CNFs RBAC¶
Overview¶
The Cloud-Native Network Functions (CNFs) BIG-IP Controller uses the default ServiceAccount to access the cluster API. To limit the resources and namespaces that the BIG-IP Controller can manage, the appropriate Kubernetes ServiceAccount and Role-based Access Control (RBAC) objects must be installed. Also, to specify which users can perform CNFs Helm installations, additional RBAC objects must be installed.
This document guides you through installing Kubernetes RBAC objects to limit BIG-IP Controller’s cluster API and namespace access.
API access¶
To grant minimal API access within a specified namespace to both the BIG-IP Controller and the user accounts that manage the BIG-IP Controller, the following objects must be configured and installed in the cluster:

Object | Description
---|---
ServiceAccount | A Pod-level account that binds the BIG-IP Controller to ClusterRole and Role objects.
ClusterRole | Grants minimal access to cluster-level resources, specifically the CNFs Custom Resource Definitions (CRDs).
ClusterRoleBinding | Binds the ServiceAccount and user accounts to the ClusterRole.
Role | Grants minimal access to resources within the specified namespace.
RoleBinding | Binds the ServiceAccount and user accounts to the Role.
Procedures¶
Note: The full list of BIG-IP Controller RBAC objects can be downloaded here.
BIG-IP Controller¶
Use these steps to configure and install the objects that allow minimal API access for the BIG-IP Controller.

1. Copy the ServiceAccount object into a YAML file, and adapt the metadata.name and metadata.namespace values for your environment:

    ```yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: cnf-service-account
      namespace: cnf-gateway
    ```

2. Install the ServiceAccount object:

    ```
    kubectl apply -f cnf-service-account.yaml
    ```

3. Verify the ServiceAccount has been created in the cluster:

    ```
    kubectl get sa -n cnf-gateway
    ```

    In this example, the ServiceAccount named cnf-service-account has been created.

    ```
    NAME                  SECRETS
    default               1
    cnf-service-account   1
    ```

4. Copy the ClusterRole object for the service account into a YAML file, and adapt the metadata.name parameter for your environment:

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cnf-sa-cluster-role
      # "namespace" omitted since ClusterRoles are not namespaced
    rules:
    - apiGroups:
      - "" # "" indicates the core API group
      resources:
      - namespaces
      - endpoints
      - pods
      - services
      - secrets
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - apiextensions.k8s.io
      resources:
      - customresourcedefinitions
      verbs:
      - get
      - list
      - watch
      - update
    - apiGroups:
      - apps
      - extensions
      resources:
      - ingresses
      verbs:
      - create
      - get
      - list
    - apiGroups:
      - discovery.k8s.io
      resources:
      - endpointslices
      verbs:
      - list
      - watch
    - apiGroups:
      - k8s.f5net.com
      - dos.k8s.f5net.com
      - dns.k8s.f5net.com
      resources:
      - '*'
      verbs:
      - watch
      - get
      - list
    ```

5. Install the ClusterRole object:

    ```
    kubectl apply -f cnf-sa-cluster-role.yaml
    ```

6. Verify the ClusterRole has been created in the cluster:

    ```
    kubectl get clusterrole | grep cnf-sa-cluster-role
    ```

    In this example, the ClusterRole named cnf-sa-cluster-role has been created.

    ```
    cnf-sa-cluster-role
    ```

7. Copy the RoleBinding object into a YAML file, and adapt the metadata.name, metadata.namespace, subjects.name, and subjects.namespace values for your environment:

    ```yaml
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: cnf-sa-cluster-role-bind
      namespace: cnf-gateway
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cnf-sa-cluster-role
    subjects:
    - kind: ServiceAccount
      name: cnf-service-account
      namespace: cnf-gateway
    ```

8. Install the RoleBinding object:

    ```
    kubectl apply -f cnf-sa-cluster-role-bind.yaml
    ```

9. Verify the RoleBinding has been created in the cluster:

    ```
    kubectl get rolebinding -n cnf-gateway | grep cnf-sa-cluster-role-bind
    ```

    In this example, the RoleBinding named cnf-sa-cluster-role-bind has been created, and references the cnf-sa-cluster-role.

    ```
    NAME                       ROLE
    cnf-sa-cluster-role-bind   ClusterRole/cnf-sa-cluster-role
    ```

10. Copy the Role object for the service account into a YAML file, and adapt both the metadata.name and metadata.namespace values for your environment:

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: cnf-sa-role
      namespace: cnf-gateway
    rules:
    - apiGroups:
      - "" # "" indicates the core API group
      resources:
      - pods
      - services
      - services/finalizers
      - endpoints
      - persistentvolumeclaims
      - events
      - configmaps
      - secrets
      verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
    - apiGroups:
      - apps
      - extensions
      resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
      - ingresses
      verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    - apiGroups:
      - monitoring.coreos.com
      resources:
      - servicemonitors
      verbs:
      - get
      - create
    - apiGroups:
      - metrics.k8s.io
      resources:
      - pods
      - nodes
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - k8s.f5net.com
      - dos.k8s.f5net.com
      - dns.k8s.f5net.com
      resources:
      - '*' # asterisk to grant access to all resources of the specified api groups
      verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    ```

11. Install the Role object:

    ```
    kubectl apply -f cnf-sa-role.yaml
    ```

12. Verify the Role has been created in the cluster:

    ```
    kubectl get role -n cnf-gateway | grep cnf-sa-role
    ```

    In this example, the Role named cnf-sa-role has been created.

    ```
    cnf-sa-role
    ```

13. Copy the RoleBinding object into a YAML file, and adapt the subjects.name, subjects.namespace, metadata.name, and metadata.namespace values for your environment:

    ```yaml
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: cnf-sa-role-bind
      namespace: cnf-gateway
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: cnf-sa-role
    subjects:
    - kind: ServiceAccount
      name: cnf-service-account
      namespace: cnf-gateway
    ```

14. Install the RoleBinding object:

    ```
    kubectl apply -f cnf-sa-role-bind.yaml
    ```

15. Verify the RoleBinding has been created in the cluster:

    ```
    kubectl get rolebinding -n cnf-gateway | grep cnf-sa-role-bind
    ```

    In this example, the RoleBinding named cnf-sa-role-bind has been created, and references the cnf-sa-role.

    ```
    NAME               ROLE
    cnf-sa-role-bind   Role/cnf-sa-role
    ```

16. Prior to installing the BIG-IP Controller, the following rbac.create and controller.serviceAccount Helm parameters must be configured. In this example, the serviceAccount value cnf-service-account was configured in step 1 of this procedure.

    ```yaml
    rbac:
      create: false
    controller:
      create: false
      serviceAccount: cnf-service-account
    ```
User accounts¶
Use these steps to configure and install the objects that allow minimal API access for the cluster user accounts.

Note: The full list of user account RBAC objects can be downloaded here.

1. Copy the ClusterRole object for the user accounts into a YAML file, and adapt the metadata.name parameter for your environment:

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cnf-user-cluster-role
      # "namespace" omitted since ClusterRoles are not namespaced
    rules:
    - apiGroups:
      - "" # "" indicates the core API group
      resources:
      - namespaces
      - endpoints
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - apiextensions.k8s.io
      resources:
      - customresourcedefinitions
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - admissionregistration.k8s.io
      resources:
      - validatingwebhookconfigurations
      verbs:
      - get
      - create
      - delete
    ```

2. Install the ClusterRole object:

    ```
    kubectl apply -f cnf-user-cluster-role.yaml
    ```

3. Verify the ClusterRole has been created in the cluster:

    ```
    kubectl get clusterrole | grep cnf-user-cluster-role
    ```

    In this example, the ClusterRole named cnf-user-cluster-role has been created.

    ```
    cnf-user-cluster-role
    ```

4. Copy the RoleBinding object into a YAML file, and adapt the metadata.name, metadata.namespace, and subjects.name values for your environment:

    ```yaml
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: cnf-user-clusterrole-bind
      namespace: cnf-gateway
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cnf-user-cluster-role
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: john.williams
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: mary.jones
    ```

5. Install the RoleBinding object:

    ```
    kubectl apply -f cnf-user-clusterrole-bind.yaml
    ```

6. Verify the RoleBinding has been created in the cluster:

    ```
    kubectl get rolebinding -n cnf-gateway | grep cnf-user-clusterrole-bind
    ```

    In this example, the RoleBinding named cnf-user-clusterrole-bind has been created, and references the cnf-user-cluster-role.

    ```
    cnf-user-clusterrole-bind   ClusterRole/cnf-user-cluster-role
    ```

7. Copy the Role object for the user accounts into a YAML file, and adapt the metadata.name and metadata.namespace parameters for your environment:

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: cnf-user-role
      namespace: cnf-gateway
    rules:
    - apiGroups:
      - "" # "" indicates the core API group
      resources:
      - pods
      - pods/log
      - pods/exec
      - pods/status
      - services
      - services/finalizers
      - endpoints
      - persistentvolumeclaims
      - events
      - configmaps
      - secrets
      - resourcequotas
      verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
    - apiGroups:
      - apps
      - extensions
      resources:
      - deployments
      - deployments/scale
      - daemonsets
      - replicasets
      - statefulsets
      - ingresses
      verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    - apiGroups:
      - monitoring.coreos.com
      resources:
      - servicemonitors
      verbs:
      - get
      - create
    - apiGroups:
      - metrics.k8s.io
      resources:
      - pods
      - nodes
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - k8s.f5net.com
      - dos.k8s.f5net.com
      - dns.k8s.f5net.com
      resources:
      - '*' # asterisk to grant access to all resources of the specified api groups
      verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    - apiGroups:
      - rbac.authorization.k8s.io
      resources:
      - roles
      - rolebindings
      verbs:
      - get
      - watch
      - list
    - apiGroups:
      - ""
      resources:
      - serviceaccounts
      verbs:
      - impersonate
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    ```

8. Install the Role object:

    ```
    kubectl apply -f cnf-user-role.yaml
    ```

9. Verify the Role has been created in the cluster:

    ```
    kubectl get role -n cnf-gateway | grep cnf-user-role
    ```

    In this example, the Role named cnf-user-role has been created.

    ```
    cnf-user-role
    ```

10. Copy the RoleBinding into a YAML file, and adapt the metadata.name, metadata.namespace, and subjects.name parameters for your environment:

    ```yaml
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: cnf-user-role-bind
      namespace: cnf-gateway
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: cnf-user-role
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: john.williams
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: mary.jones
    ```

11. Install the RoleBinding object:

    ```
    kubectl apply -f cnf-user-role-bind.yaml
    ```

12. Verify the RoleBinding has been created in the cluster:

    ```
    kubectl get rolebinding -n cnf-gateway | grep cnf-user-role-bind
    ```

    In this example, the RoleBinding named cnf-user-role-bind has been created, and references the cnf-user-role.

    ```
    NAME                 ROLE
    cnf-user-role-bind   Role/cnf-user-role
    ```

The specified users can now install the BIG-IP Controller using Helm.
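As an added example that is not part of this F5 document, the following Python models how the Kubernetes RBAC authorizer evaluates the bindings created in the BIG-IP Controller and user-account procedures above. The rules are transcribed from the page's manifests and trimmed to a few representative entries; the resource name used to exercise the wildcard rule is a placeholder.

```python
# Added example, not from the F5 CNFs documentation: an offline model of how the Kubernetes RBAC
# authorizer evaluates the objects installed above (rules transcribed and trimmed from the page).

ROLES = {  # keyed by (kind, name), the way a binding's roleRef names a role
    ("ClusterRole", "cnf-sa-cluster-role"): [
        {"apiGroups": [""], "resources": ["namespaces", "endpoints", "pods", "services", "secrets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
         "verbs": ["get", "list", "watch", "update"]},
    ],
    ("Role", "cnf-sa-role"): [
        {"apiGroups": [""], "resources": ["pods", "services", "secrets", "configmaps"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": ["k8s.f5net.com", "dos.k8s.f5net.com", "dns.k8s.f5net.com"],
         "resources": ["*"], "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    ],
    ("Role", "cnf-user-role"): [
        {"apiGroups": [""], "resources": ["serviceaccounts"],
         "verbs": ["impersonate", "create", "delete", "get", "list", "patch", "update", "watch"]},
    ],
}
# Subjects are (kind, namespace, name); User subjects have no namespace.
SA = ("ServiceAccount", "cnf-gateway", "cnf-service-account")
USER = ("User", None, "john.williams")
BINDINGS = [  # every binding the page creates is a RoleBinding in cnf-gateway
    {"kind": "RoleBinding", "namespace": "cnf-gateway",
     "roleRef": ("ClusterRole", "cnf-sa-cluster-role"), "subjects": [SA]},
    {"kind": "RoleBinding", "namespace": "cnf-gateway",
     "roleRef": ("Role", "cnf-sa-role"), "subjects": [SA]},
    {"kind": "RoleBinding", "namespace": "cnf-gateway",
     "roleRef": ("Role", "cnf-user-role"), "subjects": [USER]},
]

def rule_matches(rule, group, resource, verb):
    """A rule grants a request when API group, resource and verb each match or are '*'."""
    return all(want in allowed or "*" in allowed for want, allowed in
               ((group, rule["apiGroups"]), (resource, rule["resources"]), (verb, rule["verbs"])))

def can_i(subject, verb, resource, group="", namespace=None):
    """Answer like 'kubectl auth can-i'; namespace=None is a cluster-scoped request."""
    for binding in BINDINGS:
        if subject not in binding["subjects"]:
            continue
        # A RoleBinding grants only inside its own namespace, even when its roleRef is a
        # ClusterRole, so a cluster-scoped request (list namespaces, update CRDs) never matches.
        if binding["kind"] == "RoleBinding" and namespace != binding["namespace"]:
            continue
        if any(rule_matches(r, group, resource, verb) for r in ROLES[binding["roleRef"]]):
            return True
    return False
```

The caveat the model makes visible: because cnf-sa-cluster-role is bound with a RoleBinding rather than the ClusterRoleBinding listed in the overview table, its verbs apply only inside cnf-gateway, so cluster-scoped requests such as listing namespaces or updating CRDs are denied through that binding.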
Next step¶
Continue to one of the following guides listed by installation precedence:
- Required: Install the Fluentd Logging collector to centralize CNF container logging.
- Optional: Install the dSSM Database to store session-state information.
- Required: Install the BIG-IP Controller, Edge Firewall and TMM Pods.
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.