Cluster-wide RBACs for BIG-IP Next for Kubernetes

Implementing minimal RBAC is a recommended best practice in Kubernetes and systems that use role-based permissions. It ensures that users, processes, and services are granted only the permissions necessary to perform their tasks. This approach, known as the principle of least privilege, strengthens security, minimizes risks, and improves maintainability.

By adopting minimum RBAC, we ensure that the Kubernetes cluster remains secure, compliant, and manageable, while reducing risks from both internal and external threats. However, a few BIG-IP Next for Kubernetes components, listed in this section, still require cluster-wide access or privileges under certain circumstances, as detailed in the justification column.

CNE Controller (f5ingress)

| Resource | Privilege | Justification |
|---|---|---|
| nodes | Read only (get, list) | Cluster-wide access is required to configure static routes for application pods when an in-cluster service is used as the backend. Example: F5BigContextSecure CR configured with an in-cluster service. This access is conditionally included in the cluster role only when the Helm parameter watchNamespace is set to a non-empty value. By default, watchNamespace is empty. If this default is retained, the CNE controller does not require node access and will not include this permission in its default RBAC. |
| customresourcedefinitions (CRDs) | Read only | The CNE controller needs to identify which F5 CRDs are installed in the cluster. The controller uses this list to run watchers only for the relevant CRDs (F5 and Gateway API) deployed on the cluster. This check avoids unnecessary error logging and ensures that only the required watchers are executed. To achieve this, the controller performs a list operation on the CRDs. Alternatively, it could query the Kubernetes API server for each CRD individually to verify its installation; however, that approach is resource-intensive due to the large number of CRDs (over 100, some with multiple aliases). |
| namespaces | Read only (get, list, watch) | The CNF requires the ability to add or remove OVN annotations when a namespace is added or deleted. This functionality is included in the cluster role only if the Helm parameter watchNamespace is set to a non-empty value. The default value of watchNamespace is empty. If the default value is used, the CNE controller does not require access to namespaces and does not include this functionality in its default RBAC configuration. |
| adminpolicybasedexternalroutes | Read only (get, list, watch) | Required to update OVN annotations, as the resource itself is cluster-scoped. It is included in the cluster role only if the Helm parameter watchNamespace is set to a non-empty value. The default value of watchNamespace is empty. If the default value is used, the CNE controller does not require this access, and the permission is not included in its default RBAC configuration. |
| validatingwebhookconfigurations | get, update | Cluster-wide privilege is required to update the CA bundle for the webhook, as the resource itself is cluster-scoped. |

CWC

| Resource | Privilege | Justification |
|---|---|---|
| nodes | Read only (get, list) | Cluster-wide access is required to fetch node details and add those details to the telemetry report. |
| customresourcedefinition | Read only (get, list) | The CWC needs to retrieve the list of installed F5 CRDs to include details in the telemetry report, which provides cluster-wide information such as the number of instances of each CRD across namespaces. This data is also used by the qkview API to fetch CRD details. |
| namespace | Read only (get, list) | Cluster-wide access is required to fetch details from all namespaces required by qkview. |

In environments where the F5 components are deployed across multiple namespaces, set the parameter wholeCluster to True in the values.yaml file. If all F5 components are installed in a single namespace and there are no watch namespaces, wholeCluster can be set to False.

The following table lists the resources that require cluster-wide access when wholeCluster is set to True.

| Resource | Privilege | Justification |
|---|---|---|
| pods | Read only (get, list) | Multiple CNE Controllers and watch namespaces are dynamically added at runtime. Additionally, qkview operations need to collect data from pods running across multiple namespaces. |
| services | Read only (get, list) | Multiple CNE Controllers and watch namespaces are dynamically added at runtime. Additionally, qkview operations need to collect data from pods running across multiple namespaces. |
| deployments/daemonsets | Read only (get, list) | Multiple CNE Controllers and watch namespaces are dynamically added at runtime. CWC requires this information to identify the various TMM deployments and retrieve details about TMM instances and CPU usage required for telemetry. |
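The conditional rules in the CNE controller table (present only when watchNamespace is non-empty) and in the CWC table above (present only when wholeCluster is True) can be checked mechanically. The following script is an added example, not F5's code or part of the BIG-IP Next for Kubernetes chart: it encodes the two tables as (apiGroup, resource, verb) triples and compares a rendered ClusterRole (in the JSON shape `kubectl get clusterrole -o json` produces) against the set that the chosen Helm settings justify, reporting permissions that are granted but not justified and permissions that are justified but absent. The API groups are the standard Kubernetes ones for these resources (k8s.ovn.org for OVN-Kubernetes' AdminPolicyBasedExternalRoute); rows that say only "Read only" are modelled as get+list, which is an assumption, and the sample ClusterRole and its name are constructed for the demonstration.

```python
"""Added example (not F5's code): model the cluster-wide permissions the tables
above justify for the CNE controller and CWC as data, then audit a rendered
ClusterRole against them for the chosen Helm settings."""
from typing import Dict, List, Set, Tuple

Perm = Tuple[str, str, str]  # (apiGroup, resource, verb)

# Standard Kubernetes API groups of the listed resources ("" is the core group);
# k8s.ovn.org is the group OVN-Kubernetes uses for AdminPolicyBasedExternalRoute.
CORE, APPS = "", "apps"
APIEXT = "apiextensions.k8s.io"
ADMISSION = "admissionregistration.k8s.io"
OVN = "k8s.ovn.org"


def _perms(group: str, resource: str, *verbs: str) -> Set[Perm]:
    return {(group, resource, v) for v in verbs}


def expected_permissions(component: str, watch_namespace: str = "",
                         whole_cluster: bool = False) -> Set[Perm]:
    """Cluster-wide permissions the tables justify for 'cne' or 'cwc'.

    Rows marked only 'Read only' are modelled as get+list (an assumption).
    CNE: nodes/namespaces/adminpolicybasedexternalroutes appear only when the
    Helm parameter watchNamespace is non-empty.  CWC: pods/services/
    deployments/daemonsets appear only when wholeCluster is True.
    """
    if component == "cne":
        perms = (_perms(APIEXT, "customresourcedefinitions", "get", "list")
                 | _perms(ADMISSION, "validatingwebhookconfigurations", "get", "update"))
        if watch_namespace:
            perms |= (_perms(CORE, "nodes", "get", "list")
                      | _perms(CORE, "namespaces", "get", "list", "watch")
                      | _perms(OVN, "adminpolicybasedexternalroutes", "get", "list", "watch"))
        return perms
    if component == "cwc":
        perms = (_perms(CORE, "nodes", "get", "list")
                 | _perms(APIEXT, "customresourcedefinitions", "get", "list")
                 | _perms(CORE, "namespaces", "get", "list"))
        if whole_cluster:
            for group, resource in ((CORE, "pods"), (CORE, "services"),
                                    (APPS, "deployments"), (APPS, "daemonsets")):
                perms |= _perms(group, resource, "get", "list")
        return perms
    raise ValueError(f"unknown component {component!r}")


def expand_rules(cluster_role: Dict) -> Set[Perm]:
    """Flatten ClusterRole.rules (shape of `kubectl get clusterrole -o json`) into
    (apiGroup, resource, verb) triples; '*' wildcards are kept literally."""
    out: Set[Perm] = set()
    for rule in cluster_role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    out.add((group, resource, verb))
    return out


def _covered(perm: Perm, actual: Set[Perm]) -> bool:
    """True if some granted triple matches perm, honouring '*' in any position."""
    return any(all(a == p or a == "*" for a, p in zip(act, perm)) for act in actual)


def audit_cluster_role(cluster_role: Dict, expected: Set[Perm]) -> Dict[str, List[Perm]]:
    """excess: granted but not justified (any wildcard counts, since the tables
    never justify one); missing: justified but not granted (fails at runtime)."""
    actual = expand_rules(cluster_role)
    return {
        "excess": sorted(p for p in actual if "*" in p or p not in expected),
        "missing": sorted(p for p in expected if not _covered(p, actual)),
    }


# Constructed sample: a CNE ClusterRole rendered with watchNamespace empty, but
# carrying a nodes rule and a wildcard CRD verb that the default does not need.
SAMPLE_CNE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "f5ingress-example"},  # hypothetical name
    "rules": [
        {"apiGroups": [APIEXT], "resources": ["customresourcedefinitions"], "verbs": ["*"]},
        {"apiGroups": [ADMISSION], "resources": ["validatingwebhookconfigurations"],
         "verbs": ["get", "update"]},
        {"apiGroups": [CORE], "resources": ["nodes"], "verbs": ["get", "list"]},
    ],
}

if __name__ == "__main__":
    for ns in ("", "apps"):
        report = audit_cluster_role(SAMPLE_CNE_ROLE, expected_permissions("cne", watch_namespace=ns))
        print(f"watchNamespace={ns!r}: excess={report['excess']} missing={report['missing']}")
```

With watchNamespace empty, the sample role is flagged for the nodes rule and the wildcard CRD verb; with watchNamespace set, the nodes rule becomes justified and the audit instead reports the namespaces and adminpolicybasedexternalroutes rules as missing. Running the same check against the CWC role with `expected_permissions("cwc", whole_cluster=...)` tells you whether a role rendered with wholeCluster=True was left in place after the deployment was consolidated into one namespace.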

CSRC

| Resource | Privilege | Justification |
|---|---|---|
| nodes | Read only (list) | The CSRC requires the list of nodes in the cluster to determine their CIDR values. |
| ippools | Read only (list) | The CSRC requires information from all IPPools resources to retrieve their respective CIDRs. |