Updating RBAC doc to provide more information
Added Permissions list
Added GKE specific instructions
Nick-Harvey committed Jan 30, 2019
1 parent 3c135f7 commit 985cf6c
Showing 1 changed file with 32 additions and 6 deletions.
38 changes: 32 additions & 6 deletions doc/deployment/rbac.md
@@ -1,12 +1,23 @@
# RBAC

Pachyderm has support for Kubernetes Role-Based Access Controls (RBAC).
This support is a default part of all Pachyderm deployments, there's nothing
special for you to do as a user. You can see the ClusterRole which is created
for Pachyderm's service account by doing:
Pachyderm has support for Kubernetes Role-Based Access Controls (RBAC) and is a default part of all Pachyderm deployments. For most users, you shouldn't have any issues as Pachyderm takes care of setting all the RBAC permissions automatically. However, if you are deploying Pachyderm on a cluster that your company owns, security policies might not allow certain RBAC permissions by default. Therefore, it's suggested that you contact your Kubernetes admin and provide the following to ensure you don't encounter any permissions issues:

```shell
kubectl get clusterrole/pachyderm -o json
Pachyderm Permission Requirements
```
Rules: []rbacv1.PolicyRule{{
APIGroups: []string{""},
Verbs: []string{"get", "list", "watch"},
Resources: []string{"nodes", "pods", "pods/log", "endpoints"},
}, {
APIGroups: []string{""},
Verbs: []string{"get", "list", "watch", "create", "update", "delete"},
Resources: []string{"replicationcontrollers", "services"},
}, {
APIGroups: []string{""},
Verbs: []string{"get", "list", "watch", "create", "update", "delete"},
Resources: []string{"secrets"},
ResourceNames: []string{client.StorageSecretName},
}},
```

## RBAC and DNS
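Review bot: the secrets rule at the end of the permissions list (`Resources: []string{"secrets"}` with `ResourceNames: []string{client.StorageSecretName}`) does not grant what it appears to, because Kubernetes RBAC cannot match a `create` request against `resourceNames` (the object's name is not known at authorization time) and `list`/`watch` requests carry no resource name either, so those three verbs are effectively not granted by this rule; either drop them from that entry or state plainly which verbs are name-scoped, otherwise the admin who pre-approves this list will be surprised when the deployment still fails. The list is also a Go literal (`rbacv1.PolicyRule`, `client.StorageSecretName`) in an untagged fence, and the "Pachyderm Permission Requirements" line lands inside the ```shell fence left over from the removed `kubectl get clusterrole/pachyderm -o json` command. An admin being asked to approve permissions needs the concrete secret name and something they can read or apply, so consider rendering this as the ClusterRole `rules:` in YAML with the real secret name, closing the shell fence before the heading, and keeping the `kubectl get clusterrole` command as the way to verify what was actually granted.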
Expand Down Expand Up @@ -47,3 +58,18 @@ kubectl -n kube-system patch deploy/kube-dns -p '{"spec": {"template": {"spec":
this will tell Kubernetes that `kube-dns` should use the appropriate
ServiceAccount. Kubernetes creates the ServiceAccount, it just doesn't actually
use it.

## RBAC Permissions on GKE
If you're deploying Pachyderm on GKE and run into the following error:

```
Error from server (Forbidden): error when creating "STDIN": clusterroles.rbac.authorization.k8s.io "pachyderm" is forbidden: attempt to grant extra privileges:
```

Run the following and redeploy Pachyderm:

```
kubectl create clusterrolebinding cluster-admin-binding \ --clusterrole cluster-admin --user $(gcloud config get-value account)
```

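Review bot: the GKE section hands out a `cluster-admin` binding without saying why the `attempt to grant extra privileges` error occurs: RBAC only lets a user create a ClusterRole whose rules they already hold (escalation prevention), so the binding is only needed for the user who creates the `pachyderm` ClusterRole and stays behind after the deploy unless removed; say that, and suggest deleting the binding afterwards. The command as rendered is also broken: `cluster-admin-binding \ --clusterrole` has a backslash followed by a space, so the shell passes ` --clusterrole` as a single literal argument instead of continuing the line; either drop the backslash or put a real line break after it. Both fences in this section are untagged while the rest of the file uses ```shell.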