RBAC
Most of the rules vCluster needs to operate are generated automatically from the resource syncing you enable. The generated set is what the Role and ClusterRole created by the Helm chart contain by default.
When enabled, the following config fields add to the default rules:
- controlPlane.advanced.virtualScheduler: adds the read permissions the virtual scheduler requires
- networking.replicateServices.fromHost: adds the permissions required to manage endpoints and services
- integrations.metrics.proxy.nodes: adds read permissions for node resources
- plugins: adds the roles and clusterRoles defined by each plugin
- experimental.multiNamespaceMode: adds the permissions vCluster needs to manage namespaces and service accounts
- experimental.genericSync: adds the extraRules defined by generic sync
Disable RBAC
In environments with strict controls where users cannot create service accounts, you can configure vCluster to use a managed service account. An administrator is then responsible for creating and maintaining the Role, RoleBinding, ClusterRole, ClusterRoleBinding, and ServiceAccount resources, and for keeping their rules in step with the features you enable (see the list above): with both role and clusterRole disabled, the chart creates no RBAC objects at all, so any rule that is missing surfaces as a permission error from the syncer at runtime rather than at install time. After the administrator has created these resources, update vcluster.yaml to disable RBAC and point the control plane at the managed ServiceAccount:
```yaml
controlPlane:
  advanced:
    serviceAccount:
      name: custom-vc-sa
rbac:
  role:
    enabled: false
  clusterRole:
    enabled: false
```
Alternatively, you can disable only ClusterRole creation, since many users lack the permissions to create ClusterRole resources. The namespaced Role is still generated. If you enable a feature that needs cluster-scoped permissions, you must provision the ClusterRole and ClusterRoleBinding yourself:
```yaml
rbac:
  clusterRole:
    enabled: false
```
Extra Rules
Configure extraRules when the automatically generated rules, plugin rules, and genericSync rules are insufficient. Using extraRules should be rare; it appends to the generated rules rather than replacing them, so keep each added rule as narrow as possible. In this example, note that patch and update on pods/ephemeralcontainers is the permission behind kubectl debug, which lets the holder inject a container into any pod in the namespace:
```yaml
rbac:
  role:
    enabled: true
    extraRules:
      - apiGroups: [""]
        resources: ["pods/status", "pods/ephemeralcontainers"]
        verbs: ["patch", "update"]
```
Overwrite Rules
For full control, use overwriteRules to replace the automatically generated rules entirely. You are then responsible for enumerating every rule vCluster and its plugins need to operate; the rules that enabled features would otherwise add (see the list at the top of this page) are not merged in. This can be more convenient for managing permissions, because the vCluster Helm chart still creates the Role, RoleBinding, and ServiceAccount while you keep complete control over the rule list. This example disables ClusterRole creation and configures specific namespace permissions; as written it is far too short for a working vCluster and only shows the shape of the setting:
```yaml
rbac:
  role:
    enabled: true
    overwriteRules:
      - apiGroups: [""]
        resources: ["pods/status", "pods/ephemeralcontainers"]
        verbs: ["patch", "update"]
  clusterRole:
    enabled: false
```
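The difference between the Extra Rules and Overwrite Rules sections above is easy to get wrong when reviewing a vcluster.yaml, so the following is an added example (not vCluster's own code) that models how the two settings compose into the rules of the namespaced Role, renders the resulting manifest, and runs a least-privilege audit over it. BASE_RULES is a constructed stand-in for the rules vCluster generates for syncing, not the real list, and the precedence (overwriteRules replaces the generated rules and extraRules; extraRules is only ever appended to the generated rules) is an assumption about the Helm chart's behaviour. The role name, namespace, and SENSITIVE_RESOURCES set are illustrative choices.

```python
"""Model of how rbac.role.extraRules and rbac.role.overwriteRules compose.

Added example, not vCluster's code. BASE_RULES is a constructed stand-in for
the auto-generated syncing rules; the precedence rule below is an assumption.
"""
import copy
import json

# Constructed stand-in for the auto-generated syncing rules (not the real list).
BASE_RULES = [
    {"apiGroups": [""],
     "resources": ["pods", "services", "configmaps", "secrets", "events"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": ["apps"],
     "resources": ["statefulsets", "replicasets", "deployments"],
     "verbs": ["get", "list", "watch"]},
]

# Resources whose write verbs deserve a second look in review (illustrative set).
SENSITIVE_RESOURCES = {"pods/ephemeralcontainers", "pods/exec", "pods/attach", "secrets"}
WRITE_VERBS = {"create", "update", "patch", "*"}


def effective_rules(role_cfg, base_rules=BASE_RULES):
    """Return the rule list the namespaced Role would carry for an `rbac.role`
    block, or None when the chart would not create a Role at all."""
    if role_cfg.get("enabled", True) is False:
        return None
    if role_cfg.get("overwriteRules"):
        # Assumption: overwriteRules replaces generated rules and extraRules.
        return copy.deepcopy(role_cfg["overwriteRules"])
    return copy.deepcopy(base_rules) + copy.deepcopy(role_cfg.get("extraRules", []))


def render_role(name, namespace, rules):
    """Build the Role manifest as a dict; json.dumps of it is valid YAML."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": namespace},
        "rules": rules,
    }


def audit_rules(rules):
    """Least-privilege check over a rule list. Returns one finding string per
    wildcard grant and per write grant on a resource in SENSITIVE_RESOURCES."""
    findings = []
    for i, rule in enumerate(rules):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"rule {i}: wildcard grant ({groups}, {resources}, {verbs})")
        for res in resources:
            if res in SENSITIVE_RESOURCES and set(verbs) & WRITE_VERBS:
                findings.append(f"rule {i}: write access to sensitive resource {res}")
    return findings


# The two snippets from this page, as the parsed `rbac.role` block would look.
EXTRA_RULES_CFG = {
    "enabled": True,
    "extraRules": [{"apiGroups": [""],
                    "resources": ["pods/status", "pods/ephemeralcontainers"],
                    "verbs": ["patch", "update"]}],
}
OVERWRITE_RULES_CFG = {
    "enabled": True,
    "overwriteRules": [{"apiGroups": [""],
                        "resources": ["pods/status", "pods/ephemeralcontainers"],
                        "verbs": ["patch", "update"]}],
}

if __name__ == "__main__":
    for label, cfg in (("extraRules", EXTRA_RULES_CFG), ("overwriteRules", OVERWRITE_RULES_CFG)):
        rules = effective_rules(cfg)
        print(f"--- {label}: Role carries {len(rules)} rule(s)")
        print(json.dumps(render_role("vc-my-vcluster", "team-a", rules), indent=2))
        for finding in audit_rules(rules):
            print("  !", finding)
```

Running it shows the extraRules config producing the stand-in base rules plus the one added rule, while the overwriteRules config produces a Role with only the single rule, which is why an overwrite list copied from an extraRules example leaves the syncer without the permissions it needs. The audit flags the pods/ephemeralcontainers write grant in both cases.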
Config reference
- rbac (object, required): RBAC options for the virtual cluster.
  - role (object, required): Role holds the virtual cluster role configuration.
  - clusterRole (object, required): ClusterRole holds the virtual cluster cluster role configuration.
    - enabled (string|boolean, required, default auto): Enabled defines if the cluster role should be enabled or disabled. If auto, vCluster automatically determines whether the virtual cluster requires a cluster role.
    - extraRules (object[], required, default []): ExtraRules will add rules to the cluster role.
    - overwriteRules (object[], required, default []): OverwriteRules will overwrite the cluster role rules completely.