RBAC roles and rolebindings for k8s actions

danrl 2018-02-03 19:53:27 UTC #1

Hi everyone,

Has anyone figured out how Buddy communicates with a GKE cluster during setup and execution of the “Kubernetes Set Image” action? I am trying to create a RBAC profile but I can’t find out how Buddy talks to my cluster. Looked through all service accounts and was digging through log files for quite some time. Nothing.

My cluster has RBAC enabled (=Legacy authorization: Disabled)

With a cluster that still uses legacy authorization, it works fine. But obviously, legacy authorization is nothing one wants in production.

The cluster is recognized just fine (sparing you the details for privacy reasons)

But refreshing the namespaces does not work with RBAC enabled clusters:

I am fine with creating an RBAc file, although I am not keen on that boring task. But I currently I am stuck and can’t even find out how Buddy is authenticating at all. I hope this is not some crazy gcloud wrapping magic?!

Ideas anyone?

Cheers

Dan

danrl 2018-02-04 11:01:01 UTC #2

Further research showed me that the authorization from Buddy towards my Google account is an account-wide, visible at https://myaccount.google.com/security#connectedapps

Now the question remains, what service account does this represent in the GKE clusters? What entity to grant the RBAC privileges too?

jirizavadil 2018-03-17 22:32:48 UTC #3

Hi, I just got stuck on this too. Did you figure it out? Thanks