CNFs RBAC¶

Overview¶

The Cloud-Native Network Functions (CNFs) BIG-IP Controller uses the default ServiceAccount to access the cluster API by default. To limit the resources and namespaces that the BIG-IP Controller can manage, the appropriate Kubernetes ServiceAccount and Role-based Access Control (RBAC) objects must be installed. Also, to specifiy which users can perform CNFs Helm installations, additional RBAC objects must be installed.

This document guides you through installing Kubernetes RBAC objects to limit BIG-IP Controller’s cluster API and namespace access.

API access¶

To grant minimal API access within a specified namespace to both the BIG-IP Controller and the user accounts that manage the BIG-IP Controller, the follwoing objects must be confiured and installed in the cluster:

Object	Description
`ServiceAccount`	A Pod-level account that binds the BIG-IP Controller to ClusterRole and Role objects.
`ClusterRole`	Grants minimal access to cluster-level resources, specifically the CNFs Custom Resource Definitions (CRDs).
`ClusterRoleBinding`	Binds the ServiceAccount and user accounts to the ClusterRole.
`Role`	Grants minilam access to resources within the specified namespace.
`RoleBinding`	Binds the ServiceAccount and user accounts to the Role.

Requirements¶

Ensure you have:

A working Robin cluster.
Installed the CNFs Software.

Procedures¶

Note: The full list of BIG-IP Controller RBAC objects can be downloaded here.

BIG-IP Controller¶

Use these steps to configure and install the objects that allow minimal API access for the BIG-IP Controller.

Copy the ServiceAccount object into a YAML file, and adapt the metadata.name and metadata.namespace values for your environment:
```
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cnf-service-account
  namespace: cnf-gateway
```

Install the ServiceAccount object:

kubectl apply -f cnf-service-account.yaml

Verify the ServiceAccount has been created in the cluster:

In this example, the ServiceAccount named cnf-service-account has been created.

kubectl get sa -n cnf-gateway

NAME                   SECRETS 
default                1      
cnf-service-account    1     

Copy the ClusterRole object for the service account into a YAML file, and adapt the metadata.name parameter for your environment:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cnf-sa-cluster-role
  # "namespace" omitted since ClusterRoles are not namespaced
rules:
- apiGroups:
  - "" # "" indicates the core API group
  resources:
  - namespaces
  - endpoints
  - pods
  - services
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  - extensions
  resources:
  - ingresses
  verbs:
  - create
  - get
  - list
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
- apiGroups:
  - k8s.f5net.com
  - dos.k8s.f5net.com
  - dns.k8s.f5net.com
  resources:
  - '*'
  verbs:
  - watch
  - get
  - list

Install the ClusterRole object:

kubectl apply -f cnf-sa-cluster-role.yaml

Verify the ClusterRole has been created in the cluster:
```
kubectl get clusterrole | grep cnf-sa-cluster-role
```
In this example, the ClusterRole named cnf-sa-cluster-role has been created.
```
cnf-sa-cluster-role
```

Copy the RoleBinding object into a YAML file, and adapt the metadata.name, metadata.namespace, subjects.name, and subjects.namespace values for your environment:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cnf-sa-cluster-role-bind
  namespace: cnf-gateway
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnf-sa-cluster-role
subjects:
- kind: ServiceAccount
  name: cnf-service-account
  namespace: cnf-gateway

Install the RoleBinding object:

kubectl apply -f cnf-sa-cluster-role-bind.yaml

Verify the RoleBinding has been created in the cluster:

kubectl get rolebinding -n cnf-gateway | grep  cnf-sa-cluster-role-bind

In this example, the ClusterRoleBinding named cnf-sa-cluster-role-bind has been created, and references the cnf-sa-cluster-role.

NAME                    ROLE                     
cnf-sa-cluster-role-bind   ClusterRole/cnf-sa-cluster-role

Copy the Role object for the service account into a YAML file, and adapt both the metadata.name and metadata.namespace values for your environment:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cnf-sa-role
  namespace: cnf-gateway
rules:
- apiGroups:
  - "" # "" indicates the core API group
  resources:
  - pods
  - services
  - services/finalizers
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
  - deletecollection
- apiGroups:
  - apps
  - extensions
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  - ingresses
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - monitoring.coreos.com
  resources:
  - servicemonitors
  verbs:
  - get
  - create
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - k8s.f5net.com
  - dos.k8s.f5net.com
  - dns.k8s.f5net.com
  resources:
  - '*' # asterisk to grant access to all resources of the specified api groups
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch

Install the Role object:
```
kubectl apply -f cnf-sa-role.yaml
```
Verify the Role has been created in the cluster:
```
kubectl get role -n cnf-gateway | grep cnf-sa-role
```
In this example, the Role named cnf-sa-role has been created.
```
cnf-sa-role
```

Copy the RoleBinding object into a YAML file, and adapt the subjects.name, subjects.namespace, metadata.name, and metadata.namespace values for your environment:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cnf-sa-role-bind
  namespace: cnf-gateway
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cnf-sa-role
subjects:
- kind: ServiceAccount
  name: cnf-service-account
  namespace: cnf-gateway

Install the RoleBinding object:
```
kubectl apply -f cnf-sa-role-bind.yaml
```

Verify the RoleBinding has been created in the cluster:

kubectl get rolebinding -n cnf-gateway | grep  cnf-sa-role-bind

In this example, the RoleBinding named cnf-sa-role-bind has been created, and references the cnf-sa-role.

NAME               ROLE                     
cnf-sa-role-bind   ClusterRole/cnf-sa-role

Prior to installing the BIG-IP Controller, the following rbac.create and controller.serviceAccount Helm parameters must be configured:

In this example, the serviceAccount value cnf-service-account was configured in step 1 of this procedure.
```
rbac:
  create: false

controller:
  create: false
  serviceAccount: cnf-service-account
```

User accounts¶

Use these steps to configure and install the objects that allow minimal API access for the cluster user accounts.

Note: The full list of user account RBAC objects can be downloaded here.

Copy the ClusterRole object for the user accounts into a YAML file, and adapt the metadata.name parameter for your environment:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cnf-user-cluster-role
  # "namespace" omitted since ClusterRoles are not namespaced
rules:
- apiGroups:
  - "" # "" indicates the core API group
  resources:
  - namespaces
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - create
  - delete

Install the ClusterRole object:

kubectl apply -f cnf-user-cluster-role.yaml

Verify the ClusterRole has been created in the cluster:
```
kubectl get clusterrole | grep cnf-user-cluster-role
```
In this example, the ClusterRole named cnf-user-cluster-role has been created.
```
cnf-user-cluster-role
```

Copy the RoleBinding object into YAML file, and adapt the metadata.name, metadata.namespace, and subjects.name values for your environment:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cnf-user-clusterrole-bind
  namespace: cnf-gateway
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnf-user-cluster-role
subjects:
- apiGroup: rbac.authorization.k8s.io 
  kind: User  
  name: john.williams
- apiGroup: rbac.authorization.k8s.io 
  kind: User  
  name: mary.jones

Verify the RoleBinding has been created in the cluster:
```
kubectl get rolebinding -n cnf-gateway | grep  cnf-user-clusterrole-bind
```
In this example, the RoleBinding named cnf-user-clusterrole-bind has been created, and references the cnf-user-cluster-role.
```
cnf-user-clusterrole-bind   ClusterRole/cnf-user-cluster-role 
```

Copy the Role object for the user accounts into a YAML file, and adapt the metadata.name and metadata.namespace parameters for your environment:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cnf-user-role
  namespace: cnf-gateway
rules:
- apiGroups:
  - "" # "" indicates the core API group
  resources:
  - pods
  - pods/log
  - pods/exec
  - pods/status
  - services
  - services/finalizers
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  - resourcequotas
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
  - deletecollection
- apiGroups:
  - apps
  - extensions
  resources:
  - deployments
  - deployments/scale
  - daemonsets
  - replicasets
  - statefulsets
  - ingresses
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - monitoring.coreos.com
  resources:
  - servicemonitors
  verbs:
  - get
  - create
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - k8s.f5net.com
  - dos.k8s.f5net.com
  - dns.k8s.f5net.com
  resources:
  - '*' # asterisk to grant access to all resources of the specified api groups
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch

Install the Role object:
```
kubectl apply -f cnf-user-role.yaml
```
Verify the Role has been created in the cluster:

In this example, the Role named cnf-user-role has been created.
```
kubectl get role -n cnf-gateway | grep cnf-user-role
```
In this example, the Role named cnf-user-role has been created.
```
cnf-user-role
```

Copy the RoleBinding into a YAML file, and adapt the metadata.name, and metadata.namespace, and subjects.name parameters for your environment:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cnf-user-role-bind
  namespace: cnf-gateway
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cnf-user-role
subjects:
- apiGroup: rbac.authorization.k8s.io 
  kind: User  
  name: john.williams
- apiGroup: rbac.authorization.k8s.io 
  kind: User  
  name: mary.jones

Install the RoleBinding object:

kubectl apply -f cnf-user-role-bind.yaml

Verify the RoleBinding has been created in the cluster:

kubectl get rolebinding -n cnf-gatewway | grep  cnf-user-role-bind

In this example, the RoleBinding named cnf-user-role-bind has been created, and references the cnf-user-role.

NAME                 ROLE                     
cnf-user-role-bind   Role/cnf-user-role

The specified users can now install the BIG-IP Controller using Helm.

Next step¶

Continue to one of the following guides listed by installation precedence:

Required: Install the Fluentd Logging collector to centralize CNF container logging.
Optional: Install the dSSM Database to store session-state information.
Required: Install the BIG-IP Controller, Edge Firewall and TMM Pods.

Feedback¶

Provide feedback to improve this document by emailing cnfdocs@f5.com.

Supplemental Information¶

Previous Next