Tiller Rbac

Tiller with RBAC #

In the previous example we installed tiller in the kube-system namespace with cluster-admin privileges. That approach is not suitable when several departments share the same cluster. Assume three departments each need to deploy to the same GKE cluster. We cannot hand all of them the tiller account, which has cluster-admin privileges. Instead, we create one namespace per department and deploy a separate tiller in each namespace with RBAC permissions scoped to that namespace.

Design #

We will have 3 namespaces

  • Travel

  • Commerce

  • Hotel

We will have 4 GCP service accounts

  • gke-cluster-admin

    IAM ROLE

    • Kubernetes Engine Cluster Admin
    • Kubernetes Engine Admin

    RBAC ROLE

    • cluster-admin
  • gke-travel-admin

    IAM ROLE

    • Kubernetes Engine Viewer

    RBAC ROLE

    • admin
  • gke-commerce-admin

    IAM ROLE

    • Kubernetes Engine Viewer

    RBAC ROLE

    • admin
  • gke-hotel-admin

    IAM ROLE

    • Kubernetes Engine Viewer

    RBAC ROLE

    • admin

Create Cluster Admin #

  • Create the service account 'gke-cluster-admin' with the two IAM roles Kubernetes Engine Cluster Admin and Kubernetes Engine Admin

  • Download the service account json (gke-cluster-admin.json)

  • Grant the cluster-admin ClusterRole to that service account. The RBAC subject is the service account's email, not the json key file; run this as an identity that is already allowed to create ClusterRoleBindings.

kubectl create clusterrolebinding cluster-admin-binding \
    --clusterrole=cluster-admin \
    --user=gke-cluster-admin@<project-name>.iam.gserviceaccount.com

Log in to GCP with the cluster-admin service account, then fetch the GKE cluster credentials #

gcloud auth activate-service-account --key-file=gke-cluster-admin.json

gcloud container clusters get-credentials <cluster-name> --project <project-name>

Create namespaces #

kubectl create namespace travel
kubectl create namespace commerce
kubectl create namespace hotel


Create Service accounts for each namespace #

If you need to segregate the permissions tiller has, you will need to create a tiller in every namespace and tie a specific service account to it.

kubectl create serviceaccount tiller --namespace travel
kubectl create serviceaccount tiller --namespace commerce
kubectl create serviceaccount tiller --namespace hotel

Create 'tiller-manager' RBAC role for each namespace #

role-tiller.yaml

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  namespace: <namespace>
rules:
- apiGroups: ["", "batch", "extensions", "apps", "rbac.authorization.k8s.io"]
  resources: ["*"]
  verbs: ["*"]

Replace <namespace> with travel, commerce and hotel in turn and create the Role once per namespace:

kubectl create -f role-tiller.yaml

Create RoleBinding for tiller in each namespace #

rolebinding-tiller.yaml (again one copy per namespace, with <namespace> substituted in both places)

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: <namespace>
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: <namespace>
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io

Create 3 IAM Service Accounts for namespaces #

Create 3 IAM service accounts with the 'Kubernetes Engine Viewer' IAM role and download their json key files:

  • gke-travel-admin

  • gke-hotel-admin

  • gke-commerce-admin

Create a RoleBinding for each of the above users #

We bind each department's service account to the built-in admin ClusterRole, scoped to its own namespace by the RoleBinding.

rb-travel-admin.yaml

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: travel-admin
  namespace: travel
subjects:
- kind: User
  name: gke-travel-admin@<project-name>.iam.gserviceaccount.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io

The same binding as a template for the other two namespaces (substitute the name, the namespace and the service account email):

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: <name>
  namespace: <namespace>
subjects:
- kind: User
  name: <user email of service account>
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io

Create a Rolebinding for tiller #

Here we grant the admin ClusterRole to the tiller service account in each namespace, again scoped by a RoleBinding so the grant stops at the namespace boundary.

kubectl create rolebinding <name-for-role-binding> --clusterrole=admin --serviceaccount=<namespace>:<service-account-name> --namespace=<namespace>

kubectl create rolebinding admin-tiller-hotel --clusterrole=admin --serviceaccount=hotel:tiller --namespace=hotel

kubectl create rolebinding admin-tiller-travel --clusterrole=admin --serviceaccount=travel:tiller --namespace=travel

kubectl create rolebinding admin-tiller-commerce --clusterrole=admin --serviceaccount=commerce:tiller --namespace=commerce

Initialize helm in each namespace #

helm init --service-account tiller --tiller-namespace travel
helm init --service-account tiller --tiller-namespace hotel
helm init --service-account tiller --tiller-namespace commerce
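Once the three tillers and their bindings exist, the property worth checking is the boundary itself: each namespace's tiller should be able to create workloads in its own namespace and nowhere else. The script below is an added example, not part of the original page; it asks the API server with `kubectl auth can-i` while impersonating each tiller service account (`--as=system:serviceaccount:<ns>:tiller`) and compares the answers over the three namespaces from this page against the expected matrix. It assumes your current kubeconfig identity may impersonate service accounts (the cluster-admin account above can); `KUBECTL` is an assumed override so the check logic can be exercised against a stub.

```shell
#!/bin/sh
# Added example: verify that each per-namespace tiller is confined to its own
# namespace. Assumes namespaces travel/commerce/hotel each hold a service
# account named "tiller", as set up on this page. KUBECTL is an assumed
# override (defaults to the real kubectl) used for dry runs against a stub.
KUBECTL=${KUBECTL:-kubectl}
NAMESPACES="travel commerce hotel"

# What the design requires: access only when the tiller owns the target namespace.
expect_access() {
  # $1 = namespace that owns the tiller, $2 = namespace being targeted
  if [ "$1" = "$2" ]; then echo yes; else echo no; fi
}

# What the cluster actually answers. `auth can-i` prints yes/no and exits
# non-zero on "no", so the exit status is swallowed and only the text is used.
actual_access() {
  $KUBECTL auth can-i create deployments \
    --as="system:serviceaccount:$1:tiller" -n "$2" 2>/dev/null || true
}

# Walk the full owner x target matrix; print one line per pair and return
# non-zero if any answer differs from the expectation.
verify_isolation() {
  rc=0
  for owner in $NAMESPACES; do
    for target in $NAMESPACES; do
      want=$(expect_access "$owner" "$target")
      got=$(actual_access "$owner" "$target")
      if [ "$want" = "$got" ]; then
        echo "ok   tiller@$owner -> $target: $got"
      else
        echo "FAIL tiller@$owner -> $target: expected $want, got '$got'"
        rc=1
      fi
    done
  done
  return $rc
}

# Run the matrix check when a kubectl (or stub) is available on this machine.
if command -v "$KUBECTL" >/dev/null 2>&1; then
  verify_isolation || echo "tiller namespace isolation check FAILED"
fi
```

Any FAIL line for an off-diagonal pair means a tiller can reach into another department's namespace, which is exactly what the per-namespace RoleBindings are meant to prevent.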

Install an app using the tiller account #

Log in to GKE using the namespace admin service account (gke-travel-admin, gke-hotel-admin or gke-commerce-admin) and fetch the cluster credentials:

gcloud auth activate-service-account --key-file=gke-travel-admin.json

gcloud container clusters get-credentials <cluster-name> --project <project-name>

helm install my-app/ --name <name-for-helm> --tiller-namespace <namespace-of-tiller> --namespace <namespace-where-you-want-to-deploy-the-app>

helm install my-app/ --name test-hotel-my-app  --tiller-namespace hotel --namespace hotel

helm install my-app/ --name test-commerce-bak-my-app  --tiller-namespace travel --namespace commerce

helm install my-app/ --name test-travel-bak-my-app  --tiller-namespace travel --namespace travel