Read-Only User RBAC Implementation for Headlamp📜
Bigbang Read-Only RBAC manages the resources for Headlamp in a Kubernetes environment using Helm values. It configures a read-only access for specfic users, group, or service accounts that can be override in the values.
Behavior📜
bigbang.rbac controls the creation of role access when enabled:true
- items in clusterRoles render as ClusterRole objects
- items in clusterRoleBingings render as ClusterRoleBindings`` objects binding roles to subjects.
- Each items supports acreate``` flag
bigbang:
rbac:
enabled: true
clusterRoles:
- name: ""
create: true
The default set of rules can be modified or override in each apiGroups to provide access to more resources through the verbs.
rules:
- apiGroups:
- ""
resources:
- pods
- nodes
- namespaces
verbs:
- get
- list
- watch
| Capability | Status |
|---|---|
| view pods, services, configmaps | Read-Only |
| view deployments, statefulsets | Read-Only |
| view events, namespaces, nodes | Read-Only |
| view metrics.k8s.io | Read-Only |
| view secrets | Denied |
| Edit any resources | Denied |
| Scale deployments/pods | Denied |
| View admin settings | Denied |
- List of
clusterRolecreated will be binded to the defined roleRef
clusterRoleBindings:
- name: ""
roleRef: ""
- Toggle between
ServiceAccountand SSO access through OIDC when eithUserorGroupare defined.
clusterRoleBindings:
- name: ""
roleRef: ""
subjects:
- kind: ServiceAccount
name:
SSO Integration with Keycloak Groups📜
To enable read-only access through SSO, bind the newly defined clusterRole to a Keycloak group.
- Create a Keycloak Group
- Expose Groups in the ID token
- Update clusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: headlamp-read-only
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: headlamp-read-only
subjects:
- kind: Group
name: (Group name)
apiGroup: rbac.authorization.k8s.io
Notes📜
- The RBAC role can be easily extended or narrowed via
values.yaml. - User permissions can be easily narrowed by removing or adding resources and removing or editing the resources verbs in apiGroups of the resources in the ClusterRole templates.