RBAC permissions required for helm deployment

9/22/2020

I'm in the process of setting up RBAC for our cluster, and am setting up two roles:

  • administrators
  • developers

Administrators I'm happy with, they basically have full access to everything, but I'm not sure what permissions I am required to give to the developer users to be able to perform deployments.

We're using Helm (3) for deployments, and I want developers to be able to redeploy the app (not the initial deployment) but I'm not sure what permissions would be required for this. What I'm not certain of is how Helm manages the actual deployment. Things like pods for example. Does the user require pod creation permission, or would that not be required since pods are generally handled by the deployment resource itself?

-- PaReeOhNos
kubernetes
rbac

1 Answer

9/23/2020

If your charts are creating only deployment objects, the pods' lifecycle is managed by the Deployment controller. Helm3 needs a little elevated privileges to run, as the installation metadata (version history, etc) is managed in Secrets so the user running the installation command definitely needs full access to the Secrets object. Furthermore, the permissions strategy also depends on what objects will be created by the installation. The user will need all access to those API objects that will be managed by helm installations. A good strategy would be to manage helm releases using Helm Operator https://github.com/fluxcd/helm-operator. In this way, you'll only have to grant full access over the HelmRelease CR and will be able to protect other sensitive secrets and objects in the namespace.

-- tuxiedev
Source: StackOverflow
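A namespaced Role and RoleBinding matching the permissions the answer describes, as an added example that is not part of the original question or answer. The namespace `my-app`, the group `developers` and both object names are assumptions, as is a chart that renders only Deployments.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: helm-deployer            # assumed name
  namespace: my-app              # assumed namespace holding the release
rules:
  # Helm 3 stores each release revision as a Secret in the release namespace
  # (named sh.helm.release.v1.<release>.v<revision>), so an upgrade reads the
  # current revision, creates the next one, and prunes old history.
  # Caveat: this rule also lets the subject read every other Secret in the
  # namespace, which is the exposure the answer's operator suggestion avoids.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Objects the chart itself manages. Assumes the chart renders only
  # Deployments; add one rule per additional kind the chart renders.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # No write access to pods: the Deployment controller creates and replaces
  # them. Read-only access is optional and only helps inspect a rollout.
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-helm-deployer # assumed name
  namespace: my-app              # must match the Role's namespace
subjects:
  - kind: Group
    name: developers             # assumed group name from your authenticator
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: helm-deployer
  apiGroup: rbac.authorization.k8s.io
```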