From 41415e5c42ac0ad40c59bcca8f0115910bc106e3 Mon Sep 17 00:00:00 2001 From: omkensey Date: Tue, 21 Nov 2017 23:05:55 -0500 Subject: [PATCH] RBAC best practices (#3184) Document chart best practices related to RBAC. Fixes #3098. --- docs/chart_best_practices/README.md | 1 + docs/chart_best_practices/rbac.md | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 docs/chart_best_practices/rbac.md diff --git a/docs/chart_best_practices/README.md b/docs/chart_best_practices/README.md index 22908871d..58cc65407 100644 --- a/docs/chart_best_practices/README.md +++ b/docs/chart_best_practices/README.md @@ -16,5 +16,6 @@ may find that their internal interests override our suggestions here. - [Labels and Annotations](labels.md): Helm has a _heritage_ of labeling and annotating. - Kubernetes Resources: - [Pods and Pod Specs](pods.md): See the best practices for working with pod specifications. + - [Role-Based Access Control](rbac.md): Guidance on creating and using service accounts, roles, and role bindings. - [Third Party Resources](third_party_resources.md): Third Party Resources (TPRs) have their own associated best practices. diff --git a/docs/chart_best_practices/rbac.md b/docs/chart_best_practices/rbac.md new file mode 100644 index 000000000..4b84b3d42 --- /dev/null +++ b/docs/chart_best_practices/rbac.md @@ -0,0 +1,28 @@ +# Role-Based Access Control + +This part of the Best Practices Guide discusses the creation and formatting of RBAC resources in chart manifests. + +RBAC resources are: + +- ServiceAccount (namespaced) +- Role (namespaced) +- ClusterRole +- RoleBinding (namespaced) +- ClusterRoleBinding + +## RBAC-related values + +RBAC-related values in a chart should be namespaced under an `rbac` top-level key. At a minimum this key should contain these sub-keys (explained below): + +- `create` +- `serviceAccountName` + +Other keys under `rbac` may also be listed and used as well. + +## RBAC Resources Should be Created by Default + +`rbac.create` should be a boolean value controlling whether RBAC resources are created. The default should be `true`. Users who wish to manage RBAC access controls themselves can set this value to `false` (in which case see below). + +## Using RBAC Resources + +`rbac.serviceAccountName` should set the name of the ServiceAccount to be used by access-controlled resources created by the chart. If `rbac.create` is true, then a ServiceAccount with this name should be created. If `rbac.create` is false, then it should not be created, but it should still be associated with the same resources so that manually-created RBAC resources created later that reference it will function correctly. (Note that this effectively makes `rbac.serviceAccountName` a required value in these charts.)