Kubernetes Permissions for the Armory Agent
Early Access
The information below is written for an Early Access feature. Contact us if you are interested in using this feature! Your feedback will help shape the development of this feature.Do not use Early Access features for production environments.
Permissions
The Agent can use a kubeconfig file loaded as a Kubernetes secret when deploying to a remote cluster. Also, you can configure Agent permissions using a Kubernetes Service Account when deploying to the cluster the Agent resides in.
The Agent should have ClusterRole authorization if you need to deploy pods across your cluster or Role authorization if you deploy pods only to a single namespace.
- If Agent is running in Agent Mode, then the
ClusterRoleorRoleis the one attached to the Kubernetes Service Account mounted by the Agent pod. - If Agent is running in any of the other modes, then the
ClusterRoleorRoleis the one thekubeconfigFileuses to interact with the target cluster.kubeconfigFileis configured inkubesvc.ymlof the Agent pod.
Example configuration for deploying Pod manifests:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: agent-role
rules:
- apiGroups: ""
resources:
- pods
- pods/log
- pods/finalizers
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: agent-role
rules:
- apiGroups: ""
resources:
- pods
- pods/log
- pods/finalizers
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
See the Quickstart’s Configure permissions section for a complete example that uses ClusterRole, ClusterRoleBinding, and ServiceAccount.
See the Kubernetes Using RBAC Authorization guide for details on configuring ClusterRole and Role authorization.
Feedback
Was this page helpful?
Thank you for letting us know!
Sorry to hear that. Please tell us how we can improve.
Last modified July 14, 2021: (46d0913)