Deploy from CI/CD via HELM to external Kubernetes cluster with limited rights

6/16/2021

I understand that I can copy my .kube/config to my CI/CD server, or just name the ServiceAccount to allow my CD pipeline to use HELM for deployment.

However, what if I want to allow deployment via Helm, but restrict a lot of other access, like:

  • reading data from pods or a deployed database
  • port-forward services

... so basically accessing all data in the cluster, except for stateless Docker containers deployed via Helm.

Would it be possible to create a new ClusterRole with limited rights? What verbs in a ClusterRole does Helm need at least to function properly?

What rights does Helm need at the least?

-- rStorms
kubernetes
kubernetes-helm
rbac

1 Answer

6/29/2021

It comes down to what your Helm chart is doing to Kubernetes.

ClusterRoles can be bound to a particular namespace through reference in a RoleBinding. The admin, edit and view default ClusterRoles are commonly used in this manner. For more detailed info see this description. For example edit is a default ClusterRole which allows read/write access to most objects in a namespace. It does not allow viewing or modifying Roles or RoleBindings; and granting a user cluster-admin access at the namespace scope provides full control over every resource in the namespace, including the namespace itself.

You can also restrict a user's access to a particular namespace by using either the edit or the admin role. See this example.

The permissions strategy could also depend on what objects will be created by the installation. The user will need all access to those API objects that will be managed by helm installations. Using RBAC Authorization has this concept explained in more detail with several examples that you could use as a reference. Also, this source would be helpful.

-- WytrzymaƂy Wiktor
Source: StackOverflow