Merge pull request #1275 from jcmoraisjr/jm-haproxy-rbac

HAProxy Ingress RBAC sample
2017-08-30 20:51:27 -04:00 · 2017-08-30 20:51:27 -04:00 · ae44d8ec05
commit ae44d8ec05
parent 58c94d40e4 b1980c8fbd
2 changed files with 213 additions and 0 deletions
--- a/examples/rbac/haproxy/README.md
+++ b/examples/rbac/haproxy/README.md
@ -0,0 +1,80 @@
 # Role Based Access Control
 This example demonstrates how to authorize an ingress controller on a cluster
 with role based access control.
 ## Overview
 This example applies to ingress controllers being deployed in an environment with
 [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) enabled.
 ## Service Account created in this example
 One ServiceAccount is created in this example, `ingress-controller`. See
 [Using cert based authentication](#using-cert-based-authentication)
 below if using client cert authentication.
 ## Permissions Granted in this example
 There are two sets of permissions defined in this example.  Cluster-wide
 permissions defined by a `ClusterRole` and namespace specific permissions
 defined by a `Role`, both named `ingress-controller`.
 ### Cluster Permissions
 These permissions are granted in order for the ingress-controller to be
 able to function as an ingress across the cluster. These permissions are
 granted to the ClusterRole:
 * `configmaps`, `endpoints`, `nodes`, `pods`, `secrets`: list, watch
 * `nodes`: get
 * `services`, `ingresses`: get, list, watch
 * `events`: create, patch
 * `ingresses/status`: update
 ### Namespace Permissions
 These permissions are granted specific to the `ingress-controller` namespace.
 The Role permissions are:
 * `configmaps`, `pods`, `secrets`: get
 * `endpoints`: create, get, update
 Furthermore to support leader-election, the ingress controller needs to
 have access to a `configmap` in the `ingress-controller` namespace:
 * `configmaps`: get, update, create
 ## Namespace created in this example
 The `Namespace` named `ingress-controller` is defined in this example. The
 namespace name can be changed arbitrarily as long as all of the references
 change as well.
 ## Usage
 1. Create the `Namespace`, `Service Account`, `ClusterRole`, `Role`,
 `ClusterRoleBinding`, and `RoleBinding`:
 ```console
 $ kubectl create -f ingress-controller-rbac.yml
 ```
 2. Deploy the ingress controller. The deployment should be configured to use
 the `ingress-controller` service account name if not using kubeconfig and
 client cert based authentication. Add the `serviceAccountName` to the pod
 template spec:
 ```yaml
 spec:
  template:
    spec:
      serviceAccountName: ingress-controller
 ```
 ## Using cert based authentication
 A client certificate based authentication can also be used with the following changes:
 1. No need to add the `serviceAccountName` to the pod template spec.
 2. Sign a client certificate using `ingress-controller` as it's common name.
--- a/examples/rbac/haproxy/ingress-controller-rbac.yml
+++ b/examples/rbac/haproxy/ingress-controller-rbac.yml
@ -0,0 +1,133 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: ingress-controller
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: ingress-controller
  namespace: ingress-controller
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: ingress-controller
 rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
  name: ingress-controller
  namespace: ingress-controller
 rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
      - create
      - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: ingress-controller
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-controller
 subjects:
  - kind: ServiceAccount
    name: ingress-controller
    namespace: ingress-controller
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: ingress-controller
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: ingress-controller
  namespace: ingress-controller
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-controller
 subjects:
  - kind: ServiceAccount
    name: ingress-controller
    namespace: ingress-controller
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: ingress-controller