Contact Us 1-800-596-4880
  1. Homepage
  2. Runtime Fabric (2.8)
  3. Hardening Runtime Fabric
  4. Securing Runtime Fabric

  5. Configuring Authorized Namespaces

Configuring Authorized Namespaces in Runtime Fabric

Authorized namespaces enable you to deploy Runtime Fabric alongside other services in a Kubernetes cluster. By limiting permissions in your cluster, you can allow Runtime Fabric to access resources only within namespaces assigned to Runtime Fabric.

With authorized namespaces, you have control of the creation of the following Runtime Fabric resources:

  • Namespaces

  • RoleBindings

  • ServiceAccounts

How Authorized Namespaces Work

At install time, you provide a configuration file that consists of your namespaces, ServiceAccounts, ClusterRoles/Roles, and RoleBindings.

Runtime Fabric installs the Runtime Fabric agent (rtf-agent) in the Runtime Fabric namespace, and it has access to any additional namespaces that you provide in the authorized namespace list.

Example

The following is an example of a Runtime Fabric agent ClusterRole that allows the agent to control all cron jobs across all namespaces in a cluster.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: rtf:agent
rules:
- apiGroups:
 - batch
 resources:
 - cronjobs
 verbs:
 - create
 - delete
 - deletecollection
 - get
 - list
 - patch
 - update
 - watch

Runtime Fabric creates the required RoleBinding objects which use the ClusterRole rtf:agent to allow corresponding ServiceAccount to perform various actions (verbs) on cron jobs in two namespaces.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rtf:agent-1
  namespace: namespace1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rtf:agent
subjects:
- kind: ServiceAccount
  name: rtf-agent-sa
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rtf:agent-2
  namespace: namespace2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rtf:agent
subjects:
- kind: ServiceAccount
  name: rtf-agent-sa
  namespace: default

To use clustered apps in authorized namespaces mode, the following RoleBinding must be created:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rtf-mule-clusterip-service
  namespace: <app_namespace>
subjects:
- kind: ServiceAccount
  name: mule-clusterip-service
  namespace: <rtf_namespace>
roleRef:
  kind: ClusterRole
  name: rtf:mule-clusterip-service
  apiGroup: rbac.authorization.k8s.io

Configure Authorized Namespaces

You configure authorized namespaces when you install Runtime Fabric. Refer to the appropriate installation instructions:

Add New Namespaces

If you update the authorized-namespaces ConfigMap with a new namespace, you must restart the Runtime Fabric agent deployment using the following command:

kubectl rollout restart deployment/agent