
--serviceaccount=$NAMESPACE:default
```

## Building a Function on Cluster
Expand Down Expand Up @@ -72,6 +149,15 @@ Please provide credentials for image registry used by Pipeline.
1. In each namespace where Pipelines and Functions were deployed, uninstall following resources:
```bash
export NAMESPACE=<INSERT_YOUR_NAMESPACE>

# Remove the Function deployer role and binding (if created for raw or keda deployer)
kubectl delete rolebinding func-deployer-binding --namespace=$NAMESPACE
kubectl delete role func-deployer --namespace=$NAMESPACE

# Remove the Knative Eventing cluster role binding (if created)
kubectl delete clusterrolebinding $NAMESPACE:knative-eventing-namespaced-admin

# Remove the Knative Serving cluster role binding (if created for knative deployer)
kubectl delete clusterrolebinding $NAMESPACE:knative-serving-namespaced-admin

```
Expand Down
Loading