RBAC roles and rolebindings for k8s actions

danrl · 2018-02-03 19:53:27 UTC

Hi everyone,

Has anyone figured out how Buddy communicates with a GKE cluster during setup and execution of the “Kubernetes Set Image” action? I am trying to create a RBAC profile but I can’t find out how Buddy talks to my cluster. Looked through all service accounts and was digging through log files for quite some time. Nothing.

My cluster has RBAC enabled (=Legacy authorization: Disabled)

With a cluster that still uses legacy authorization, it works fine. But obviously, legacy authorization is nothing one wants in production.

The cluster is recognized just fine (sparing you the details for privacy reasons)

But refreshing the namespaces does not work with RBAC enabled clusters:

I am fine with creating an RBAc file, although I am not keen on that boring task. But I currently I am stuck and can’t even find out how Buddy is authenticating at all. I hope this is not some crazy gcloud wrapping magic?!

Ideas anyone?

Cheers

Dan

danrl · 2018-02-04 11:01:01 UTC

Further research showed me that the authorization from Buddy towards my Google account is an account-wide, visible at https://myaccount.google.com/security#connectedapps

Now the question remains, what service account does this represent in the GKE clusters? What entity to grant the RBAC privileges too?

jirizavadil · 2018-03-17 22:32:48 UTC

Hi, I just got stuck on this too. Did you figure it out? Thanks

mixth · 2018-05-24 04:09:44 UTC

Facing exactly the same problem. Have the team figured the solution yet?

Octavia · 2018-05-25 08:20:00 UTC

Guys, we’re going to add a possibility to connect through “Cluster username and password” on May 29th (Tuesday).
The Cluster certificate (Legacy Authorization) will be optional, though.

Also, in about a month we’re going to add a possibility to authorize with the Service Account.

If you have any other suggestions how this could be improved, just drop us a line!