
RBAC

Most rules required to operate your vCluster are automatically generated by enabling resource syncing.

Note: When enabled, the following config fields may adjust the default rules:

Disable RBAC

In environments with strict controls where users cannot create service accounts, you may configure vCluster to use a managed service account. An administrator is then responsible for managing the Role, RoleBinding, ClusterRole, ClusterRoleBinding, and ServiceAccount resources. After you create these, update vcluster.yaml to disable RBAC and configure the control plane to use the managed ServiceAccount:

```yaml
controlPlane:
  advanced:
    serviceAccount:
      name: custom-vc-sa
rbac:
  role:
    enabled: false
  clusterRole:
    enabled: false
```

Alternatively, you may disable ClusterRole creation, as many users do not have the required permissions to create ClusterRole resources:

```yaml
rbac:
  clusterRole:
    enabled: false
```

Extra Rules

Use extraRules when the automatically generated rules, plugin rules, and genericSync rules are insufficient. Needing extraRules should be rare; the example below shows the syntax.

```yaml
rbac:
  role:
    enabled: true
    extraRules:
      - apiGroups: [""]
        resources: ["pods/status", "pods/ephemeralcontainers"]
        verbs: ["patch", "update"]
```

Overwrite Rules

For complete control, use overwriteRules to ignore the automatically created rules. You are then responsible for enumerating every rule that vCluster and its plugins need to operate. This can be more convenient for managing permissions: the vCluster Helm chart still creates the Role, RoleBinding, and ServiceAccount, while you keep complete control over the rules. This example disables the cluster role and configures specific namespace permissions.

```yaml
rbac:
  role:
    enabled: true
    overwriteRules:
      - apiGroups: [""]
        resources: ["pods/status", "pods/ephemeralcontainers"]
        verbs: ["patch", "update"]
  clusterRole:
    enabled: false
```
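The three configurations above (a disabled Role backed by a managed ServiceAccount, extraRules, and overwriteRules) are easy to get wrong in ways that only show up at runtime or as an over-broad Role. The following check is an added example for this page, not vCluster's own code: it statically inspects the rbac section of a vcluster.yaml, using only the field layout documented here (rbac.role.*, rbac.clusterRole.*, controlPlane.advanced.serviceAccount.name), and reports a Role that is disabled without a managed ServiceAccount name, rules attached to a disabled Role or ClusterRole, and hand-written rules that grant wildcards. The configs it runs on are constructed to mirror the page's YAML snippets, written as Python dicts so the check runs without a YAML library.

```python
# Added example for this page (not vCluster's own code). It statically checks
# the `rbac` section of a vcluster.yaml for the mistakes the page warns about.
# Only the field layout documented on the page is assumed.

WILDCARD = "*"


def _rule_set(section: dict) -> tuple[str, list[dict]]:
    """Return which rule list applies to a role/clusterRole section.

    overwriteRules replaces the automatically generated rules completely,
    extraRules is appended to them, and with neither the generated rules
    stand alone (not visible here, so reported as 'auto' with no rules).
    """
    if section.get("overwriteRules"):
        return "overwriteRules", section["overwriteRules"]
    if section.get("extraRules"):
        return "extraRules", section["extraRules"]
    return "auto", []


def _wildcard_findings(label: str, rules: list[dict]) -> list[str]:
    """Flag rules whose apiGroups, resources or verbs contain '*'.

    Hand-written rules exist to keep permissions tight, so a wildcard is
    almost always broader than the control plane needs.
    """
    findings = []
    for i, rule in enumerate(rules):
        for field in ("apiGroups", "resources", "verbs"):
            if WILDCARD in rule.get(field, []):
                findings.append(f"{label}: rule {i} uses '*' in {field}")
    return findings


def check_rbac(config: dict) -> list[str]:
    """Return findings for the rbac/serviceAccount settings; empty means clean."""
    findings: list[str] = []
    rbac = config.get("rbac", {})
    sa_name = (config.get("controlPlane", {})
               .get("advanced", {})
               .get("serviceAccount", {})
               .get("name"))

    # Defaults from the config reference: role.enabled=true, clusterRole.enabled=auto.
    for kind, default_enabled in (("role", True), ("clusterRole", "auto")):
        section = rbac.get(kind, {})
        enabled = section.get("enabled", default_enabled)
        if enabled is False:
            # Rules on a disabled section are dead config. Disabling the Role
            # is only valid in the managed-ServiceAccount flow, which needs a name.
            if section.get("extraRules") or section.get("overwriteRules"):
                findings.append(f"{kind}: disabled, so its extraRules/overwriteRules have no effect")
            if kind == "role" and not sa_name:
                findings.append("role: disabled but controlPlane.advanced.serviceAccount.name is unset")
            continue
        mode, rules = _rule_set(section)
        findings.extend(_wildcard_findings(f"{kind}.{mode}", rules))
    return findings


# Constructed to mirror the page's "Disable RBAC" snippet.
MANAGED_SA_CONFIG = {
    "controlPlane": {"advanced": {"serviceAccount": {"name": "custom-vc-sa"}}},
    "rbac": {"role": {"enabled": False}, "clusterRole": {"enabled": False}},
}

# Constructed to mirror the page's "Overwrite Rules" snippet.
OVERWRITE_CONFIG = {
    "rbac": {
        "role": {
            "enabled": True,
            "overwriteRules": [{"apiGroups": [""],
                                "resources": ["pods/status", "pods/ephemeralcontainers"],
                                "verbs": ["patch", "update"]}],
        },
        "clusterRole": {"enabled": False},
    }
}

# Constructed counter-example: Role disabled without a managed ServiceAccount,
# plus a cluster-role rule granting every verb on every resource.
RISKY_CONFIG = {
    "rbac": {
        "role": {"enabled": False},
        "clusterRole": {"enabled": True,
                        "extraRules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    }
}

if __name__ == "__main__":
    for name, cfg in (("managed-sa", MANAGED_SA_CONFIG),
                      ("overwrite", OVERWRITE_CONFIG),
                      ("risky", RISKY_CONFIG)):
        print(name, check_rbac(cfg) or "clean")
```

Both page snippets come back clean; the constructed risky config produces four findings, one for the missing ServiceAccount name and one per wildcard field. Running such a check in CI on the vcluster.yaml keeps the least-privilege intent of overwriteRules from eroding as rules are added.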

Config reference

rbac (required, object, pro)

RBAC options for the virtual cluster.

rbac.role (required, object, pro)

Role holds the virtual cluster role configuration.

rbac.role.enabled (required, boolean, default: true, pro)

Enabled defines if the role should be enabled or disabled.

rbac.role.extraRules (required, object[], default: [], pro)

ExtraRules will add rules to the role.

rbac.role.overwriteRules (required, object[], default: [], pro)

OverwriteRules will overwrite the role rules completely.

rbac.clusterRole (required, object, pro)

ClusterRole holds the virtual cluster cluster role configuration.

rbac.clusterRole.enabled (required, string|boolean, default: auto, pro)

Enabled defines if the cluster role should be enabled or disabled. If auto, vCluster automatically determines whether the virtual cluster requires a cluster role.

rbac.clusterRole.extraRules (required, object[], default: [], pro)

ExtraRules will add rules to the cluster role.

rbac.clusterRole.overwriteRules (required, object[], default: [], pro)

OverwriteRules will overwrite the cluster role rules completely.