Kubernetes RBAC
ServiceAccount, ClusterRole, and permission requirements for knodex
Overview
knodex requires Kubernetes RBAC permissions to:
- Read ResourceGraphDefinitions (RGDs) across all namespaces
- Create/Read/Delete RGD Instances in project namespaces
- Manage Secrets for storing projects and repositories
- Create Namespaces for projects
ServiceAccount
The Helm chart automatically creates a ServiceAccount:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: knodex
  namespace: knodex

Required Permissions
Cluster-Level Permissions
knodex requires a ClusterRole because it reads RGDs across all namespaces:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: knodex
rules:
  # Read ResourceGraphDefinitions (RGDs)
  - apiGroups: ["kro.run"]
    resources: ["resourcegraphdefinitions"]
    verbs: ["get", "list", "watch"]
  # Manage RGD instances. Wildcard apiGroups and resources combined with
  # write verbs is cluster-wide write access to every API type, close to
  # cluster-admin; see Security Considerations for a narrower form.
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  # Manage namespaces for projects
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "create", "delete"]
  # Read pods and services for API discovery and diagnostics
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps", "secrets"]
    verbs: ["get", "list"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets"]
    verbs: ["get", "list"]
  # knodex secrets management
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: knodex
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: knodex
subjects:
  - kind: ServiceAccount
    name: knodex
    namespace: knodex

Project Namespace Permissions
For each project namespace, knodex needs full control:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: knodex-project
  namespace: kro-engineering # Created per project
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: knodex-project
  namespace: kro-engineering
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: knodex-project
subjects:
  - kind: ServiceAccount
    name: knodex
    namespace: knodex

User authorization is handled by Casbin policies defined in the Project CRD's .spec.roles, not by Kubernetes RBAC. See the RBAC Configuration Guide for details on configuring user permissions.
Verification
Check ServiceAccount
kubectl get serviceaccount knodex -n knodex

Check ClusterRole
kubectl get clusterrole knodex
kubectl describe clusterrole knodex

Check ClusterRoleBinding
kubectl get clusterrolebinding knodex

Test Permissions
# Test as ServiceAccount
kubectl auth can-i get resourcegraphdefinitions \
  --as=system:serviceaccount:knodex:knodex \
  --all-namespaces
# Should return: yes

Verify Secrets
# List project secrets
kubectl get secrets -n knodex -l knodex.io/secret-type=project
# List repository secrets
kubectl get secrets -n knodex -l knodex.io/secret-type=repository
# List user configs
kubectl get configmaps -n knodex -l knodex.io/config-type=user

Security Considerations
Principle of Least Privilege
While knodex requires broad permissions to manage RGDs, you can restrict:
- Namespace Access: Limit to specific namespaces using Role instead of ClusterRole
- Resource Types: Restrict to specific RGD types
- Verbs: Use read-only for sensitive resources
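Before trimming a role it helps to see which of its rules are the broad ones. The script below is an added example, not knodex project code: it reads the JSON that `kubectl get clusterrole knodex -o json` emits on stdin, or, when nothing is piped in, audits an embedded copy of the ClusterRole shown above. The tag names, the verb sets and the choice of what counts as sensitive are the example's own.

```python
import json
import sys

# Verbs that change state; "*" matches every verb, these included.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
# Verbs that let a subject hand out or assume permissions beyond its own.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
RBAC_RESOURCES = {"roles", "clusterroles", "rolebindings", "clusterrolebindings"}

# Constructed sample mirroring the knodex ClusterRole shown on this page.
SAMPLE_CLUSTERROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "knodex"},
    "rules": [
        {"apiGroups": ["kro.run"], "resources": ["resourcegraphdefinitions"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["*"], "resources": ["*"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]},
        {"apiGroups": [""], "resources": ["namespaces"],
         "verbs": ["get", "list", "create", "delete"]},
        {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"],
         "verbs": ["get", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets", "daemonsets"],
         "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
}


def _covers(selected, wanted):
    """True if a rule's apiGroups/resources list matches `wanted` (wildcard included)."""
    return "*" in selected or wanted in selected


def audit_rule(rule):
    """Return the tags that apply to one PolicyRule; an empty list means nothing notable."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    if not verbs:
        # RBAC is additive: a rule with no verbs grants nothing and denies nothing
        # (and the API server rejects it on apply), so it is a leftover, not a deny.
        return ["empty-verbs"]
    writes = bool(verbs & WRITE_VERBS)
    tags = []
    if "*" in groups and "*" in resources and writes:
        tags.append("wildcard-write")  # effectively cluster-admin
    if verbs & ESCALATION_VERBS:
        tags.append("escalation-verb")
    if _covers(groups, "") and _covers(resources, "secrets"):
        tags.append("secrets-write" if writes else "secrets-read")
    if (_covers(groups, "rbac.authorization.k8s.io") and writes
            and any(_covers(resources, r) for r in RBAC_RESOURCES)):
        tags.append("rbac-write")  # can rewrite the RBAC objects themselves
    return tags


def audit_rules(rules):
    """Map rule index -> tags for every rule that has at least one tag."""
    findings = {}
    for index, rule in enumerate(rules):
        tags = audit_rule(rule)
        if tags:
            findings[index] = tags
    return findings


def main():
    # Read `kubectl get clusterrole <name> -o json` from stdin, or fall back to the sample.
    role = SAMPLE_CLUSTERROLE if sys.stdin.isatty() else json.load(sys.stdin)
    rules = role.get("rules", [])
    name = role.get("metadata", {}).get("name", "<unnamed>")
    findings = audit_rules(rules)
    for index, tags in findings.items():
        print(f"{name} rules[{index}] {', '.join(tags)}: {json.dumps(rules[index])}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the page's ClusterRole it reports the wildcard rule (which also covers secrets and the RBAC resources), the read rule that includes secrets, and the dedicated secrets rule; the RGD, namespace and apps rules pass. A non-zero exit makes it usable as a pre-apply gate in CI.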
Example: Restricted Permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: knodex-restricted
rules:
  # Read-only RGDs
  - apiGroups: ["kro.run"]
    resources: ["resourcegraphdefinitions"]
    verbs: ["get", "list", "watch"]
  # Manage only specific instance types
  - apiGroups: ["example.com"]
    resources: ["webapplications", "databases"]
    verbs: ["get", "list", "watch", "create", "delete"]
  # No access to secrets: simply omit the rule. Kubernetes RBAC is purely
  # additive and has no deny rule, and the API server rejects a PolicyRule
  # whose verbs list is empty, so an entry with `verbs: []` can neither be
  # applied nor act as a deny. Secrets access granted by any other Role or
  # ClusterRole bound to the same ServiceAccount still applies.

Troubleshooting
"Forbidden: User Cannot List ResourceGraphDefinitions"
Cause: Missing ClusterRole permissions
Solution:
# Check ClusterRoleBinding
kubectl get clusterrolebinding knodex
# Re-apply RBAC
kubectl apply -f clusterrole.yaml
kubectl apply -f clusterrolebinding.yaml
# Restart server
kubectl rollout restart deployment knodex-server -n knodex

"Cannot Create Namespace for Project"
Cause: ServiceAccount lacks namespace creation permission
Solution:
# Add to ClusterRole
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["create", "delete"]
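Both troubleshooting entries start by working out which permission the ServiceAccount lacks. The script below is an added example, not part of knodex: it generalises the single `kubectl auth can-i` check from the Verification section to the whole permission set listed in Overview and reports the denied ones. The REQUIRED_PERMISSIONS table is constructed from this page's ClusterRole, the subject defaults to the knodex ServiceAccount in the knodex namespace, and the `runner` argument exists only so the logic can be exercised without a cluster.

```python
import subprocess
import sys

# Constructed from the Overview and ClusterRole on this page:
# (verb, resource, apiGroup, namespace). namespace=None means cluster-wide.
REQUIRED_PERMISSIONS = [
    ("get", "resourcegraphdefinitions", "kro.run", None),
    ("list", "resourcegraphdefinitions", "kro.run", None),
    ("watch", "resourcegraphdefinitions", "kro.run", None),
    ("create", "namespaces", "", None),
    ("delete", "namespaces", "", None),
    ("list", "pods", "", None),
    ("list", "deployments", "apps", None),
    ("create", "secrets", "", "knodex"),
    ("update", "secrets", "", "knodex"),
    ("delete", "secrets", "", "knodex"),
]


def can_i_args(verb, resource, group="", namespace=None,
               sa_namespace="knodex", sa_name="knodex"):
    """Build the `kubectl auth can-i` command line for one permission check."""
    target = f"{resource}.{group}" if group else resource  # resource.group form
    args = ["kubectl", "auth", "can-i", verb, target,
            f"--as=system:serviceaccount:{sa_namespace}:{sa_name}"]
    args += ["--all-namespaces"] if namespace is None else ["-n", namespace]
    return args


def run_kubectl(args):
    """Run kubectl and return its stdout. can-i exits 1 on "no", so no check=True."""
    proc = subprocess.run(args, capture_output=True, text=True)
    return proc.stdout.strip()


def missing_permissions(required=REQUIRED_PERMISSIONS, runner=run_kubectl, **subject):
    """Return the (verb, resource, group, namespace) tuples the subject is denied."""
    missing = []
    for verb, resource, group, namespace in required:
        answer = runner(can_i_args(verb, resource, group, namespace, **subject))
        if answer.lower() != "yes":
            missing.append((verb, resource, group, namespace))
    return missing


def main():
    missing = missing_permissions()
    if not missing:
        print("all required permissions granted")
        return 0
    for verb, resource, group, namespace in missing:
        scope = "cluster-wide" if namespace is None else f"namespace {namespace}"
        target = f"{resource}.{group}" if group else resource
        print(f"MISSING: {verb} {target} ({scope})")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the cluster user who installed the chart; impersonating the ServiceAccount with --as requires the impersonate verb on serviceaccounts, which cluster-admin has. A non-empty MISSING list points at the rule to re-apply before restarting the server.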