# RBAC Configuration
This document describes the Role-Based Access Control (RBAC) requirements for each KubeNidra component, as defined in the Helm chart templates. The goal is for each component to hold only the permissions it needs to function.

## Overview
KubeNidra components require different levels of Kubernetes permissions based on their responsibilities:
- Agent: Needs cluster-wide permissions to monitor and modify specific workload types
- API: Requires cluster-wide permissions for specific workload type management, namespace listing, and secret management
- CLI: Needs cluster-wide permissions for interactive workload operations
- Manager: No direct Kubernetes permissions (UI-only component)
NOTE: KubeNidra components require permissions only for DaemonSets, Deployments, ReplicaSets and StatefulSets.

## Component RBAC Requirements

### Agent Component
The agent requires permissions to monitor and modify workloads across the cluster.
#### ClusterRole

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubenidra-agent-cr
rules:
  # Workload monitoring and modification
  - apiGroups: ["apps"]
    resources: ["daemonsets"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["get", "list", "watch", "update", "patch"]
```

#### ClusterRoleBinding

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubenidra-agent-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubenidra-agent-cr
subjects:
  - kind: ServiceAccount
    name: kubenidra-agent-sa
    namespace: kubenidra
```

#### ServiceAccount

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubenidra-agent-sa
  namespace: kubenidra
  labels:
    app.kubernetes.io/name: kubenidra
    app.kubernetes.io/component: agent
```

### API Component
The API component requires permissions to manage workloads, access namespace information, and manage secrets for JWT tokens.
#### ClusterRole

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubenidra-api-cr
rules:
  # Namespace listing for workload discovery
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list"]
  # Secret management for JWT tokens
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "update"]
  # Workload management operations
  - apiGroups: ["apps"]
    resources: ["daemonsets"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["get", "list", "watch", "update", "patch"]
```

#### ClusterRoleBinding

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubenidra-api-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubenidra-api-cr
subjects:
  - kind: ServiceAccount
    name: kubenidra-api-sa
    namespace: kubenidra
```

#### ServiceAccount

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubenidra-api-sa
  namespace: kubenidra
  labels:
    app.kubernetes.io/name: kubenidra
    app.kubernetes.io/component: api
```

### CLI Component
The CLI component requires permissions for interactive workload operations.
#### ClusterRole

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubenidra-cli-cr
rules:
  # Namespace access for workload discovery
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
  # Workload management operations
  - apiGroups: ["apps"]
    resources: ["daemonsets"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["get", "list", "watch", "update", "patch"]
```

#### ClusterRoleBinding

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubenidra-cli-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubenidra-cli-cr
subjects:
  - kind: ServiceAccount
    name: kubenidra-cli-sa
    namespace: kubenidra
```

#### ServiceAccount

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubenidra-cli-sa
  namespace: kubenidra
  labels:
    app.kubernetes.io/name: kubenidra
    app.kubernetes.io/component: cli
```

### Manager Component
The manager is a UI-only component that does not require direct Kubernetes permissions; it performs all operations through the API component.

## Permission Matrix
| Component | Namespaces | Secrets | Workloads |
|---|---|---|---|
| Agent | - | - | get, list, watch, update, patch |
| API | list | get, create, update | get, list, watch, update, patch |
| CLI | get, list | - | get, list, watch, update, patch |
| Manager | - | - | - |
Note: All workload permissions apply to daemonsets, deployments, replicasets, and statefulsets.
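The matrix above can be checked against a live cluster in both directions. The following script is an added example, not part of the KubeNidra chart or its documentation: it asserts that the documented grants are present and that grants the matrix does not list (delete on workloads, access to pods, secrets for the agent and CLI) are denied, which the single `kubectl auth can-i` calls in the Verification section do not cover. The `KUBECTL` and `KUBENIDRA_NAMESPACE` environment variables are assumptions of this script.

```shell
#!/bin/sh
# Added example (not part of the KubeNidra chart): compare what each KubeNidra service
# account can actually do with the documented Permission Matrix. Expected-DENIED checks
# are included so that drift in either direction (missing or excess grants) is reported.
# KUBECTL may name a wrapper command; KUBENIDRA_NAMESPACE defaults to the chart namespace.
KUBECTL="${KUBECTL:-kubectl}"
NS="${KUBENIDRA_NAMESPACE:-kubenidra}"

# can_i SA VERB RESOURCE -> prints "yes"/"no"; prints nothing if the API server is unreachable
can_i() {
  "$KUBECTL" auth can-i "$2" "$3" --as="system:serviceaccount:$NS:$1" \
    --all-namespaces 2>/dev/null || true
}

# expect SA VERB RESOURCE yes|no -> exit status 0 when the live answer matches the matrix
expect() {
  local got
  got=$(can_i "$1" "$2" "$3")
  [ "$got" = "$4" ] && return 0
  echo "MISMATCH: $1 $2 $3 expected=$4 got=${got:-unknown}" >&2
  return 1
}

# check_matrix -> prints the number of mismatches (0 means the cluster matches the document)
check_matrix() {
  local fail sa res verb
  fail=0
  for sa in kubenidra-agent-sa kubenidra-api-sa kubenidra-cli-sa; do
    for res in daemonsets.apps deployments.apps replicasets.apps statefulsets.apps; do
      for verb in get list watch update patch; do
        expect "$sa" "$verb" "$res" yes || fail=$((fail + 1))
      done
      expect "$sa" delete "$res" no || fail=$((fail + 1))   # delete is granted to nobody
    done
    expect "$sa" get pods no || fail=$((fail + 1))          # no component needs pods
  done
  # Namespace and secret grants differ per component
  expect kubenidra-api-sa   list   namespaces yes || fail=$((fail + 1))
  expect kubenidra-api-sa   get    secrets    yes || fail=$((fail + 1))
  expect kubenidra-api-sa   create secrets    yes || fail=$((fail + 1))
  expect kubenidra-api-sa   delete secrets    no  || fail=$((fail + 1))
  expect kubenidra-cli-sa   get    namespaces yes || fail=$((fail + 1))
  expect kubenidra-cli-sa   get    secrets    no  || fail=$((fail + 1))
  expect kubenidra-agent-sa list   namespaces no  || fail=$((fail + 1))
  expect kubenidra-agent-sa get    secrets    no  || fail=$((fail + 1))
  echo "$fail"
}

if [ "${1:-}" = "--run" ]; then check_matrix; fi
```

Run it as `sh check-rbac.sh --run` (hypothetical file name) with a kubeconfig that is allowed to impersonate service accounts; any count above zero means the cluster has drifted from this document.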
## Security Considerations

### Principle of Least Privilege
Each component is granted only the permissions necessary for its operation:
- Agent: Workload management permissions for automated operations
- API: Workload management + secret management for JWT tokens + namespace listing
- CLI: Workload management for interactive operations + namespace access
- Manager: No direct permissions (UI-only)
### Namespace Isolation
All components run in the kubenidra namespace but have cluster-wide permissions to manage workloads across all namespaces. This design allows:
- Centralized management of workloads
- Consistent hibernation policies across namespaces
- Simplified permission management
### Secret Management

Only the API component has access to secrets, specifically for:
- JWT token signing keys
- Authentication credentials
- Configuration secrets

Note that this grant lives in the `kubenidra-api-cr` ClusterRole, is bound through a ClusterRoleBinding and is not restricted by `resourceNames`, so the API service account can get, create and update secrets in every namespace, not only in `kubenidra`. Protect that service account's token accordingly.
## Configuration Options

### Enabling/Disabling RBAC
Each component can have RBAC creation enabled or disabled:
```yaml
agent:
  rbac:
    create: true # or false
  serviceAccount:
    create: true # or false
api:
  rbac:
    create: true # or false
  serviceAccount:
    create: true # or false
cli:
  rbac:
    create: true # or false
  serviceAccount:
    create: true # or false
```

### Custom Annotations
Add custom annotations to service accounts:
```yaml
agent:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/kubenidra-agent-role"
api:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/kubenidra-api-role"
cli:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/kubenidra-cli-role"
```

## Verification

### Check RBAC Resources
Verify that RBAC resources are created correctly:
```bash
# Check cluster roles
kubectl get clusterrole -l app.kubernetes.io/name=kubenidra

# Check cluster role bindings
kubectl get clusterrolebinding -l app.kubernetes.io/name=kubenidra

# Check service accounts
kubectl get serviceaccount -n kubenidra -l app.kubernetes.io/name=kubenidra
```

### Test Permissions
Verify that components have the necessary permissions:
```bash
# Test agent permissions
kubectl auth can-i get deployments --as=system:serviceaccount:kubenidra:kubenidra-agent-sa --all-namespaces

# Test API permissions
kubectl auth can-i list namespaces --as=system:serviceaccount:kubenidra:kubenidra-api-sa

# Test CLI permissions
kubectl auth can-i patch deployments --as=system:serviceaccount:kubenidra:kubenidra-cli-sa --all-namespaces
```

### Audit Logs
Monitor RBAC-related events:
```bash
# Check RBAC events
kubectl get events --field-selector reason=Forbidden -n kubenidra

# Check audit logs (if enabled)
kubectl get events --field-selector reason=Unauthorized -n kubenidra
```

## Troubleshooting

### Common RBAC Issues
- Permission Denied Errors: Verify that the service account has the required permissions
- Missing Resources: Check whether the RBAC resources were created
- Namespace Issues: Ensure that components can access the target namespaces
- Secret Access: Verify that the API component can manage the JWT secrets

### Debug Commands
```bash
# Check service account details
kubectl describe serviceaccount kubenidra-agent-sa -n kubenidra

# Check cluster role details
kubectl describe clusterrole kubenidra-agent-cr

# Check cluster role binding details
kubectl describe clusterrolebinding kubenidra-agent-crb
```

## Best Practices
- Review Permissions: Regularly audit component permissions
- Monitor Access: Track RBAC-related events and errors
- Update Policies: Keep RBAC policies aligned with component requirements
- Document Changes: Maintain clear documentation of permission modifications
- Test Thoroughly: Verify permissions work correctly in all scenarios
- Security Scanning: Use security tools to identify permission issues
- Regular Audits: Conduct periodic RBAC security reviews