We have multiple development teams who work and deploy their applications on Kubernetes. We use Helm to deploy our applications on Kubernetes.
Currently the challenge we are facing is with one of our shared clusters. We would like to deploy Tiller separately for each team, so they only have access to their own resources. The default cluster-admin role will not help us, and we don't want that.
Let's say we have multiple namespaces for one team. I would want to deploy a Tiller which has permission to work with resources that exist, or need to be created, in these namespaces.
Team > multiple namespaces: Tiller using a service account that has a role (having full access to those namespaces, not all of them) associated with it.
I would want to deploy a Tiller which has permission to work with resources that exist, or need to be created, in these namespaces

According to the fine manual, you'll need a ClusterRole per team, defining the kinds of operations on the kinds of resources, but then use a RoleBinding to scope those rules to a specific namespace. The two ends of the binding target will be the team's Tiller ServiceAccount and the team's ClusterRole, and then one RoleBinding instance per Namespace (even though they will be textually identical except for the namespace: portion).
I actually would expect you could make an internal Helm chart that would automate the specifics of that relationship, and then helm install --name team-alpha --set team-namespaces=ns-alpha,ns-beta my-awesome-chart, and then grant your Tiller cluster-admin or whatever more restrictive ClusterRole you wish.
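The manifests below are an added example of the ClusterRole-plus-RoleBinding-per-namespace layout the answer describes; they are not part of the answer or of the Helm project. The team name (team-alpha), the namespaces (ns-alpha, ns-beta) and the ServiceAccount name (tiller-team-alpha) are assumed placeholders. Tiller is assumed to run in ns-alpha, so the binding there also covers the ConfigMaps Helm 2's Tiller uses for release storage in its own namespace.

```yaml
# Added example (not from the answer): RBAC for a per-team Tiller (Helm 2).
# Assumed names: team-alpha, ns-alpha, ns-beta, tiller-team-alpha.
# Tiller runs in ns-alpha and may manage releases in ns-alpha and ns-beta only.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller-team-alpha
  namespace: ns-alpha            # the namespace Tiller itself is deployed into
---
# One ClusterRole per team: describes WHAT may be done, not WHERE.
# With no ClusterRoleBinding it grants nothing cluster-wide; RoleBindings
# below decide the namespaces. Narrow apiGroups/resources/verbs as needed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: team-alpha-tiller
rules:
  - apiGroups: ["", "apps", "extensions", "batch", "networking.k8s.io"]
    resources: ["*"]
    verbs: ["*"]
---
# One RoleBinding per namespace: scopes the ClusterRole's rules to that namespace.
# Tiller keeps release state in ConfigMaps in its own namespace (ns-alpha),
# so this binding also covers that storage.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-team-alpha
  namespace: ns-alpha
subjects:
  - kind: ServiceAccount
    name: tiller-team-alpha
    namespace: ns-alpha
roleRef:
  kind: ClusterRole
  name: team-alpha-tiller
  apiGroup: rbac.authorization.k8s.io
---
# Textually identical except for metadata.namespace, as the answer notes.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-team-alpha
  namespace: ns-beta
subjects:
  - kind: ServiceAccount
    name: tiller-team-alpha
    namespace: ns-alpha          # the SA lives in ns-alpha; the binding lives in ns-beta
roleRef:
  kind: ClusterRole
  name: team-alpha-tiller
  apiGroup: rbac.authorization.k8s.io
```

After applying these, Tiller is installed against that account with helm init --service-account tiller-team-alpha --tiller-namespace ns-alpha, and the team's Helm clients pass --tiller-namespace ns-alpha. The scoping can be checked before any release is deployed with kubectl auth can-i create deployments --as=system:serviceaccount:ns-alpha:tiller-team-alpha -n ns-beta (expected: yes) and the same command against a namespace outside the team's set (expected: no). Charts that themselves create Roles or RoleBindings will need the ClusterRole to cover the rbac.authorization.k8s.io group as well, and Kubernetes will still refuse to let Tiller grant permissions it does not hold itself.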