CNFs RBAC

Overview

The Cloud-Native Network Functions (CNFs) BIG-IP Controller uses the default ServiceAccount to access the cluster API by default. To limit the resources and namespaces that the BIG-IP Controller can manage, the appropriate Kubernetes ServiceAccount and Role-based Access Control (RBAC) objects must be installed. Also, to specifiy which users can perform CNFs Helm installations, additional RBAC objects must be installed.

This document guides you through installing Kubernetes RBAC objects to limit BIG-IP Controller’s cluster API and namespace access.

API access

To grant minimal API access within a specified namespace to both the BIG-IP Controller and the user accounts that manage the BIG-IP Controller, the follwoing objects must be confiured and installed in the cluster:

Object Description
ServiceAccount A Pod-level account that binds the BIG-IP Controller to ClusterRole and Role objects.
ClusterRole Grants minimal access to cluster-level resources, specifically the CNFs Custom Resource Definitions (CRDs).
ClusterRoleBinding Binds the ServiceAccount and user accounts to the ClusterRole.
Role Grants minilam access to resources within the specified namespace.
RoleBinding Binds the ServiceAccount and user accounts to the Role.

Requirements

Ensure you have:

Procedures

Note: The full list of BIG-IP Controller RBAC objects can be downloaded here.

BIG-IP Controller

Use these steps to configure and install the objects that allow minimal API access for the BIG-IP Controller.

  1. Copy the ServiceAccount object into a YAML file, and adapt the metadata.name and metadata.namespace values for your environment:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: cnf-service-account
      namespace: cnf-gateway
    
  2. Install the ServiceAccount object:

    kubectl apply -f cnf-service-account.yaml
    
  3. Verify the ServiceAccount has been created in the cluster:

    In this example, the ServiceAccount named cnf-service-account has been created.

    kubectl get sa -n cnf-gateway
    
    NAME                   SECRETS 
    default                1      
    cnf-service-account    1     
    
  4. Copy the ClusterRole object for the service account into a YAML file, and adapt the metadata.name parameter for your environment:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cnf-sa-cluster-role
      # "namespace" omitted since ClusterRoles are not namespaced
    rules:
    - apiGroups:
      - "" # "" indicates the core API group
      resources:
      - namespaces
      - endpoints
      - pods
      - services
      - secrets
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - apiextensions.k8s.io
      resources:
      - customresourcedefinitions
      verbs:
      - get
      - list
      - watch
      - update
    - apiGroups:
      - apps
      - extensions
      resources:
      - ingresses
      verbs:
      - create
      - get
      - list
    - apiGroups:
      - discovery.k8s.io
      resources:
      - endpointslices
      verbs:
      - list
      - watch
    - apiGroups:
      - k8s.f5net.com
      - dos.k8s.f5net.com
      - dns.k8s.f5net.com
      resources:
      - '*'
      verbs:
      - watch
      - get
      - list
    
  5. Install the ClusterRole object:

    kubectl apply -f cnf-sa-cluster-role.yaml
    
  6. Verify the ClusterRole has been created in the cluster:

    kubectl get clusterrole | grep cnf-sa-cluster-role
    

    In this example, the ClusterRole named cnf-sa-cluster-role has been created.

    cnf-sa-cluster-role
    
  7. Copy the RoleBinding object into a YAML file, and adapt the metadata.name, metadata.namespace, subjects.name, and subjects.namespace values for your environment:

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: cnf-sa-cluster-role-bind
      namespace: cnf-gateway
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cnf-sa-cluster-role
    subjects:
    - kind: ServiceAccount
      name: cnf-service-account
      namespace: cnf-gateway
    
  8. Install the RoleBinding object:

    kubectl apply -f cnf-sa-cluster-role-bind.yaml
    
  9. Verify the RoleBinding has been created in the cluster:

    kubectl get rolebinding -n cnf-gateway | grep  cnf-sa-cluster-role-bind
    

    In this example, the ClusterRoleBinding named cnf-sa-cluster-role-bind has been created, and references the cnf-sa-cluster-role.

    NAME                    ROLE                     
    cnf-sa-cluster-role-bind   ClusterRole/cnf-sa-cluster-role
    
  10. Copy the Role object for the service account into a YAML file, and adapt both the metadata.name and metadata.namespace values for your environment:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: cnf-sa-role
      namespace: cnf-gateway
    rules:
    - apiGroups:
      - "" # "" indicates the core API group
      resources:
      - pods
      - services
      - services/finalizers
      - endpoints
      - persistentvolumeclaims
      - events
      - configmaps
      - secrets
      verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
    - apiGroups:
      - apps
      - extensions
      resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
      - ingresses
      verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    - apiGroups:
      - monitoring.coreos.com
      resources:
      - servicemonitors
      verbs:
      - get
      - create
    - apiGroups:
      - metrics.k8s.io
      resources:
      - pods
      - nodes
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - k8s.f5net.com
      - dos.k8s.f5net.com
      - dns.k8s.f5net.com
      resources:
      - '*' # asterisk to grant access to all resources of the specified api groups
      verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    
  11. Install the Role object:

    kubectl apply -f cnf-sa-role.yaml
    
  12. Verify the Role has been created in the cluster:

    kubectl get role -n cnf-gateway | grep cnf-sa-role
    

    In this example, the Role named cnf-sa-role has been created.

    cnf-sa-role
    
  13. Copy the RoleBinding object into a YAML file, and adapt the subjects.name, subjects.namespace, metadata.name, and metadata.namespace values for your environment:

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: cnf-sa-role-bind
      namespace: cnf-gateway
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: cnf-sa-role
    subjects:
    - kind: ServiceAccount
      name: cnf-service-account
      namespace: cnf-gateway
    
  14. Install the RoleBinding object:

    kubectl apply -f cnf-sa-role-bind.yaml
    
  15. Verify the RoleBinding has been created in the cluster:

    kubectl get rolebinding -n cnf-gateway | grep  cnf-sa-role-bind
    

    In this example, the RoleBinding named cnf-sa-role-bind has been created, and references the cnf-sa-role.

    NAME               ROLE                     
    cnf-sa-role-bind   ClusterRole/cnf-sa-role
    
  16. Prior to installing the BIG-IP Controller, the following rbac.create and controller.serviceAccount Helm parameters must be configured:

    In this example, the serviceAccount value cnf-service-account was configured in step 1 of this procedure.

    rbac:
      create: false
    
    controller:
      create: false
      serviceAccount: cnf-service-account
    

User accounts

Use these steps to configure and install the objects that allow minimal API access for the cluster user accounts.

Note: The full list of user account RBAC objects can be downloaded here.

  1. Copy the ClusterRole object for the user accounts into a YAML file, and adapt the metadata.name parameter for your environment:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cnf-user-cluster-role
      # "namespace" omitted since ClusterRoles are not namespaced
    rules:
    - apiGroups:
      - "" # "" indicates the core API group
      resources:
      - namespaces
      - endpoints
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - apiextensions.k8s.io
      resources:
      - customresourcedefinitions
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - admissionregistration.k8s.io
      resources:
      - validatingwebhookconfigurations
      verbs:
      - get
      - create
      - delete
    
  2. Install the ClusterRole object:

    kubectl apply -f cnf-user-cluster-role.yaml
    
  3. Verify the ClusterRole has been created in the cluster:

    kubectl get clusterrole | grep cnf-user-cluster-role
    

    In this example, the ClusterRole named cnf-user-cluster-role has been created.

    cnf-user-cluster-role
    
  4. Copy the RoleBinding object into YAML file, and adapt the metadata.name, metadata.namespace, and subjects.name values for your environment:

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: cnf-user-clusterrole-bind
      namespace: cnf-gateway
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cnf-user-cluster-role
    subjects:
    - apiGroup: rbac.authorization.k8s.io 
      kind: User  
      name: john.williams
    - apiGroup: rbac.authorization.k8s.io 
      kind: User  
      name: mary.jones
    
  5. Verify the RoleBinding has been created in the cluster:

    kubectl get rolebinding -n cnf-gateway | grep  cnf-user-clusterrole-bind
    

    In this example, the RoleBinding named cnf-user-clusterrole-bind has been created, and references the cnf-user-cluster-role.

    cnf-user-clusterrole-bind   ClusterRole/cnf-user-cluster-role 
    
  6. Copy the Role object for the user accounts into a YAML file, and adapt the metadata.name and metadata.namespace parameters for your environment:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: cnf-user-role
      namespace: cnf-gateway
    rules:
    - apiGroups:
      - "" # "" indicates the core API group
      resources:
      - pods
      - pods/log
      - pods/exec
      - pods/status
      - services
      - services/finalizers
      - endpoints
      - persistentvolumeclaims
      - events
      - configmaps
      - secrets
      - resourcequotas
      verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
    - apiGroups:
      - apps
      - extensions
      resources:
      - deployments
      - deployments/scale
      - daemonsets
      - replicasets
      - statefulsets
      - ingresses
      verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    - apiGroups:
      - monitoring.coreos.com
      resources:
      - servicemonitors
      verbs:
      - get
      - create
    - apiGroups:
      - metrics.k8s.io
      resources:
      - pods
      - nodes
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - k8s.f5net.com
      - dos.k8s.f5net.com
      - dns.k8s.f5net.com
      resources:
      - '*' # asterisk to grant access to all resources of the specified api groups
      verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    - apiGroups:
      - rbac.authorization.k8s.io
      resources:
      - roles
      - rolebindings
      verbs:
      - get
      - watch
      - list
    - apiGroups:
      - ""
      resources:
      - serviceaccounts
      verbs:
      - impersonate
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    
  7. Install the Role object:

    kubectl apply -f cnf-user-role.yaml
    
  8. Verify the Role has been created in the cluster:

    In this example, the Role named cnf-user-role has been created.

    kubectl get role -n cnf-gateway | grep cnf-user-role
    

    In this example, the Role named cnf-user-role has been created.

    cnf-user-role
    
  9. Copy the RoleBinding into a YAML file, and adapt the metadata.name, and metadata.namespace, and subjects.name parameters for your environment:

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: cnf-user-role-bind
      namespace: cnf-gateway
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: cnf-user-role
    subjects:
    - apiGroup: rbac.authorization.k8s.io 
      kind: User  
      name: john.williams
    - apiGroup: rbac.authorization.k8s.io 
      kind: User  
      name: mary.jones
    
  10. Install the RoleBinding object:

    kubectl apply -f cnf-user-role-bind.yaml
    
  11. Verify the RoleBinding has been created in the cluster:

    kubectl get rolebinding -n cnf-gatewway | grep  cnf-user-role-bind
    

    In this example, the RoleBinding named cnf-user-role-bind has been created, and references the cnf-user-role.

    NAME                 ROLE                     
    cnf-user-role-bind   Role/cnf-user-role
    
  12. The specified users can now install the BIG-IP Controller using Helm.

Next step

Continue to one of the following guides listed by installation precedence:

  • Required: Install the Fluentd Logging collector to centralize CNF container logging.
  • Optional: Install the dSSM Database to store session-state information.
  • Required: Install the BIG-IP Controller, Edge Firewall and TMM Pods.

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.