# Kubernetes permissions for MIZU

This document describes in detail all permissions required for full and correct operation of Mizu.

## Editing permissions

During installation, Mizu creates a `ServiceAccount` and the roles it requires. No further action is required.

However, if there is a need, it is possible to make changes to Mizu permissions.

### Adding permissions on top of Mizu's defaults

Mizu pods use the `ServiceAccount` `mizu-service-account`. Permissions can be added to Mizu by creating `ClusterRoleBindings` and `RoleBindings` that target that `ServiceAccount`.

For example, in order to add a `PodSecurityPolicy` which allows Mizu to run `hostNetwork` and `privileged` pods, create the following resources:
```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: my-mizu-psp
spec:
  hostNetwork: true
  privileged: true
  allowedCapabilities:
    - "*"
  fsGroup:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - "*"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: my-mizu-clusterrole
rules:
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  verbs:
  - use
  resourceNames:
  - my-mizu-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-mizu-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-mizu-clusterrole
subjects:
- kind: ServiceAccount
  name: mizu-service-account # The service account used by Mizu
  namespace: mizu
```
With this setup, when Mizu starts and creates `mizu-service-account`, this account will be subject to `my-mizu-psp` via `my-mizu-clusterrolebinding`.

When Mizu cleans up resources, the above resources will remain available for future executions.

### Replacing Mizu's default permissions with custom permissions

Mizu does not create its `ServiceAccounts`, `ClusterRoles`, `ClusterRoleBindings`, `Roles` or `RoleBindings` if resources by the same name already exist. In order to replace Mizu's defaults, simply create your resources before running Mizu.

For example, creating a `ClusterRole` by the name of `mizu-cluster-role` before running Mizu will cause Mizu to use that `ClusterRole` instead of the default one created by Mizu.

Notes:

- The resource names must match Mizu's default names.
- User-managed resources must not have the label `app.kubernetes.io/managed-by=mizu`. Remove the label or set it to another value.

## List of permissions

We broke down this list into a few categories:

- Required - what is needed for `mizu` to run properly on your k8s cluster
- Optional - permissions needed for proper name resolving for service & pod IPs
- Additional permissions required for policy validation
### Required permissions

Mizu needs the following permissions on your Kubernetes cluster to run properly:

```yaml
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
  - watch
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
  - delete
- apiGroups:
  - apps
  resources:
  - daemonsets
  verbs:
  - create
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - services/proxy
  verbs:
  - get
```
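When replacing Mizu's default `ClusterRole` with your own (see "Replacing Mizu's default permissions" above), the practical question is whether the replacement still covers every rule in the required list. The following script is an added example, not part of the Mizu project: it flattens RBAC rules into `(apiGroup, resource, verb)` triples, reports which required triples a candidate role fails to grant (honouring RBAC `*` wildcards, and treating a subresource such as `services/proxy` as distinct from `services`), and renders the equivalent `kubectl auth can-i` checks for verifying a live cluster by impersonating Mizu's ServiceAccount. The required rule list is transcribed from this document; the candidate `ClusterRole` is constructed for the example and deliberately omits one rule.

```python
"""Check whether a user-supplied (Cluster)Role covers the permissions Mizu requires.

Added example, not part of the Mizu project. MIZU_REQUIRED_RULES is transcribed
from the "Required permissions" list in this document; CANDIDATE_CLUSTERROLE is a
constructed replacement role that intentionally misses one required permission.
"""
from itertools import product

# Required permissions for regular (non-namespace-restricted) mode, as listed in this document.
MIZU_REQUIRED_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "watch", "create", "delete"]},
    {"apiGroups": [""], "resources": ["services"], "verbs": ["create", "delete"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets"], "verbs": ["create", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch", "create", "delete"]},
    {"apiGroups": [""], "resources": ["services/proxy"], "verbs": ["get"]},
]

# Constructed candidate: a ClusterRole an operator might pre-create under Mizu's default
# name so that Mizu uses it instead of generating one. It grants broad verbs on the core
# resources but forgets the `services/proxy` subresource, which `services` does NOT cover.
CANDIDATE_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "mizu-cluster-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services", "namespaces"],
         "verbs": ["get", "list", "watch", "create", "delete"]},
        {"apiGroups": ["apps"], "resources": ["daemonsets"], "verbs": ["*"]},
    ],
}


def expand(rules):
    """Flatten a list of RBAC rules into a set of (apiGroup, resource, verb) triples."""
    triples = set()
    for rule in rules:
        for group, resource, verb in product(
            rule.get("apiGroups", []), rule.get("resources", []), rule.get("verbs", [])
        ):
            triples.add((group, resource, verb))
    return triples


def grants(granted, needed):
    """True if one granted triple covers one needed triple.

    RBAC semantics: "*" in any position matches everything in that position, while a
    plain resource name (e.g. "services") does not match a subresource ("services/proxy").
    """
    g_group, g_res, g_verb = granted
    n_group, n_res, n_verb = needed
    return g_group in ("*", n_group) and g_res in ("*", n_res) and g_verb in ("*", n_verb)


def missing_permissions(required_rules, role):
    """Return the sorted list of required triples that the role's rules do not cover."""
    granted = expand(role["rules"])
    return sorted(n for n in expand(required_rules) if not any(grants(g, n) for g in granted))


def can_i_commands(required_rules, namespace="mizu", service_account="mizu-service-account"):
    """Render `kubectl auth can-i` checks for every required triple.

    The commands impersonate Mizu's ServiceAccount (namespace and account name are
    assumed defaults) so they report the effective, bound permissions rather than the
    contents of one role object. They are returned as strings, not executed.
    """
    cmds = []
    for group, resource, verb in sorted(expand(required_rules)):
        qualified = resource if group == "" else f"{resource}.{group}"
        cmds.append(
            f"kubectl auth can-i {verb} {qualified} "
            f"--as=system:serviceaccount:{namespace}:{service_account}"
        )
    return cmds


if __name__ == "__main__":
    for group, resource, verb in missing_permissions(MIZU_REQUIRED_RULES, CANDIDATE_CLUSTERROLE):
        print(f"MISSING: verb={verb} resource={resource} apiGroup={group or 'core'}")
    print("Live-cluster verification commands:")
    for cmd in can_i_commands(MIZU_REQUIRED_RULES):
        print("  " + cmd)
```

Run against the constructed candidate, the script reports exactly one gap, `get` on `services/proxy`, which is the permission Mizu uses to reach its own service through the API server proxy; a role that only lists `services` would look complete at a glance but fail at runtime. The rendered `kubectl auth can-i ... --as=system:serviceaccount:mizu:mizu-service-account` lines check the same triples on a real cluster, including bindings you added on top of the defaults, and should all print `yes` before you rely on the replacement role.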
### Permissions required when running with the install command, or (optional) for service/pod name resolving

Mandatory permissions for running with the install command. Optional for service/pod name resolving in non-install standalone mode:

```yaml
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - delete
- apiGroups:
  - apps
  resources:
  - daemonsets
  verbs:
  - create
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - services/proxy
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - apps
  - extensions
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  - extensions
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  - apps
  - extensions
  resources:
  - endpoints
  verbs:
  - get
  - list
  - watch
```
### Permissions for Policy rules validation feature (opt)

Optionally, in order to use the policy rules validation feature, Mizu requires the following additional permissions:

```yaml
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - create
  - delete
```
### Namespace-Restricted mode

Alternatively, in order to restrict Mizu to one namespace only (by setting `agent.namespace` in the config file), Mizu needs the following permissions in that namespace:

```yaml
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - apps
  resources:
  - daemonsets
  verbs:
  - get
  - create
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - services/proxy
  verbs:
  - get
```
### Name resolving in Namespace-Restricted mode (opt)

To restrict Mizu to one namespace while also resolving IPs, Mizu needs the following permissions in that namespace:

```yaml
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - delete
- apiGroups:
  - apps
  resources:
  - daemonsets
  verbs:
  - get
  - create
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - services/proxy
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - apps
  - extensions
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  - extensions
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  - apps
  - extensions
  resources:
  - endpoints
  verbs:
  - get
  - list
  - watch
```