CNFs RBAC

Overview

The Cloud-Native Network Functions (CNFs) BIG-IP Controller uses the default ServiceAccount to access the cluster API by default. To limit the resources and namespaces that the BIG-IP Controller can manage, the appropriate Kubernetes ServiceAccount and Role-based Access Control (RBAC) objects must be installed. Also, to specifiy which users can perform CNFs Helm installations, additional RBAC objects must be installed.

This document guides you through installing Kubernetes RBAC objects to limit BIG-IP Controller’s cluster API and namespace access.

API access

To grant minimal API access within a specified namespace to both the BIG-IP Controller and the user accounts that manage the BIG-IP Controller, the follwoing objects must be confiured and installed in the cluster:

Object	Description
ServiceAccount	A Pod-level account that binds the BIG-IP Controller to ClusterRole and Role objects.
ClusterRole	Grants minimal access to cluster-level resources, specifically the CNFs Custom Resource Definitions (CRDs).
ClusterRoleBinding	Binds the ServiceAccount and user accounts to the ClusterRole.
Role	Grants minilam access to resources within the specified namespace.
RoleBinding	Binds the ServiceAccount and user accounts to the Role.

Requirements

Ensure you have:

• A working Robin cluster.

• Installed the CNFs Software.

Procedures

Note: The full list of BIG-IP Controller RBAC objects can be downloaded here.

BIG-IP Controller

Create a serviceAccount

The serviceAccount required for installing the BIG-IP Controller can be created either manually or automatically. However, it is recommended to use only one of these methods (Create a serviceAccount manually or Create a serviceAccount using Helm). Ensure the serviceAccount is created prior to starting the BIG-IP Controller installation process.

Note: Use only one of the Create a serviceAccount manually and Create a serviceAccount using Helm processes to create a serviceAccount.

Create a serviceAccount and RBAC using Helm

You can create the serviceAccount required for the BIG-IP Controller automatically during installation by using Helm. This simplifies the process and ensures the serviceAccount is properly configured.

• Enable the following parameters in the values.yaml file in BIG-IP controller (f5ingress).

  rbac:
    create: true
  
  controller:
    serviceAccount:
      name: cnf-service-account
  

Create a serviceAccount manually

Following are the steps to configure and install the objects that allow minimal API access for the BIG-IP Controller.

1. Copy the ServiceAccount object into a YAML file, and adapt the metadata.name and metadata.namespace values for your environment:

   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: cnf-service-account
     namespace: cnf-gateway
   

2. Install the ServiceAccount object:

   kubectl apply -f cnf-service-account.yaml
   

3. Verify the ServiceAccount has been created in the cluster:

   In this example, the ServiceAccount named cnf-service-account has been created.

   kubectl get sa -n cnf-gateway
   

   NAME                   SECRETS 
   default                1      
   cnf-service-account    1     
   

4. Add the serviceAccount to the Project’s privileged security context constraint (SCC):

   kubectl policy add-scc-to-user privileged -n <project> -z <serviceaccount>
   

   In this example, the cnf-service-account serviceAccount is added to the cnf-gateway Project’s privileged SCC:

   kubectl policy add-scc-to-user privileged -n cnf-gateway -z cnf-service-account
   

5. Copy the ClusterRole object for the service account into a YAML file, and adapt the metadata.name parameter for your environment:

   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:
     name: cnf-sa-cluster-role
     # "namespace" omitted since ClusterRoles are not namespaced
   rules:
   - apiGroups:
    - "" # "" indicates the core API group
    resources:
    - namespaces
    - pods
    - services
    - endpoints
    - nodes
    verbs:
    - get
    - list
    - watch
   - apiGroups:
    - ""
    resources:
    - pods/status
    verbs:
    - get
    - update
    - patch
   - apiGroups:
    - admissionregistration.k8s.io
    resources:
    - validatingwebhookconfigurations
    verbs:
    - get
    - update
   - apiGroups:
    - apiextensions.k8s.io
    resources:
    - customresourcedefinitions
    verbs:
    - get
    - list
    - watch
   - apiGroups:
    - apiextensions.k8s.io
    resourceNames:
    - f5-big-ips-policies.k8s.f5net.com
    - f5-big-pe-policies.k8s.f5net.com
    resources:
    - customresourcedefinitions
    verbs:
    - get
    - list
    - watch
    - update
   - apiGroups:
    - discovery.k8s.io
    resources:
    - endpointslices
    verbs:
    - list
    - watch
    - get
   - apiGroups:
    - ingresstcp.k8s.f5net.com
    - ingressudp.k8s.f5net.com
    - k8s.f5net.com
    - dos.k8s.f5net.com
    - dns.k8s.f5net.com
    - gateway.networking.k8s.io
    - gateway.k8s.f5net.com
    - fic.f5.com
    resources:
    - '*'
    verbs:
    - watch
    - get
    - list
    - create
    - update
    - delete
    - patch
   - apiGroups:
    - k8s.ovn.org
    resources:
    - adminpolicybasedexternalroutes
    verbs:
    - get
    - list
    - watch
   - apiGroups:
    - ""
    resources:
    - events
    verbs:
    - create
   

6. Install the ClusterRole object:

   kubectl apply -f cnf-sa-cluster-role.yaml
   

7. Verify the ClusterRole has been created in the cluster:

   kubectl get clusterrole | grep cnf-sa-cluster-role
   

   In this example, the ClusterRole named cnf-sa-cluster-role has been created.

   cnf-sa-cluster-role
   

8. Copy the ClusterRoleBinding object into a YAML file, and adapt the metadata.name, metadata.namespace, subjects.name, and subjects.namespace values for your environment:

   kind: ClusterRoleBinding
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: cnf-sa-cluster-role-bind
     namespace: cnf-gateway
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: cnf-sa-cluster-role
   subjects:
   - kind: ServiceAccount
     name: cnf-service-account
     namespace: cnf-gateway
   

9. Install the ClusterRoleBinding object:

   kubectl apply -f cnf-sa-cluster-role-bind.yaml
   

10. Verify the ClusterRoleBinding has been created in the cluster:

    kubectl get clusterrolebinding -n cnf-gateway | grep  cnf-sa-cluster-role-bind
    

    In this example, the ClusterRoleBinding named cnf-sa-cluster-role-bind has been created, and references the cnf-sa-cluster-role.

    NAME                    ROLE                     
    cnf-sa-cluster-role-bind   ClusterRole/cnf-sa-cluster-role
    

11. Copy the Role object for the service account into a YAML file, and adapt both the metadata.name and metadata.namespace values for your environment:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: cnf-sa-role
      namespace: cnf-gateway
    rules:
    - apiGroups:
      resources:
      - deployments
      - deployments/scale
      - pods/log
      - pods/exec
      - pods/status
      - services/finalizers
      - resourcequotas
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - metrics.k8s.io
      resources:
      - pods
      - nodes
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      resources:
      - events
      - services
      - pods
      verbs:
      - create
      - update
      - delete
      - patch
    - apiGroups:
      resources:
      - configmaps
      verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - patch
      - deletecollection
    - apiGroups:
      - apps
      - extensions
      resources:
      - deployments
      - deployments/scale
      - daemonsets
      - replicasets
      - statefulsets
      - ingresses
      verbs:
      - get
      - list
      - watch
      - create
      - delete
      - update
      - patch