diff --git a/docs/chart_best_practices/README.md b/docs/chart_best_practices/README.md index 22908871d..58cc65407 100644 --- a/docs/chart_best_practices/README.md +++ b/docs/chart_best_practices/README.md @@ -16,5 +16,6 @@ may find that their internal interests override our suggestions here. - [Labels and Annotations](labels.md): Helm has a _heritage_ of labeling and annotating. - Kubernetes Resources: - [Pods and Pod Specs](pods.md): See the best practices for working with pod specifications. + - [Role-Based Access Control](rbac.md): Guidance on creating and using service accounts, roles, and role bindings. - [Third Party Resources](third_party_resources.md): Third Party Resources (TPRs) have their own associated best practices. diff --git a/docs/chart_best_practices/rbac.md b/docs/chart_best_practices/rbac.md new file mode 100644 index 000000000..4b84b3d42 --- /dev/null +++ b/docs/chart_best_practices/rbac.md @@ -0,0 +1,28 @@ +# Role-Based Access Control + +This part of the Best Practices Guide discusses the creation and formatting of RBAC resources in chart manifests. + +RBAC resources are: + +- ServiceAccount (namespaced) +- Role (namespaced) +- ClusterRole +- RoleBinding (namespaced) +- ClusterRoleBinding + +## RBAC-related values + +RBAC-related values in a chart should be namespaced under an `rbac` top-level key. At a minimum this key should contain these sub-keys (explained below): + +- `create` +- `serviceAccountName` + +Other keys under `rbac` may also be listed and used as well. + +## RBAC Resources Should be Created by Default + +`rbac.create` should be a boolean value controlling whether RBAC resources are created. The default should be `true`. Users who wish to manage RBAC access controls themselves can set this value to `false` (in which case see below). + +## Using RBAC Resources + +`rbac.serviceAccountName` should set the name of the ServiceAccount to be used by access-controlled resources created by the chart. If `rbac.create` is true, then a ServiceAccount with this name should be created. If `rbac.create` is false, then it should not be created, but it should still be associated with the same resources so that manually-created RBAC resources created later that reference it will function correctly. (Note that this effectively makes `rbac.serviceAccountName` a required value in these charts.)