Role-Based Access Control (RBAC)
Configure RBAC for kMetal platform and tenant cluster access control.
Platform RBAC
Admin Roles
Platform Administrator

```yaml
# platform-admin-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kmetal-platform-admin
rules:
  - apiGroups: ["kamaji.clastix.io"]
    resources: ["tenantcontrolplanes", "datastores"]
    verbs: ["*"]
  - apiGroups: ["cluster.x-k8s.io"]
    resources: ["clusters", "machines", "machinedeployments"]
    verbs: ["*"]
  - apiGroups: ["infrastructure.cluster.x-k8s.io"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: [""]
    # Cluster-wide read/write on secrets covers every tenant kubeconfig and
    # datastore credential; bind this role only to the platform-admins group.
    resources: ["secrets", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kmetal-platform-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kmetal-platform-admin
subjects:
  - kind: Group
    name: platform-admins
    apiGroup: rbac.authorization.k8s.io
```
Platform Viewer

```yaml
# platform-viewer-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kmetal-platform-viewer
rules:
  - apiGroups: ["kamaji.clastix.io"]
    resources: ["tenantcontrolplanes", "datastores"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cluster.x-k8s.io"]
    resources: ["clusters", "machines", "machinedeployments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods", "services", "events"]
    verbs: ["get", "list", "watch"]
```
Tenant Operator Roles
Cluster Creator

```yaml
# tenant-cluster-creator.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kmetal-cluster-creator
rules:
  - apiGroups: ["kamaji.clastix.io"]
    resources: ["tenantcontrolplanes"]
    verbs: ["create", "get", "list", "watch", "update", "patch"]
  - apiGroups: ["cluster.x-k8s.io"]
    resources: ["clusters", "machinedeployments"]
    verbs: ["create", "get", "list", "watch", "update", "patch"]
  - apiGroups: ["infrastructure.cluster.x-k8s.io"]
    resources: ["*"]
    verbs: ["create", "get", "list", "watch", "update", "patch"]
  - apiGroups: [""]
    resources: ["secrets"]
    # resourceNames cannot narrow this rule to "*-kubeconfig": RBAC compares
    # names literally (no wildcards), and "create" and "list" cannot be
    # limited by name at all. Scope the role instead by binding it with a
    # RoleBinding in each tenant namespace, not with a ClusterRoleBinding.
    verbs: ["create", "get", "list"]
```

Cluster Manager

```yaml
# tenant-cluster-manager.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kmetal-cluster-manager
  namespace: tenant-namespace
rules:
  - apiGroups: ["kamaji.clastix.io"]
    resources: ["tenantcontrolplanes"]
    verbs: ["get", "list", "watch", "update", "patch", "delete"]
  - apiGroups: ["cluster.x-k8s.io"]
    resources: ["clusters", "machines", "machinedeployments"]
    verbs: ["get", "list", "watch", "update", "patch", "delete"]
  - apiGroups: ["cluster.x-k8s.io"]
    # "scale" is not an RBAC verb: scaling goes through the /scale
    # subresource, which is granted with update/patch.
    resources: ["machinedeployments/scale"]
    verbs: ["get", "update", "patch"]
  - apiGroups: [""]
    resources: ["secrets"]
    # Name-scoped read of the tenant kubeconfig. resourceNames must be exact
    # (no "*-kubeconfig" globbing) and "list" is never restricted by name, so
    # the rule grants "get" only. Replace <cluster-name> with the tenant
    # cluster's name.
    resourceNames: ["<cluster-name>-kubeconfig"]
    verbs: ["get"]
```
Tenant Cluster RBAC
Namespace Admin

```yaml
# tenant-namespace-admin.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin
  namespace: application-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # Built-in "admin" role, limited to application-namespace by this RoleBinding.
  name: admin
subjects:
  - kind: User
    name: dev-team@company.com
    apiGroup: rbac.authorization.k8s.io
```

Application Developer

```yaml
# app-developer-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-developer
  namespace: application-namespace
rules:
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    # Full access to secrets in the namespace; drop "secrets" here if the
    # CI deployer below should not be able to read them.
    resources: ["pods", "services", "configmaps", "secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods/log", "pods/status"]
    verbs: ["get", "list"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```
OIDC Integration
Configure OIDC Provider
t.b.d.
OIDC on the tenant api-server is set via apiServer extra-args on the underlying Kamaji control plane. The kubevirt-kubeadm ClusterClass on the under cluster does not currently expose these flags as topology variables; configuring OIDC therefore requires either:
- the platform admin extending the ClusterClass with an OIDC variable that pipes into apiServer.extraArgs, or
- direct patching of the auto-created KamajiControlPlane (this is reverted by CACPK whenever the topology is re-applied).
A worked example with the canonical extension point is t.b.d. in this section.
Create OIDC Group Bindings

```yaml
# oidc-group-bindings.yaml
# Group names assume the api-server runs with --oidc-groups-prefix=oidc:
# so that IdP groups cannot collide with built-in groups such as system:masters.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: Group
    name: oidc:admins
    apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-developers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
  - kind: Group
    name: oidc:developers
    apiGroup: rbac.authorization.k8s.io
```
Service Account Management
Platform Service Accounts

```yaml
# platform-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kmetal-automation
  namespace: kmetal-flux
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kmetal-automation-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kmetal-platform-admin
subjects:
  - kind: ServiceAccount
    name: kmetal-automation
    namespace: kmetal-flux
---
# This Secret holds a non-expiring token for a platform-admin identity.
# Kubernetes no longer creates such Secrets automatically (1.24+); where the
# automation can refresh credentials, prefer short-lived bound tokens from
# `kubectl create token kmetal-automation -n kmetal-flux` instead.
apiVersion: v1
kind: Secret
metadata:
  name: kmetal-automation-token
  namespace: kmetal-flux
  annotations:
    kubernetes.io/service-account.name: kmetal-automation
type: kubernetes.io/service-account-token
```

Tenant Service Accounts

```yaml
# tenant-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-cd-deployer
  namespace: application-namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-cd-deployer-binding
  namespace: application-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: app-developer
subjects:
  - kind: ServiceAccount
    name: ci-cd-deployer
    namespace: application-namespace
```
Audit Logging
Enable Audit Logging

```yaml
# audit-policy.yaml
# Rules are evaluated top to bottom and the first match wins, so the
# Metadata rule for tenantcontrolplanes takes precedence over the
# RequestResponse rule below it.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Metadata
    resources:
      - group: "kamaji.clastix.io"
        resources: ["tenantcontrolplanes"]
  # Full request and response bodies for every write in cluster.x-k8s.io
  # (no "resources" list means every resource in the group).
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "cluster.x-k8s.io"
  # Catch-all: metadata only, which also keeps secret contents out of the log.
  - level: Metadata
    omitStages:
      - RequestReceived
```
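To see which level the policy above assigns to a given request, here is an added example (not kube-apiserver code) that replays the first-matching-rule-wins evaluation over a few constructed events; it covers only the `level`, `verbs`, `resources` and `omitStages` fields this policy uses. Note that a delete of a TenantControlPlane is logged at Metadata only, because the first rule matches before the RequestResponse rule is considered.

```python
# audit-policy.yaml from this page, as the dicts a YAML loader would return
POLICY = [
    {"level": "Metadata",
     "resources": [{"group": "kamaji.clastix.io", "resources": ["tenantcontrolplanes"]}]},
    {"level": "RequestResponse", "verbs": ["create", "update", "patch", "delete"],
     "resources": [{"group": "cluster.x-k8s.io"}]},
    {"level": "Metadata", "omitStages": ["RequestReceived"]},
]


def rule_matches(rule: dict, event: dict) -> bool:
    """A rule that omits a field matches any value of that field."""
    if rule.get("verbs") and event["verb"] not in rule["verbs"]:
        return False
    if not rule.get("resources"):
        return True
    for res in rule["resources"]:
        # A group entry without a "resources" list matches every resource in the group.
        if res.get("group", "") == event["group"] and (
                not res.get("resources") or event["resource"] in res["resources"]):
            return True
    return False


def audit_level(event: dict, policy=POLICY) -> tuple[str, list[str]]:
    """Return (level, omitted stages) from the first matching rule, as the apiserver does."""
    for rule in policy:
        if rule_matches(rule, event):
            return rule["level"], rule.get("omitStages", [])
    return "None", []  # no rule matched: the request is not logged at all


# Constructed events (verb, API group, resource) as a kMetal management cluster would see them.
EVENTS = {
    "read-tcp": {"verb": "get", "group": "kamaji.clastix.io", "resource": "tenantcontrolplanes"},
    "delete-tcp": {"verb": "delete", "group": "kamaji.clastix.io", "resource": "tenantcontrolplanes"},
    "delete-cluster": {"verb": "delete", "group": "cluster.x-k8s.io", "resource": "clusters"},
    "read-secret": {"verb": "get", "group": "", "resource": "secrets"},
}


def levels() -> dict[str, str]:
    """Audit level per sample event."""
    return {name: audit_level(ev)[0] for name, ev in EVENTS.items()}
```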
Configure Audit Webhook
t.b.d.
Audit policy and webhook flags on the tenant api-server are set via apiServer extra-args plus mounted volumes for the policy and webhook config files. The current kubevirt-kubeadm ClusterClass does not expose these as topology variables; the audit webhook setup is t.b.d. until the ClusterClass is extended with audit variables (or until a direct-patch escape hatch is documented).
Monitoring RBAC
Check User Permissions

```bash
# Check current user permissions
kubectl auth can-i create tenantcontrolplanes
# Check specific user permissions
kubectl auth can-i list pods --as=user@company.com
# Check service account permissions. The impersonated identity is
# system:serviceaccount:<namespace>:<name>; ci-cd-deployer lives in
# application-namespace, not default.
kubectl auth can-i delete deployments \
  --as=system:serviceaccount:application-namespace:ci-cd-deployer \
  -n application-namespace
```

Audit RBAC Configuration

```bash
# List all ClusterRoles
kubectl get clusterroles | grep kmetal
# List all ClusterRoleBindings
kubectl get clusterrolebindings | grep kmetal
# Check who can perform actions
kubectl auth can-i --list --as=user@company.com
# Review Role bindings in namespace
kubectl get rolebindings -n tenant-namespace -o wide
```
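The `kubectl auth can-i` checks above test what a subject can do, but not whether a manifest expresses what its author meant. As an added example (not kMetal tooling), the following static lint catches the pitfalls noted in the role comments above: a verb the RBAC authorizer does not know, a wildcard in `resourceNames`, verbs that `resourceNames` cannot restrict, and `cluster-admin` bound to a whole group. Manifests are passed as the dicts `yaml.safe_load()` would return, so it runs without a YAML library; the sample manifests are constructed to contain those mistakes.

```python
# Verbs a resource request can carry; a rule verb outside this set never matches.
KNOWN_VERBS = {"get", "list", "watch", "create", "update", "patch", "delete",
               "deletecollection", "proxy", "impersonate", "bind", "escalate", "*"}


def lint_rule(role: str, rule: dict):
    verbs, names = set(rule.get("verbs", [])), rule.get("resourceNames", [])
    for verb in sorted(verbs - KNOWN_VERBS):  # e.g. "scale": use the /scale subresource
        yield f"{role}: {verb!r} is not an RBAC verb and never matches a request"
    for name in names:
        if "*" in name or "?" in name:  # names are compared literally
            yield f"{role}: resourceNames {name!r} is matched literally; RBAC has no wildcards"
    if names and verbs & {"create", "deletecollection"}:
        yield f"{role}: create/deletecollection cannot be limited by resourceNames"
    if names and verbs & {"list", "watch"}:
        yield f"{role}: list/watch with resourceNames need a metadata.name field selector"


def lint_manifest(doc: dict) -> list[str]:
    kind, name = doc.get("kind"), doc.get("metadata", {}).get("name", "?")
    out: list[str] = []
    if kind in ("Role", "ClusterRole"):
        for rule in doc.get("rules", []):
            out.extend(lint_rule(f"{kind}/{name}", rule))
    elif kind == "ClusterRoleBinding" and doc.get("roleRef", {}).get("name") == "cluster-admin":
        for s in doc.get("subjects", []):
            if s.get("kind") == "Group":  # every IdP member of the group becomes full admin
                out.append(f"{kind}/{name}: cluster-admin bound to group {s['name']!r}")
    return out


# Constructed samples: a tenant Role with a bogus verb and a wildcard name, plus an OIDC binding.
SAMPLES = [
    {"kind": "Role", "metadata": {"name": "kmetal-cluster-manager"}, "rules": [
        {"apiGroups": ["cluster.x-k8s.io"], "resources": ["machinedeployments"],
         "verbs": ["get", "list", "update", "scale"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"],
         "resourceNames": ["*-kubeconfig"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "oidc-cluster-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "oidc:admins"}]},
]


def findings(docs=SAMPLES) -> list[str]:
    return [msg for doc in docs for msg in lint_manifest(doc)]
```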