ingress-nginx-helm/docs/deploy/rbac.md

# Role Based Access Control (RBAC)

## Overview

This example applies to ingress-nginx-controllers being deployed in an environment with RBAC enabled.

Role Based Access Control is comprised of four layers:

1. `ClusterRole` - permissions assigned to a role that apply to an entire cluster
2. `ClusterRoleBinding` - binding a ClusterRole to a specific account
3. `Role` - permissions assigned to a role that apply to a specific namespace
4. `RoleBinding` - binding a Role to a specific account

In order for RBAC to be applied to an ingress-nginx-controller, that controller
should be assigned to a `ServiceAccount`.  That `ServiceAccount` should be
bound to the `Role`s and `ClusterRole`s defined for the ingress-nginx-controller.

## Service Accounts created in this example

One ServiceAccount is created in this example, `ingress-nginx`.

## Permissions Granted in this example

There are two sets of permissions defined in this example.  Cluster-wide
permissions defined by the `ClusterRole` named `ingress-nginx`, and
namespace specific permissions defined by the `Role` named `ingress-nginx`.

### Cluster Permissions

These permissions are granted in order for the ingress-nginx-controller to be
able to function as an ingress across the cluster.  These permissions are
granted to the ClusterRole named `ingress-nginx`

* `configmaps`, `endpoints`, `nodes`, `pods`, `secrets`: list, watch
* `nodes`: get
* `services`, `ingresses`: get, list, watch
* `events`: create, patch
* `ingresses/status`: update

### Namespace Permissions

These permissions are granted specific to the ingress-nginx namespace.  These
permissions are granted to the Role named `ingress-nginx`

* `configmaps`, `pods`, `secrets`: get
* `endpoints`: get

Furthermore to support leader-election, the ingress-nginx-controller needs to
have access to a `configmap` using the resourceName `ingress-controller-leader-nginx`

> Note that resourceNames can NOT be used to limit requests using the “create”
> verb because authorizers only have access to information that can be obtained
> from the request URL, method, and headers (resource names in a “create” request
> are part of the request body).

* `configmaps`: get, update (for resourceName `ingress-controller-leader-nginx`)
* `configmaps`: create

This resourceName is the concatenation of the `election-id` and the
`ingress-class` as defined by the ingress-controller, which defaults to:

* `election-id`: `ingress-controller-leader`
* `ingress-class`: `nginx`
* `resourceName` : `<election-id>-<ingress-class>`

Please adapt accordingly if you overwrite either parameter when launching the
ingress-nginx-controller.

### Bindings

The ServiceAccount `ingress-nginx` is bound to the Role
`ingress-nginx` and the ClusterRole `ingress-nginx`.

The serviceAccountName associated with the containers in the deployment must
match the serviceAccount. The namespace references in the Deployment metadata, 
container arguments, and POD_NAMESPACE should be in the ingress-nginx namespace.
Move deployment documentation under docs/deploy/ 2018-04-24 10:19:11 +00:00			`# Role Based Access Control (RBAC)`
added rbac example discussed in kubernetes/ingress issue #266 2017-05-22 21:12:23 +00:00
			`## Overview`

Fix names in documentation (#7940) * Fix names in documentation This fixes the documentation to reflect the name change from `nginx-ingress` to `ingress-nginx`. Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> * Revert accidental changelog update Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> 2021-11-28 21:11:22 +00:00			`This example applies to ingress-nginx-controllers being deployed in an environment with RBAC enabled.`
added rbac example discussed in kubernetes/ingress issue #266 2017-05-22 21:12:23 +00:00
			`Role Based Access Control is comprised of four layers:`

Split documentation 2017-10-13 13:55:03 +00:00			1. `ClusterRole` - permissions assigned to a role that apply to an entire cluster
			2. `ClusterRoleBinding` - binding a ClusterRole to a specific account
			3. `Role` - permissions assigned to a role that apply to a specific namespace
			4. `RoleBinding` - binding a Role to a specific account
added rbac example discussed in kubernetes/ingress issue #266 2017-05-22 21:12:23 +00:00
Fix names in documentation (#7940) * Fix names in documentation This fixes the documentation to reflect the name change from `nginx-ingress` to `ingress-nginx`. Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> * Revert accidental changelog update Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> 2021-11-28 21:11:22 +00:00			`In order for RBAC to be applied to an ingress-nginx-controller, that controller`
added rbac example discussed in kubernetes/ingress issue #266 2017-05-22 21:12:23 +00:00			should be assigned to a `ServiceAccount`. That `ServiceAccount` should be
Fix names in documentation (#7940) * Fix names in documentation This fixes the documentation to reflect the name change from `nginx-ingress` to `ingress-nginx`. Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> * Revert accidental changelog update Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> 2021-11-28 21:11:22 +00:00			bound to the `Role`s and `ClusterRole`s defined for the ingress-nginx-controller.
added rbac example discussed in kubernetes/ingress issue #266 2017-05-22 21:12:23 +00:00
			`## Service Accounts created in this example`

Fix names in documentation (#7940) * Fix names in documentation This fixes the documentation to reflect the name change from `nginx-ingress` to `ingress-nginx`. Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> * Revert accidental changelog update Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> 2021-11-28 21:11:22 +00:00			One ServiceAccount is created in this example, `ingress-nginx`.
added rbac example discussed in kubernetes/ingress issue #266 2017-05-22 21:12:23 +00:00
			`## Permissions Granted in this example`

			`There are two sets of permissions defined in this example. Cluster-wide`
Fix names in documentation (#7940) * Fix names in documentation This fixes the documentation to reflect the name change from `nginx-ingress` to `ingress-nginx`. Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> * Revert accidental changelog update Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> 2021-11-28 21:11:22 +00:00			permissions defined by the `ClusterRole` named `ingress-nginx`, and
			namespace specific permissions defined by the `Role` named `ingress-nginx`.
added rbac example discussed in kubernetes/ingress issue #266 2017-05-22 21:12:23 +00:00
			`### Cluster Permissions`

Fix names in documentation (#7940) * Fix names in documentation This fixes the documentation to reflect the name change from `nginx-ingress` to `ingress-nginx`. Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> * Revert accidental changelog update Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> 2021-11-28 21:11:22 +00:00			`These permissions are granted in order for the ingress-nginx-controller to be`
added rbac example discussed in kubernetes/ingress issue #266 2017-05-22 21:12:23 +00:00			`able to function as an ingress across the cluster. These permissions are`
Fix names in documentation (#7940) * Fix names in documentation This fixes the documentation to reflect the name change from `nginx-ingress` to `ingress-nginx`. Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> * Revert accidental changelog update Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> 2021-11-28 21:11:22 +00:00			granted to the ClusterRole named `ingress-nginx`
added rbac example discussed in kubernetes/ingress issue #266 2017-05-22 21:12:23 +00:00
			* `configmaps`, `endpoints`, `nodes`, `pods`, `secrets`: list, watch
Fix #798 - RBAC for leader election Using gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.7 the nginx-controller needs to handle leader-election via configmaps. To perform the leader-election the nginx-controller needs to have the appropiate RBAC permissions. Previously to this fix, the following errors occured: - cannot get configmaps in the namespace "NAMESPACE_PLACEHOLDER". (get configmaps ingress-controller-leader-nginx) - initially creating leader election record: User "system:serviceaccount:NAMESPACE_PLACEHOLDER" cannot create configmaps in the namespace "NAMESPACE_PLACEHOLDER". (post configmaps) fix ingress rbac roles There was 2 things that the current IC (0.9 beta7) needs. The ClusterRole was missing `get nodes`: ``` RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "get" resource "nodes" named "xxx" cluster-wide ``` The Role was missing `update configmaps`: ```RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "update" resource "configmaps" named "ingress-controller-leader-nginx" in namespace "kube-system"``` removed update configmap because of #798 rebased on master, moved get nodes to own rule added get nodes to cluster permissions 2017-06-01 11:47:16 +00:00			* `nodes`: get
added rbac example discussed in kubernetes/ingress issue #266 2017-05-22 21:12:23 +00:00			* `services`, `ingresses`: get, list, watch
			* `events`: create, patch
			* `ingresses/status`: update

			`### Namespace Permissions`

Fix names in documentation (#7940) * Fix names in documentation This fixes the documentation to reflect the name change from `nginx-ingress` to `ingress-nginx`. Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> * Revert accidental changelog update Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> 2021-11-28 21:11:22 +00:00			`These permissions are granted specific to the ingress-nginx namespace. These`
			permissions are granted to the Role named `ingress-nginx`
added rbac example discussed in kubernetes/ingress issue #266 2017-05-22 21:12:23 +00:00
			* `configmaps`, `pods`, `secrets`: get
Update RBAC documentation for `endpoints` (#2139) For the Role named `nginx-ingress-role`, `endpoints` no longer needs or has `create` and `update` permissions. This confused me, so I hope this helps! 2018-02-24 13:31:22 +00:00			* `endpoints`: get
added rbac example discussed in kubernetes/ingress issue #266 2017-05-22 21:12:23 +00:00
Fix names in documentation (#7940) * Fix names in documentation This fixes the documentation to reflect the name change from `nginx-ingress` to `ingress-nginx`. Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> * Revert accidental changelog update Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> 2021-11-28 21:11:22 +00:00			`Furthermore to support leader-election, the ingress-nginx-controller needs to`
Fix #798 - RBAC for leader election Using gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.7 the nginx-controller needs to handle leader-election via configmaps. To perform the leader-election the nginx-controller needs to have the appropiate RBAC permissions. Previously to this fix, the following errors occured: - cannot get configmaps in the namespace "NAMESPACE_PLACEHOLDER". (get configmaps ingress-controller-leader-nginx) - initially creating leader election record: User "system:serviceaccount:NAMESPACE_PLACEHOLDER" cannot create configmaps in the namespace "NAMESPACE_PLACEHOLDER". (post configmaps) fix ingress rbac roles There was 2 things that the current IC (0.9 beta7) needs. The ClusterRole was missing `get nodes`: ``` RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "get" resource "nodes" named "xxx" cluster-wide ``` The Role was missing `update configmaps`: ```RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "update" resource "configmaps" named "ingress-controller-leader-nginx" in namespace "kube-system"``` removed update configmap because of #798 rebased on master, moved get nodes to own rule added get nodes to cluster permissions 2017-06-01 11:47:16 +00:00			have access to a `configmap` using the resourceName `ingress-controller-leader-nginx`

rbac-nginx: resourceNames cannot filter create verb 2017-06-03 09:24:35 +00:00			`> Note that resourceNames can NOT be used to limit requests using the “create”`
			`> verb because authorizers only have access to information that can be obtained`
			`> from the request URL, method, and headers (resource names in a “create” request`
			`> are part of the request body).`

			* `configmaps`: get, update (for resourceName `ingress-controller-leader-nginx`)
			* `configmaps`: create
Fix #798 - RBAC for leader election Using gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.7 the nginx-controller needs to handle leader-election via configmaps. To perform the leader-election the nginx-controller needs to have the appropiate RBAC permissions. Previously to this fix, the following errors occured: - cannot get configmaps in the namespace "NAMESPACE_PLACEHOLDER". (get configmaps ingress-controller-leader-nginx) - initially creating leader election record: User "system:serviceaccount:NAMESPACE_PLACEHOLDER" cannot create configmaps in the namespace "NAMESPACE_PLACEHOLDER". (post configmaps) fix ingress rbac roles There was 2 things that the current IC (0.9 beta7) needs. The ClusterRole was missing `get nodes`: ``` RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "get" resource "nodes" named "xxx" cluster-wide ``` The Role was missing `update configmaps`: ```RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "update" resource "configmaps" named "ingress-controller-leader-nginx" in namespace "kube-system"``` removed update configmap because of #798 rebased on master, moved get nodes to own rule added get nodes to cluster permissions 2017-06-01 11:47:16 +00:00
			This resourceName is the concatenation of the `election-id` and the
Fix minor typo in Role Based Access Control 2017-08-16 21:46:45 +00:00			`ingress-class` as defined by the ingress-controller, which defaults to:
Fix #798 - RBAC for leader election Using gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.7 the nginx-controller needs to handle leader-election via configmaps. To perform the leader-election the nginx-controller needs to have the appropiate RBAC permissions. Previously to this fix, the following errors occured: - cannot get configmaps in the namespace "NAMESPACE_PLACEHOLDER". (get configmaps ingress-controller-leader-nginx) - initially creating leader election record: User "system:serviceaccount:NAMESPACE_PLACEHOLDER" cannot create configmaps in the namespace "NAMESPACE_PLACEHOLDER". (post configmaps) fix ingress rbac roles There was 2 things that the current IC (0.9 beta7) needs. The ClusterRole was missing `get nodes`: ``` RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "get" resource "nodes" named "xxx" cluster-wide ``` The Role was missing `update configmaps`: ```RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "update" resource "configmaps" named "ingress-controller-leader-nginx" in namespace "kube-system"``` removed update configmap because of #798 rebased on master, moved get nodes to own rule added get nodes to cluster permissions 2017-06-01 11:47:16 +00:00
			* `election-id`: `ingress-controller-leader`
			* `ingress-class`: `nginx`
			* `resourceName` : `<election-id>-<ingress-class>`

			`Please adapt accordingly if you overwrite either parameter when launching the`
Fix names in documentation (#7940) * Fix names in documentation This fixes the documentation to reflect the name change from `nginx-ingress` to `ingress-nginx`. Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> * Revert accidental changelog update Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> 2021-11-28 21:11:22 +00:00			`ingress-nginx-controller.`
Fix #798 - RBAC for leader election Using gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.7 the nginx-controller needs to handle leader-election via configmaps. To perform the leader-election the nginx-controller needs to have the appropiate RBAC permissions. Previously to this fix, the following errors occured: - cannot get configmaps in the namespace "NAMESPACE_PLACEHOLDER". (get configmaps ingress-controller-leader-nginx) - initially creating leader election record: User "system:serviceaccount:NAMESPACE_PLACEHOLDER" cannot create configmaps in the namespace "NAMESPACE_PLACEHOLDER". (post configmaps) fix ingress rbac roles There was 2 things that the current IC (0.9 beta7) needs. The ClusterRole was missing `get nodes`: ``` RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "get" resource "nodes" named "xxx" cluster-wide ``` The Role was missing `update configmaps`: ```RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "update" resource "configmaps" named "ingress-controller-leader-nginx" in namespace "kube-system"``` removed update configmap because of #798 rebased on master, moved get nodes to own rule added get nodes to cluster permissions 2017-06-01 11:47:16 +00:00
added rbac example discussed in kubernetes/ingress issue #266 2017-05-22 21:12:23 +00:00			`### Bindings`

Fix names in documentation (#7940) * Fix names in documentation This fixes the documentation to reflect the name change from `nginx-ingress` to `ingress-nginx`. Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> * Revert accidental changelog update Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> 2021-11-28 21:11:22 +00:00			The ServiceAccount `ingress-nginx` is bound to the Role
			`ingress-nginx` and the ClusterRole `ingress-nginx`.
added rbac example discussed in kubernetes/ingress issue #266 2017-05-22 21:12:23 +00:00
			`The serviceAccountName associated with the containers in the deployment must`
Split documentation 2017-10-13 13:55:03 +00:00			`match the serviceAccount. The namespace references in the Deployment metadata,`
Fix names in documentation (#7940) * Fix names in documentation This fixes the documentation to reflect the name change from `nginx-ingress` to `ingress-nginx`. Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> * Revert accidental changelog update Signed-off-by: Reinhard Nägele <unguiculus@gmail.com> 2021-11-28 21:11:22 +00:00			`container arguments, and POD_NAMESPACE should be in the ingress-nginx namespace.`