RBAC best practices (#3184)

Document chart best practices related to RBAC.

Fixes #3098.
pull/3183/head
omkensey 7 years ago committed by Matt Butcher
parent 79ccafde2b
commit 41415e5c42

@ -16,5 +16,6 @@ may find that their internal interests override our suggestions here.
- [Labels and Annotations](labels.md): Helm has a _heritage_ of labeling and annotating. - [Labels and Annotations](labels.md): Helm has a _heritage_ of labeling and annotating.
- Kubernetes Resources: - Kubernetes Resources:
- [Pods and Pod Specs](pods.md): See the best practices for working with pod specifications. - [Pods and Pod Specs](pods.md): See the best practices for working with pod specifications.
- [Role-Based Access Control](rbac.md): Guidance on creating and using service accounts, roles, and role bindings.
- [Third Party Resources](third_party_resources.md): Third Party Resources (TPRs) have their own associated best practices. - [Third Party Resources](third_party_resources.md): Third Party Resources (TPRs) have their own associated best practices.

@ -0,0 +1,28 @@
# Role-Based Access Control
This part of the Best Practices Guide discusses the creation and formatting of RBAC resources in chart manifests.
RBAC resources are:
- ServiceAccount (namespaced)
- Role (namespaced)
- ClusterRole
- RoleBinding (namespaced)
- ClusterRoleBinding
## RBAC-related values
RBAC-related values in a chart should be namespaced under an `rbac` top-level key. At a minimum this key should contain these sub-keys (explained below):
- `create`
- `serviceAccountName`
Other keys under `rbac` may also be listed and used as well.
## RBAC Resources Should be Created by Default
`rbac.create` should be a boolean value controlling whether RBAC resources are created. The default should be `true`. Users who wish to manage RBAC access controls themselves can set this value to `false` (in which case see below).
## Using RBAC Resources
`rbac.serviceAccountName` should set the name of the ServiceAccount to be used by access-controlled resources created by the chart. If `rbac.create` is true, then a ServiceAccount with this name should be created. If `rbac.create` is false, then it should not be created, but it should still be associated with the same resources so that manually-created RBAC resources created later that reference it will function correctly. (Note that this effectively makes `rbac.serviceAccountName` a required value in these charts.)
Loading…
Cancel
Save