Role-Based Access Control

This part of the Best Practices Guide discusses the creation and formatting ofRBAC resources in chart manifests.

RBAC resources are:

  • ServiceAccount (namespaced)
  • Role (namespaced)
  • ClusterRole
  • RoleBinding (namespaced)
  • ClusterRoleBinding

YAML Configuration

RBAC and ServiceAccount configuration should happen under separate keys. Theyare separate things. Splitting these two concepts out in the YAML disambiguatesthem and make this clearer.

  1. rbac:
  2.   # Specifies whether RBAC resources should be created
  3.   create: true
  5. serviceAccount:
  6.   # Specifies whether a ServiceAccount should be created
  7.   create: true
  8.   # The name of the ServiceAccount to use.
  9.   # If not set and create is true, a name is generated using the fullname template
  10.   name:

This structure can be extended for more complex charts that require multipleServiceAccounts.

  1. serviceAccounts:
  2.   client:
  3.     create: true
  4.     name:
  5.   server: 
  6.     create: true
  7.     name:

RBAC Resources Should be Created by Default

rbac.create should be a boolean value controlling whether RBAC resources arecreated. The default should be true. Users who wish to manage RBAC accesscontrols themselves can set this value to false (in which case see below).

Using RBAC Resources

serviceAccount.name should set to the name of the ServiceAccount to be used byaccess-controlled resources created by the chart. If serviceAccount.create istrue, then a ServiceAccount with this name should be created. If the name isnot set, then a name is generated using the fullname template, IfserviceAccount.create is false, then it should not be created, but it shouldstill be associated with the same resources so that manually-created RBACresources created later that reference it will function correctly. IfserviceAccount.create is false and the name is not specified, then the defaultServiceAccount is used.

The following helper template should be used for the ServiceAccount.

  1. {{/*
  2. Create the name of the service account to use
  3. */}}
  4. {{- define "mychart.serviceAccountName" -}}
  5. {{- if .Values.serviceAccount.create -}}
  6.     {{ default (include "mychart.fullname" .) .Values.serviceAccount.name }}
  7. {{- else -}}
  8.     {{ default "default" .Values.serviceAccount.name }}
  9. {{- end -}}
  10. {{- end -}}