From c70d7450b92364ecef55b8f913262a736c8b2e62 Mon Sep 17 00:00:00 2001 From: Patryk Orwat Date: Mon, 3 Feb 2025 16:24:36 +0100 Subject: [PATCH 1/3] added guide on adding a provider without RBAC manager Signed-off-by: Patryk Orwat --- .../guides/working-without-rbac-manager.md | 182 ++++++++++++++++++ 1 file changed, 182 insertions(+) create mode 100644 content/master/guides/working-without-rbac-manager.md diff --git a/content/master/guides/working-without-rbac-manager.md b/content/master/guides/working-without-rbac-manager.md new file mode 100644 index 000000000..fa36283db --- /dev/null +++ b/content/master/guides/working-without-rbac-manager.md 
@@ -0,0 +1,182 @@ +--- +title: Working without RBAC Manager +weight: 280 +--- + +RBAC Manager is responsible for granting appropriate permissions to components. + +In cases, where administrators are not allowing permissive cluster wide-permissions, you can turn off RBAC Manager with argument `--set rbacManager.deploy=false` in [helm chart](https://github.com/crossplane/crossplane/blob/main/cluster/charts/crossplane/README.md#configuration). +```yaml {label="value",copy-lines="none"} +rbacManager: + enabled: false +``` + +Once done, you need to configure custom permissions for each provider and custom resource definition. Below guides will instruct you step by step the additional work needed for each provider and XRD. + +## Provider RBAC + +> Note: Please keep in mind this guide doesn't show manual steps for installing providers. If you want to control Crossplane Core pod permissions even further, you can manually install the provider service. + +For the prpose of this guide, let's assume you want to deploy a `provider-kubernetes` to the cluster and control its permissions. 
You create a resource provider as usual +```yaml +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: provider-kubernetes +spec: + package: xpkg.upbound.io/crossplane-contrib/provider-kubernetes:v0.15.1 +``` +Once installed, save provider service account name +```sh +SA=$(kubectl -n crossplane-system get sa -o name | grep provider-kubernetes | sed -e 's|serviceaccount\/||g') +``` + +### ClusterRole for provider + +Then, create a ClusterRole, that will have necessary rules for resources that are to be managed by a provider: +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: provider-kubernetes-aggregate +rules: +- apiGroups: + - kubernetes.crossplane.io + resources: + - objects + - objects/status + - observedobjectcollections + - observedobjectcollections/status + - providerconfigs + - providerconfigs/status + - providerconfigusages + - providerconfigusages/status + verbs: + - get + - list + - watch + - update + - patch + - create +- apiGroups: + - kubernetes.crossplane.io + resources: + - '*/finalizers' + verbs: + - update +- apiGroups: + - "" + - coordination.k8s.io + resources: + - secrets + - configmaps + - events + - leases + verbs: + - '*' +``` + +With the role, now create a binding to the service account: +> Note: make sure that the `SA` environment variable that was defined earlier is still set correctly. 
+```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: provider-kubernetes-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: provider-kubernetes-aggregate +subjects: +- kind: ServiceAccount + name: ${SA} + namespace: crossplane-system +``` + +### ClusterRole for core Crossplane + +Now, create a new ClusterRole, for core Crossplane service +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: provider-kubernetes-aggregate +rules: +- apiGroups: + - kubernetes.crossplane.io + resources: + - objects + - objects/status + - observedobjectcollections + - observedobjectcollections/status + - providerconfigs + - providerconfigs/status + - providerconfigusages + - providerconfigusages/status + verbs: + - '*' +``` + +With the cluster role in place, create a binding to the core Crossplane service: +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: crossplane-provider-kubernetes-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: crossplane-aggregate-provider-access +subjects: +- kind: ServiceAccount + name: crossplane + namespace: crossplane-system +``` + +### Verification +With the previous steps applied, you can now verify the configuration by adding a provider config: +```yaml +apiVersion: kubernetes.crossplane.io/v1alpha1 +kind: ProviderConfig +metadata: + name: kubernetes-provider-config +spec: + credentials: + source: InjectedIdentity +``` +And add a binding, so that it's possible to manage local cluster by a provider: +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: provider-kubernetes-admin-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: ${SA} + namespace: crossplane-system +``` + +With the configuration in place, you can add a test resource: 
+```yaml +apiVersion: kubernetes.crossplane.io/v1alpha2 +kind: Object +metadata: + name: test-namespace +spec: + forProvider: + manifest: + apiVersion: v1 + kind: Namespace + metadata: + name: test-namespace + labels: + example: 'true' + providerConfigRef: + name: kubernetes-provider-config +``` + +## Compositions From a0308fb2cd6b7a16ffadc2943b5803cda7e0c374 Mon Sep 17 00:00:00 2001 From: Patryk Orwat Date: Tue, 4 Feb 2025 11:08:24 +0100 Subject: [PATCH 2/3] added XRD configuration without RBAC Manager Signed-off-by: Patryk Orwat --- .../guides/working-without-rbac-manager.md | 138 +++++++++++++++++- 1 file changed, 135 insertions(+), 3 deletions(-) diff --git a/content/master/guides/working-without-rbac-manager.md b/content/master/guides/working-without-rbac-manager.md index fa36283db..ad12df399 100644 --- a/content/master/guides/working-without-rbac-manager.md +++ b/content/master/guides/working-without-rbac-manager.md 
@@ -5,19 +5,22 @@ weight: 280 RBAC Manager is responsible for granting appropriate permissions to components. -In cases, where administrators are not allowing permissive cluster wide-permissions, you can turn off RBAC Manager with argument `--set rbacManager.deploy=false` in [helm chart](https://github.com/crossplane/crossplane/blob/main/cluster/charts/crossplane/README.md#configuration). +In cases, where administrators are not allowing permissive cluster wide-permissions,you can turn off RBAC Manager +with argument `--set rbacManager.deploy=false` in [helm chart](https://github.com/crossplane/crossplane/blob/main/cluster/charts/crossplane/README.md#configuration). ```yaml {label="value",copy-lines="none"} rbacManager: enabled: false ``` -Once done, you need to configure custom permissions for each provider and custom resource definition. Below guides will instruct you step by step the additional work needed for each provider and XRD. +Once done, you need to configure custom permissions for each provider and custom resource definition. Below guides +will instruct you step by step the additional work needed for each provider and XRD. ## Provider RBAC > Note: Please keep in mind this guide doesn't show manual steps for installing providers. If you want to control Crossplane Core pod permissions even further, you can manually install the provider service. -For the prpose of this guide, let's assume you want to deploy a `provider-kubernetes` to the cluster and control its permissions. You create a resource provider as usual +For the prpose of this guide, let's assume you want to deploy a `provider-kubernetes` to the cluster and control its +permissions. You create a resource provider as usual ```yaml apiVersion: pkg.crossplane.io/v1 kind: Provider 
@@ -180,3 +183,132 @@ spec: ``` ## Compositions +If you want to add a CompositionResourceDefinition in a system without RBAC Manager, you need to create the +necessary XRD definition as well as assign permissions to the defined type to Core Crossplane ServiceAccount. + +For the purpose of the example, let's create a sample XRD: +```yaml +apiVersion: apiextensions.crossplane.io/v1 +kind: CompositeResourceDefinition +metadata: + name: compositenamespaces.k8s.crossplane.io +spec: + group: k8s.crossplane.io + names: + kind: CompositeNamespace + plural: compositenamespaces + claimNames: + kind: NamespaceClaim + plural: namespaceclaims + versions: + - name: v1alpha1 + served: true + referenceable: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + name: + type: string + description: "The name of the Kubernetes namespace to be created." + status: + type: object + properties: + ready: + type: boolean + description: "Indicates if the namespace is ready." 
+``` + +After that, create a ClusterRole: +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: compositenamespace:aggregate-to-crossplane +rules: +- apiGroups: + - k8s.crossplane.io + resources: + - compositenamespaces + - compositenamespaces/status + verbs: + - '*' +- apiGroups: + - k8s.crossplane.io + resources: + - compositenamespaces/finalizers + verbs: + - update +- apiGroups: + - k8s.crossplane.io + resources: + - namespaceclaims + - namespaceclaims/status + verbs: + - '*' +- apiGroups: + - k8s.crossplane.io + resources: + - namespaceclaims/finalizers + verbs: + - update +``` + +If the ServiceAccount for your Core Crossplane service is default `crossplane`, apply below binding: +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: crossplane-provider-kubernetes-binding-CRD +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: compositenamespace:aggregate-to-crossplane +subjects: +- kind: ServiceAccount + name: crossplane + namespace: crossplane-system +``` + +### Verification + +Once proper permissions are applied, you can create a composition: +```yaml +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: compositenamespace.k8s.crossplane.io +spec: + compositeTypeRef: + apiVersion: k8s.crossplane.io/v1alpha1 + kind: CompositeNamespace + resources: + - name: namespace + base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + spec: + providerConfigRef: + name: kubernetes-provider-config + forProvider: + manifest: + apiVersion: v1 + kind: Namespace + patches: + - fromFieldPath: "spec.name" + toFieldPath: "metadata.name" + type: FromCompositeFieldPath +``` + +Followed by a Claim creation +```yaml +apiVersion: k8s.crossplane.io/v1alpha1 +kind: NamespaceClaim +metadata: + name: example-namespace-claim +spec: + name: testing-no-rbac +``` From 4949af2ec091f79efcb47d6bd88168ee8032aeaa Mon Sep 17 00:00:00 2001 
From: Patryk Orwat Date: Tue, 4 Feb 2025 15:56:02 +0100 Subject: [PATCH 3/3] refs to other pages, improved XRD section and guide org Signed-off-by: Patryk Orwat --- content/master/concepts/pods.md | 4 +-- .../guides/working-without-rbac-manager.md | 28 +++++++++++++------ content/master/software/install.md | 5 ++-- 3 files changed, 24 insertions(+), 13 deletions(-) diff --git a/content/master/concepts/pods.md b/content/master/concepts/pods.md index f6ed4cd0a..f3d7e2e12 100644 --- a/content/master/concepts/pods.md +++ b/content/master/concepts/pods.md @@ -221,8 +221,8 @@ file, setting `rbacManager.deploy` to `false`. {{< hint "note" >}} -Instructions for changing Crossplane pod settings during installation are in the -[Crossplane Install]({{}}) section. +You can follow a guide [Working without RBAC Manager]({{}}) +to understand additional steps necessary when working with this configuration in place. {{< /hint >}} diff --git a/content/master/guides/working-without-rbac-manager.md b/content/master/guides/working-without-rbac-manager.md index ad12df399..b9b9a5f05 100644 --- a/content/master/guides/working-without-rbac-manager.md +++ b/content/master/guides/working-without-rbac-manager.md 
@@ -3,21 +3,30 @@ title: Working without RBAC Manager weight: 280 --- -RBAC Manager is responsible for granting appropriate permissions to components. +RBAC Manager is responsible for establishing appropriate roles structure to components. In cases, where administrators are not allowing permissive cluster wide-permissions,you can turn off RBAC Manager -with argument `--set rbacManager.deploy=false` in [helm chart](https://github.com/crossplane/crossplane/blob/main/cluster/charts/crossplane/README.md#configuration). +with argument `--set rbacManager.deploy=false` in [helm chart](https://github.com/crossplane/crossplane/blob/main/cluster/charts/crossplane/README.md#configuration) during installation. ```yaml {label="value",copy-lines="none"} rbacManager: enabled: false ``` -Once done, you need to configure custom permissions for each provider and custom resource definition. Below guides -will instruct you step by step the additional work needed for each provider and XRD. +Once done, you need to configure Roles on your own for each provider and Composition Resource Definitions (XRDs). +Below guides will instruct you step by step the additional work needed for each provider and XRD to be able to +successfully deploy a provider and an XRD. + +The guide only establishes minimal number of resources to fulfill the guide's goal, RBAC Manager creates more resources +and if you want to read more, the +[Crossplane RBAC Manager design document](https://github.com/crossplane/crossplane/blob/main/design/design-doc-rbac-manager.md) +has more information on the installed _ClusterRoles_. + +> Note: The guide doesn't address any cluster-wide permissions that are used in Core Crossplane service. ## Provider RBAC -> Note: Please keep in mind this guide doesn't show manual steps for installing providers. If you want to control Crossplane Core pod permissions even further, you can manually install the provider service. 
+> Note: Please keep in mind this guide doesn't show manual steps for installing providers. If you want to control +> Crossplane Core pod permissions even further, you can manually install the provider service. For the prpose of this guide, let's assume you want to deploy a `provider-kubernetes` to the cluster and control its permissions. You create a resource provider as usual @@ -34,7 +43,7 @@ Once installed, save provider service account name SA=$(kubectl -n crossplane-system get sa -o name | grep provider-kubernetes | sed -e 's|serviceaccount\/||g') ``` -### ClusterRole for provider +### Provider ClusterRole Then, create a ClusterRole, that will have necessary rules for resources that are to be managed by a provider: ```yaml @@ -96,7 +105,7 @@ subjects: namespace: crossplane-system ``` -### ClusterRole for core Crossplane +### Core Crossplane ClusterRole Now, create a new ClusterRole, for core Crossplane service ```yaml @@ -182,10 +191,11 @@ spec: name: kubernetes-provider-config ``` -## Compositions +## Composition Resource Definitions RBAC If you want to add a CompositionResourceDefinition in a system without RBAC Manager, you need to create the necessary XRD definition as well as assign permissions to the defined type to Core Crossplane ServiceAccount. +### XRD ClusterRole For the purpose of the example, let's create a sample XRD: ```yaml apiVersion: apiextensions.crossplane.io/v1 @@ -228,6 +238,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: compositenamespace:aggregate-to-crossplane + labels: + rbac.crossplane.io/aggregate-to-crossplane: "true" rules: - apiGroups: - k8s.crossplane.io diff --git a/content/master/software/install.md b/content/master/software/install.md index 219f5c106..323b4093e 100644 --- a/content/master/software/install.md +++ b/content/master/software/install.md 
@@ -100,9 +100,8 @@ Crossplane _Composite Resource Definitions_, _Compositions_ and _Claims_. The `crossplane-rbac-manager` creates and manages Kubernetes _ClusterRoles_ for installed Crossplane _Provider_ and their _Custom Resource Definitions_. -The -[Crossplane RBAC Manager design document](https://github.com/crossplane/crossplane/blob/main/design/design-doc-rbac-manager.md) -has more information on the installed _ClusterRoles_. +You can follow a guide [Working without RBAC Manager]({{}}) +to understand additional steps necessary when opting out of RBAC Manager. ## Installation options
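Review bot: In the "ClusterRole for core Crossplane" part of the patch 1 hunk, the core ClusterRole is named `provider-kubernetes-aggregate`, the same name as the provider's own ClusterRole defined a few steps earlier, so applying it overwrites the provider role with the broader `'*'` verb set, while the binding `crossplane-provider-kubernetes-binding` refers to `crossplane-aggregate-provider-access`, which nothing in the guide creates. Name the core role `crossplane-aggregate-provider-access` (or point the binding at whichever name is chosen) so the two roles stay distinct and the binding resolves. Three smaller points in the same hunk: the prose says `--set rbacManager.deploy=false` but the YAML snippet sets `rbacManager.enabled`, so one of the two keys is wrong; `${SA}` inside the ClusterRoleBinding manifests is not expanded by `kubectl apply -f`, so show `envsubst` or a `kubectl create clusterrolebinding ... --serviceaccount=crossplane-system:$SA` command instead; and the verification step binds the provider's ServiceAccount to `cluster-admin`, which hands back exactly the cluster-wide permissions the guide exists to avoid, so either scope that binding to what the Namespace test needs or state that it is for the test only and must be removed afterwards. Also "prpose" should be "purpose" and "cluster wide-permissions" should be "cluster-wide permissions".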
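Review bot: The reflow in the first patch 2 hunk (`@@ -5,19 +5,22 @@`) drops the space after the comma in `cluster wide-permissions,you can turn off` and carries the `prpose` typo forward onto the newly wrapped line; since these lines are being touched anyway, fix both (`cluster-wide permissions, you can turn off` and `purpose`) and give "You create a resource provider as usual" its trailing colon so it matches the other lead-ins before a code block.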
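Review bot: In the second patch 2 hunk (`@@ -180,3 +183,132 @@`) the ClusterRoleBinding name `crossplane-provider-kubernetes-binding-CRD` contains uppercase letters, which the API server rejects for object names (they must be lowercase DNS-1123 subdomains), so that step fails as written; use something like `crossplane-compositenamespace-binding`. The opening sentence also calls the resource a `CompositionResourceDefinition`, but the kind in the manifest is `CompositeResourceDefinition`, and the prose should use that name. Minor: "Followed by a Claim creation" needs a colon to match the other code lead-ins.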
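Review bot: The `content/master/concepts/pods.md` hunk swaps the pointer to the Crossplane Install section for the new guide link, but the install-time instructions for `rbacManager.deploy` are what the hint was originally pointing readers to; keep the Install reference and add the guide as a second sentence rather than replacing it. "You can follow a guide ... to understand additional steps necessary" would also read more naturally as "See the [Working without RBAC Manager] guide for the additional steps this configuration requires."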
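Review bot: The rewritten introduction in the first guide hunk of patch 3 (`@@ -3,21 +3,30 @@`) has two grammar problems: "responsible for establishing appropriate roles structure to components" and the run-on "The guide only establishes minimal number of resources to fulfill the guide's goal, RBAC Manager creates more resources and if you want to read more, ...". Suggest "RBAC Manager creates the ClusterRoles that providers and XRDs need." and "This guide creates only the minimum set of resources needed to reach its goal. RBAC Manager creates more; the [Crossplane RBAC Manager design document] describes the full set of ClusterRoles it installs." In the same hunk "Composition Resource Definitions (XRDs)" should be "Composite Resource Definitions (XRDs)", which is the name used by the `CompositeResourceDefinition` kind later in the guide.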
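Review bot: The heading introduced in the `@@ -182,10 +191,11 @@` hunk, "Composition Resource Definitions RBAC", should be "Composite Resource Definition RBAC" for the same reason as above, and the new `### XRD ClusterRole` heading is placed directly after a paragraph with no blank line and before the XRD manifest rather than before the ClusterRole it names; add the blank line and either move the heading down to the "After that, create a ClusterRole:" step or rename it to cover the whole XRD-plus-role section.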
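Review bot: The `@@ -228,6 +238,8 @@` hunk adds the label `rbac.crossplane.io/aggregate-to-crossplane: "true"` to the XRD ClusterRole without any explanation in the text. That label only has an effect if a ClusterRole with an `aggregationRule` selecting it exists in the cluster; say which role that is and whether the explicit ClusterRoleBinding in the following step is then still required, otherwise readers cannot tell which of the two mechanisms is actually granting the permission, which matters on a page whose whole point is controlling what is granted.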
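Review bot: The `content/master/software/install.md` hunk removes the only link to the RBAC Manager design document from the page that introduces the `crossplane-rbac-manager`, replacing it with the guide link. The guide now carries the design-doc link, but readers of the install page who keep RBAC Manager will never reach it; keep the design-document sentence here and add the guide link after it.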