RBAC roles and rolebindings for k8s actions


#1

Hi everyone,

Has anyone figured out how Buddy communicates with a GKE cluster during setup and execution of the “Kubernetes Set Image” action? I am trying to create an RBAC profile but I can’t find out how Buddy talks to my cluster. I looked through all service accounts and was digging through log files for quite some time. Nothing.

My cluster has RBAC enabled (=Legacy authorization: Disabled)

With a cluster that still uses legacy authorization, it works fine. But obviously, legacy authorization is nothing one wants in production.

The cluster is recognized just fine (sparing you the details for privacy reasons)

But refreshing the namespaces does not work with RBAC enabled clusters:

I am fine with creating an RBAC file, although I am not keen on that boring task. But currently I am stuck and can’t even find out how Buddy is authenticating at all. I hope this is not some crazy gcloud wrapping magic?!

Ideas anyone?

Cheers

Dan


#2

Further research showed me that the authorization from Buddy towards my Google account is account-wide, visible at https://myaccount.google.com/security#connectedapps

Now the question remains, what service account does this represent in the GKE clusters? What entity to grant the RBAC privileges to?
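
For reference, a least-privilege RBAC manifest of the kind the two posts above are working towards. It is an added example, not part of the original posts and not Buddy's documented requirements. It assumes the "Kubernetes Set Image" action behaves like `kubectl set image` on a Deployment (get and patch) and that refreshing namespaces needs a cluster-wide list of namespaces; the role names, the `my-app` namespace and the subject are placeholders, since the thread does not establish which identity Buddy presents to the cluster.

```yaml
# Added example. All names, the namespace and the subject are placeholders.
# Cluster-scoped: read-only access to namespaces (assumed need for the
# "refresh namespaces" step).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ci-namespace-reader
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ci-namespace-reader
subjects:
  - kind: User                      # assumption: could also be a ServiceAccount
    name: "REPLACE_WITH_CI_IDENTITY"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ci-namespace-reader
  apiGroup: rbac.authorization.k8s.io
---
# Namespaced: only what an image update on a Deployment needs
# (assumed equivalent to `kubectl set image deployment/...`).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ci-set-image
  namespace: my-app
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-set-image
  namespace: my-app
subjects:
  - kind: User
    name: "REPLACE_WITH_CI_IDENTITY"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ci-set-image
  apiGroup: rbac.authorization.k8s.io
```

Once the subject is known, `kubectl auth can-i patch deployments -n my-app --as=<identity>` confirms the binding without running a pipeline.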


#3

Hi, I just got stuck on this too. Did you figure it out? Thanks


#4

Facing exactly the same problem. Has the team figured out the solution yet?


#5

Guys, we’re going to add a possibility to connect through “Cluster username and password” on May 29th (Tuesday).
The Cluster certificate (Legacy Authorization) will be optional, though.

Also, in about a month we’re going to add a possibility to authorize with the Service Account.

If you have any other suggestions on how this could be improved, just drop us a line! 🙂