RBAC
Most rules required to operate your vCluster are automatically generated by enabling resource syncing.
When enabled, the following config fields may adjust default rules:
- controlPlane.advanced.virtualScheduler: adds required read permissions for the virtual scheduler
- networking.replicateServices.fromHost: adds required permissions to manage endpoints and services
- integrations.metrics.proxy.nodes: adds required read permissions for node resources
- plugins: adds roles and clusterRoles defined by each plugin
- experimental.multiNamespaceMode: adds required permissions for vCluster to manage namespaces and service accounts
- experimental.genericSync: adds extraRules defined by generic sync
Disable RBAC
In environments with strict controls where users cannot create service accounts, you may configure vCluster to use a managed service account. An administrator would be responsible for managing the Role, RoleBinding, ClusterRole, ClusterRoleBinding, and ServiceAccount resources. After you create these, update the vcluster.yaml to disable RBAC, and configure the control plane to use the managed ServiceAccount:
controlPlane:
  advanced:
    serviceAccount:
      name: custom-vc-sa
rbac:
  role:
    enabled: false
  clusterRole:
    enabled: false
Alternatively, you may disable ClusterRole creation, as many users do not have the required permissions to create ClusterRole resources:
rbac:
  clusterRole:
    enabled: false
Extra Rules
Configure extra rules for when the automatically generated rules, plugin rules, and genericSync rules are insufficient. The usage of extraRules should be rare, but this example shows its usage.
rbac:
  role:
    enabled: true
    extraRules:
      - apiGroups: [""]
        resources: ["pods/status", "pods/ephemeralcontainers"]
        verbs: ["patch", "update"]
Overwrite Rules
For better control, use overwriteRules to ignore the automatically created rules. You are responsible for enumerating the rules required for vCluster and its plugins to operate. This can be more convenient for managing permissions, as the vCluster Helm chart creates the Role, RoleBinding, and ServiceAccount while giving you complete control over the rules. This example disables cluster role rules and configures specific namespace permissions.
rbac:
  role:
    enabled: true
    overwriteRules:
      - apiGroups: [""]
        resources: ["pods/status", "pods/ephemeralcontainers"]
        verbs: ["patch", "update"]
  clusterRole:
    enabled: false
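Because overwriteRules and extraRules put you in charge of the exact permissions, it is worth linting the rbac section before applying the chart. The following is an added example, not code from the vCluster project: it audits the rbac block for wildcards and RBAC escalation verbs, and flags a disabled Role with no managed serviceAccount.name set. It assumes the vcluster.yaml has already been loaded into a dict (for example with yaml.safe_load); the sample dict below is the page's Overwrite Rules snippet with one constructed over-broad rule added.

```python
# Least-privilege audit of the rbac section of a vcluster.yaml.
# Added example, not vCluster project code. Assumes the YAML was already loaded
# (e.g. with yaml.safe_load); the result is embedded as a dict to avoid PyYAML.

# Verbs that grant RBAC privilege escalation in Kubernetes.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}

# Constructed sample: page's Overwrite Rules snippet plus one over-broad rule to flag.
SAMPLE_CONFIG = {
    "controlPlane": {"advanced": {"serviceAccount": {"name": ""}}},
    "rbac": {
        "role": {
            "enabled": True,
            "overwriteRules": [
                {"apiGroups": [""],
                 "resources": ["pods/status", "pods/ephemeralcontainers"],
                 "verbs": ["patch", "update"]},
                {"apiGroups": ["rbac.authorization.k8s.io"],
                 "resources": ["*"], "verbs": ["bind"]},
            ],
        },
        "clusterRole": {"enabled": False},
    },
}


def audit_rules(scope, key, rules):
    """Flag wildcards and escalation verbs in one extraRules/overwriteRules list."""
    findings = []
    for i, rule in enumerate(rules):
        where = f"rbac.{scope}.{key}[{i}]"
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule.get(field, []):
                findings.append(f"{where}: wildcard in {field}")
        bad = ESCALATION_VERBS & set(rule.get("verbs", []))
        if bad:
            findings.append(f"{where}: escalation verbs {sorted(bad)}")
    return findings


def audit_rbac(config):
    """Audit rbac.role and rbac.clusterRole; returns human-readable findings."""
    rbac = config.get("rbac", {})
    sa = config.get("controlPlane", {}).get("advanced", {}).get("serviceAccount", {})
    findings = []
    # With the Role disabled, permissions must come from a managed ServiceAccount.
    if rbac.get("role", {}).get("enabled") is False and not sa.get("name"):
        findings.append("rbac.role disabled but no managed serviceAccount.name set")
    for scope in ("role", "clusterRole"):
        for key in ("extraRules", "overwriteRules"):
            findings += audit_rules(scope, key, rbac.get(scope, {}).get(key, []))
    return findings
```

Running audit_rbac(SAMPLE_CONFIG) reports only the constructed second rule; the page's own Disable RBAC and Overwrite Rules snippets pass clean.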
Config reference
rbac (required, object, pro): RBAC options for the virtual cluster.
  role (required, object, pro): Role holds virtual cluster role configuration.
  clusterRole (required, object, pro): ClusterRole holds virtual cluster cluster role configuration.
    enabled (required, string|boolean, default auto, pro): Enabled defines if the cluster role should be enabled or disabled. If auto, vCluster automatically determines whether the virtual cluster requires a cluster role.
    extraRules (required, object[], default [], pro): ExtraRules will add rules to the cluster role.
    overwriteRules (required, object[], default [], pro): OverwriteRules will overwrite the cluster role rules completely.