Skip to content

A tool for creating permissions for a team on a Kubernetes cluster.


Notifications You must be signed in to change notification settings


Repository files navigation


tesserarius is a collection of invoke tasks that wrap common tools for creating permissions for a team on the kubernetes cluster.


To install, use pip:

pip install tesserarius

Once installed, you can use it from within your project directory. The console script uses an etc/tesserarius/tesserarius.yaml file to configure itself.


The tesserarius tool is a python modules that uses invoke to make calls the kubectl and gcloud command-line tools. The following should be installed before running tesserarius:

  1. kubectl - Install the version matching the cluster you will be working.
  2. gcloud - Ensure you login using gcloud auth login
  3. python - It is recommended you use python environment running Python 3.7.4 or later


  1. Clone the repostory: git clone
  2. Initialise your python environment: echo -n 'tesserarius' > .python-version && pyenv virtualenv 3.7.4 tesserarius
  3. Install pip with the following command pip install -e .


There are two main config files used to run the tool. All operations reference contents of these config files. The first one is etc/tesserarius/tesserarius.yaml and the second one is used to keep track of the roles etc/tesserarius/roles.yaml

  • The tesserarius.yaml config files includes all the settings for running the tesserarius:

    version: 1
                    project: project-id
                    zone: europe-west1-c
                    cluster: staging
                    namespace: service-test-staging
                    project: project-id
                    zone: europe-west1-c
                    cluster: production
                    namespace: service-test
                    project: project-id
                    zone: europe-west1-c
                    cluster: staging
                    namespace: service-test-staging
                    project: project-id
                    zone: europe-west1-c
                    cluster: production
                    namespace: service-test
      - name: test-wale
            displayName: "test Service Backup Writer"
            description: "Service Account for the test Service on production to write to pgdata the bucket"
            role: extensions.bucket.writer
            environment: production
      - name: test-staging-wale
            displayName: "test Service Backup Writer"
            description: "Service Account for the test Service on staging to write to pgdata the bucket"
            role: extensions.bucket.writer
            environment: staging
      bindings: []
      - members:
        role: projects/project-id/roles/
    platform: {}
  • The roles.yaml file contains GCloud IAM role definitions:

      - name:
        description: 'Developer role for GCP Users. Based on: Kubernetes Engine Developer'
        stage: ALPHA
        title: 'Platform Team Developer'
        - example.test.permission
        removePermissions: []
        permissions: []
      - name: extensions.bucket.writer
        description: 'Role for Writing in GCS Buckets'
        stage: ALPHA
        title: 'Storage Bucket Writer'
        - example.test.permission
        removePermissions: []
        permissions: []


The commands have been categorized between platform (to work on the rehive-core cluster) and extensions (to work on the rehive-services cluster)

List of available commands:

Usage: tesserarius [--core-opts] <subcommand> [--subcommand-opts] ...

Core options:

  --complete                     Print tab-completion candidates for given
                                 parse remainder.
  --hide=STRING                  Set default value of run()'s 'hide' kwarg.
  --write-pyc                    Enable creation of .pyc files.
  -d, --debug                    Enable debug output.
  -e, --echo                     Echo executed commands before running.
  -f STRING, --config=STRING     Runtime configuration file to use.
  -h [STRING], --help[=STRING]   Show core or per-task help and exit.
  -l, --list                     List available tasks.
  -n STRING, --project=STRING    The project/package name being build
  -p, --pty                      Use a pty when executing shell commands.
  -V, --version                  Show version and exit.
  -w, --warn-only                Warn, instead of failing, when shell commands


  cluster.set                        Sets the active cluster
  extensions.bind                    Add IAM policy binding in rehive-services
  platform.bind                      Add IAM policy binding in rehive-services
  extensions.roles.create            Creates a Google Cloud IAM role on rehive-
  extensions.roles.delete            Deletes a Google Cloud IAM role on rehive-
  extensions.roles.update            Updates a Google Cloud IAM role on rehive-
  extensions.serviceaccount.bind     Binds a Google Cloud IAM Service Account
                                     on rehive-services
  extensions.serviceaccount.create   Creates a Google Cloud IAM Service Account
                                     on rehive-services
  extensions.serviceaccount.delete   Deletes a Google Cloud IAM Service Account
                                     on rehive-services
  extensions.serviceaccount.update   Updates a Google Cloud IAM Service Account
                                     on rehive-services
  extensions.serviceaccount.upload   Uploads a Google Cloud IAM Service Account
                                     private key to kubernetes namespace
  platform.roles.create              Creates a Google Cloud IAM role on rehive-
  platform.roles.delete              Deletes a Google Cloud IAM role on rehive-
  platform.roles.update              Updates a Google Cloud IAM role on rehive-
  platform.serviceaccount.bind       Binds a Google Cloud IAM Service Account
                                     on rehive-core
  platform.serviceaccount.create     Creates a Google Cloud IAM Service Account
                                     on rehive-core
  platform.serviceaccount.delete     Deletes a Google Cloud IAM Service Account
                                     on rehive-core
  platform.serviceaccount.update     Updates a Google Cloud IAM Service Account
                                     on rehive-core
  platform.serviceaccount.upload     Uploads a Google Cloud IAM Service Account
                                     private key to kubernetes namespace
  • tesserarius extensions.serviceaccount.create

    This command creates all the serviceaccounts listed in the config file under the extensions.serviceAccount list. It makes some checks to ensure that the names of the service account conform to the naming conventions set in for service account names (<service-name>((-staging)?)(-<role_name>)?):

    Usage: tesserarius [--core-opts] extensions.serviceaccount.create [--options] [other tasks here ...]
      Creates a Google Cloud IAM Service Account on rehive-services
      -n STRING, --name=STRING   The name of the service account to handle

    You may create a specific serviceaccount by using -n | --name flag followed by the name of the service account. Eg. tesserarius extensions.serviceaccount.create -n test-staging-media

  • tesserarius extensions.serviceaccounts.bind

    Creates or updates the role binding for the serviceaccount with the role in the extensions.serviceaccount[i].role for all serviceaccounts in the config:

    Usage: tesserarius [--core-opts] extensions.serviceaccount.bind [--options] [other tasks here ...]
      Binds a Google Cloud IAM Service Account on rehive-services
      -n STRING, --name=STRING   The name of the service account to handle

    You may bind a specific serviceaccount by using -n | --name flag followed by the name of the service account. Eg. tesserarius extensions.serviceaccount.bind -n test-staging-media

    The role referenced will be a custom role available under the rehive-services Google Cloud Project. It is advised to use the list of roles defined in the roles.yaml file.

  • tesserarius extensions.serviceaccounts.delete

    This command deletes all the serviceaccounts listed in the config file under the extensions.serviceAccount list:

    Usage: tesserarius [--core-opts] extensions.serviceaccount.delete [--options] [other tasks here ...]
      Deletes a Google Cloud IAM Service Account on rehive-services
      -n STRING, --name=STRING   The name of the service account to handle

    You may delete a specific serviceaccount by using -n | --name flag followed by the name of the service account. Eg. tesserarius extensions.serviceaccount.delete -n test-staging-media

  • tesserarius extensions.serviceaccount.upload

    This command uploads a serviceaccount key listed in the config file under the extensions.serviceAccount list. Eg tesserarius extensions.serviceaccount.upload service-product-media product gcloud:

    Usage: tesserarius [--core-opts] extensions.serviceaccount.upload [--options] [other tasks here ...]
      Uploads a Google Cloud IAM Service Account private key to
      k8s namespace as a generic secret on rehive-services
      -n STRING, --name=STRING     The name of the service account to upload
      -s STRING, --secret=STRING   The kubernetes secret name to upload the private
  • tesserarius extensions.serviceaccount.update

    This command updates all the serviceaccounts listed in the config file under the extensions.serviceAccount list. It makes some checks to ensure that the names of the service account conform to the naming conventions set in for service account names (<service-name>((-staging)?)(-<role_name>)?) It allows you to update an existing serviceaccount details:

                    Usage: tesserarius [--core-opts] extensions.serviceaccount.update [--options] [other tasks here ...]
                      Updates a Google Cloud IAM Service Account on rehive-services
                      -n STRING, --name=STRING   The name of the service account to handle
    You may update a specific serviceaccount by using ``-n | --name`` flag
    followed by the name of the service account.
    Eg. ``tesserarius extensions.serviceaccount.update -n test-staging-media``
  • tesserarius extensions.roles.create

    This command creates all the roles listed in the config file under the extensions.roles list. It makes some checks to ensure that the names of the service account conform to the naming conventions set in for service account names (extensions.<service-name>(.<actor>)?):

    Usage: tesserarius [--core-opts] extensions.roles.create [--options] [other tasks here ...]
      Creates a Google Cloud IAM role on rehive-services
      -n STRING, --name=STRING   The name of the role to handle
  • tesserarius extensions.roles.update

    This command updates all the roles listed in the config file under the extensions.roles list. It makes some checks to ensure that the names of the service account conform to the naming conventions set in for service account names (extensions.<service-name>(.<actor>)?):

    Usage: tesserarius [--core-opts] extensions.roles.update [--options] [other tasks here ...]
      Updates a Google Cloud IAM role on rehive-services
      -n STRING, --name=STRING   The name of the role to handle
  • tesserarius extensions.roles.delete

    This command deletes all the roles listed in the config file under the extensions.roles list. It makes some checks to ensure that the names of the service account conform to the naming conventions set in for service account names (extensions.<service-name>(.<actor>)):

    Usage: tesserarius [--core-opts] extensions.roles.delete [--options] [other tasks here ...]
      Deletes a Google Cloud IAM role on rehive-services
      -n STRING, --name=STRING   The name of the role to handle