I understand that I can copy my .kube/config
to my CI/CD server, or just name the ServiceAccount
to allow my CD pipeline to use HELM for deployment.
However, what if I want to allow deployment via Helm, but restrict a lot of other access, like:
... so basically accessing all data in the cluster, except for stateless Docker containers deployed via Helm.
Would it be possible to create a new ClusterRole
with limited rights? What verbs in a ClusterRole
does Helm need at least to function properly?
What rights does Helm need at the least?
It comes down to what your Helm chart is doing to Kubernetes.
ClusterRoles
can be bound to a particular namespace through reference in a RoleBinding
. The admin
, edit
and view
default ClusterRoles
are commonly used in this manner. For more detailed info see this description. For example edit
is a default ClusterRole
which allows read/write access to most objects in a namespace. It does not allow viewing or modifying Roles
or RoleBindings
; and granting a user cluster-admin
access at the namespace scope provides full control over every resource in the namespace, including the namespace itself.
You can also restrict a user's access to a particular namespace by using either the edit
or the admin
role. See this example.
The permissions strategy could also depend on what objects will be created by the installation. The user will need all access to those API objects that will be managed by helm installations. Using RBAC Authorization has this concept explained in more detail with several examples that you could use as a reference. Also, this source would be helpful.