版本:v1.3
ServiceAccount Integration for RBAC
KubeVela applies Components and runs Workflow with the controller service account, which allows you to manage components across namespaces.
However, in the soft-multitenancy environments, such as Namespaces as a Service, you may need to limit Applications to allow applying components or running workflows in the authorized namespaces only.
You can limit by setting app.oam.dev/service-account-name
annotation with the specific ServiceAccount name. If defined, KubeVela will use the given ServiceAccount instead of the controller ServiceAccount when applying Components and running Workflow.
Let’s assume that we have two namespaces:
demo-service
: for managing applicationdemo-service-prod
: to deploy components for the production environment
In this example, we will make the Application use a specific ServiceAccount instead of the controller ServiceAccount.
Create deployer
ServiceAccount in demo-service
namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
name: deployer
namespace: demo-service
Allow deployer
ServiceAccount in demo-service
to manage Deployments in demo-service-prod
by creating Role/RoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: deployments:admin
namespace: demo-service-prod
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: deployments:admin
namespace: demo-service-prod
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: deployments:admin
subjects:
- kind: ServiceAccount
name: deployer
namespace: demo-service
apiVersion: core.oam.dev/v1beta1
kind: Application
metadata:
name: multi-env-demo-with-service-account
namespace: demo-service
annotations:
app.oam.dev/service-account-name: deployer # the name of the ServiceAccount we created
spec:
components:
- name: nginx-server
type: webservice
properties:
image: nginx:1.21
port: 80
policies:
- name: env
type: env-binding
properties:
created: false
envs:
- name: prod
patch:
components:
- name: nginx-server
type: webservice
properties:
image: nginx:1.20
port: 80
placement:
namespaceSelector:
name: demo-service-prod
workflow:
steps:
- name: deploy-prod-server
type: deploy2env
properties:
policy: env
env: prod
After deploying the Application, you can check the Application is deployed successfully.
NAME COMPONENT TYPE PHASE HEALTHY STATUS AGE
multi-env-demo-with-service-account nginx-server webservice workflowFinished true Ready:1/1 18s
If you set non-authorized ServiceAccount to the annotation, you can find an error message like below in the Application status.
Dispatch: Found 1 errors. [(cannot get object: deployments.apps "nginx-server" is forbidden: User "system:serviceaccount:demo-service:non-authorized-account" cannot get resource "deployments" in API group "apps" in the namespace "demo-service-prod")]
ServiceAccount Integration doesn’t support Multi-Cluster Application Delivery. Even if you set ServiceAccount name to the annotation, KubeVela will ignore it if the scope is a non-local cluster.
You can follow up about this issue on GitHub.
Last updated on 2022年11月1日 by Tianxin Dong