kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rtf:agent
rules:
- apiGroups:
  - batch
  resources:
  - cronjobs
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
Configuring Authorized Namespaces in Runtime Fabric
Authorized namespaces enable you to deploy Runtime Fabric alongside other services in a Kubernetes cluster. By limiting permissions in your cluster, you can allow Runtime Fabric to access resources only within namespaces assigned to Runtime Fabric.
With authorized namespaces, you have control of the creation of the following Runtime Fabric resources:
- Namespaces
- RoleBindings
- ServiceAccounts
How Authorized Namespaces Work
At install time, you provide a configuration file that consists of your namespaces, ServiceAccounts, ClusterRoles/Roles, and RoleBindings.
Runtime Fabric installs the Runtime Fabric agent (rtf-agent) in the Runtime Fabric namespace, and it has access to any additional namespaces that you provide in the authorized namespace list.
Example
The following is an example of a Runtime Fabric agent ClusterRole that allows the agent to control all cron jobs across all namespaces in a cluster.
Runtime Fabric creates the required RoleBinding objects, which reference the ClusterRole rtf:agent to allow the corresponding ServiceAccount to perform the listed actions (verbs) on cron jobs in two namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rtf:agent-1
  namespace: namespace1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rtf:agent
subjects:
- kind: ServiceAccount
  name: rtf-agent-sa
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rtf:agent-2
  namespace: namespace2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rtf:agent
subjects:
- kind: ServiceAccount
  name: rtf-agent-sa
  namespace: default
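As an added check, not part of the Runtime Fabric documentation or product, the following Python resolves from RBAC manifests (written here as plain dicts in the same shape as the YAML above) which namespaces a ServiceAccount is actually granted a permission in. It confirms that binding the rtf:agent ClusterRole through per-namespace RoleBindings limits rtf-agent-sa's cron job rights to namespace1 and namespace2, and it flags a ClusterRoleBinding, which would widen them to the whole cluster.

```python
"""Static RBAC check for the authorized-namespaces pattern (added example).
A RoleBinding that references a ClusterRole grants that ClusterRole's rules only
inside the binding's own namespace; a ClusterRoleBinding grants them cluster-wide ("*")."""
CLUSTER_WIDE = "*"

def _rule_matches(rule, group, resource, verb):
    """True if one rule covers the requested group/resource/verb ('*' wildcards honoured)."""
    def hit(values, wanted):
        return any(v in ("*", wanted) for v in values)
    return (hit(rule.get("apiGroups", []), group) and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))

def _subject_matches(subject, sa_namespace, sa_name):
    return (subject.get("kind") == "ServiceAccount" and subject.get("name") == sa_name
            and subject.get("namespace") == sa_namespace)

def effective_namespaces(manifests, sa_namespace, sa_name, group, resource, verb):
    """Namespaces where the ServiceAccount holds the permission; manifests are dicts shaped like the YAML."""
    roles = {(m["kind"], m["metadata"].get("namespace", ""), m["metadata"]["name"]): m.get("rules", [])
             for m in manifests if m["kind"] in ("Role", "ClusterRole")}
    granted = set()
    for m in manifests:
        if m["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(_subject_matches(s, sa_namespace, sa_name) for s in m.get("subjects", [])):
            continue
        ref, binding_ns = m["roleRef"], m["metadata"].get("namespace", "")
        # A Role is only addressable from its own namespace; a ClusterRole from any binding.
        key = (ref["kind"], binding_ns if ref["kind"] == "Role" else "", ref["name"])
        if any(_rule_matches(r, group, resource, verb) for r in roles.get(key, [])):
            granted.add(CLUSTER_WIDE if m["kind"] == "ClusterRoleBinding" else binding_ns)
    return granted

# Constructed sample input: the page's rtf:agent ClusterRole and its two RoleBindings.
AGENT_CLUSTERROLE = {"kind": "ClusterRole", "metadata": {"name": "rtf:agent"}, "rules": [
    {"apiGroups": ["batch"], "resources": ["cronjobs"],
     "verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]}]}

def agent_binding(name, namespace):
    """RoleBinding of the rtf:agent ClusterRole to rtf-agent-sa (default ns) inside one namespace."""
    return {"kind": "RoleBinding", "metadata": {"name": name, "namespace": namespace},
            "roleRef": {"kind": "ClusterRole", "name": "rtf:agent"},
            "subjects": [{"kind": "ServiceAccount", "name": "rtf-agent-sa", "namespace": "default"}]}

SAMPLE = [AGENT_CLUSTERROLE, agent_binding("rtf:agent-1", "namespace1"), agent_binding("rtf:agent-2", "namespace2")]

if __name__ == "__main__":
    print(sorted(effective_namespaces(SAMPLE, "default", "rtf-agent-sa", "batch", "cronjobs", "create")))
```

Run it against manifests exported from your own cluster to confirm the agent's permissions end at the authorized namespaces.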
To use clustered apps in authorized namespaces mode, the following RoleBinding must be created:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rtf-mule-clusterip-service
  namespace: <app_namespace>
subjects:
- kind: ServiceAccount
  name: mule-clusterip-service
  namespace: <rtf_namespace>
roleRef:
  kind: ClusterRole
  name: rtf:mule-clusterip-service
  apiGroup: rbac.authorization.k8s.io