The rbac-builder reads a configuration YAML file and converts it into Robusta's RBAC rules.
In it, you specify the account_id, scopes and groups.
On each execution, the rbac-builder deletes all the existing scopes and groups for the account
and creates new ones according to the provided configuration.
This is a configuration example (the file can be found under config/definitions.yaml):
```yaml
account_id: 6c2cbf41-c7b5-48ab-9777-76d320b985d4 # UUID
scopes:
  - name: scope-1
    type: namespace
    clusters:
      cl1: ["*"]
      cl2: ["default", "kube-system"]
  - name: scope-2
    type: cluster
    clusters:
      cl3: ["*"]
      cl4: ["*"]
groups:
  - name: dev-us-xyz
    provider_group_id: ea50b713-93c0-45d3-a87d-de253c06db0a # UUID
    type: namespace
    permissions: ["POD_LOGS", "METRICS_VIEW", "JOB_DELETE"]
    scopes: ["scope-1"]
  - name: dev-eu-ttt
    provider_group_id: 233bd8f0-60a7-4cbc-b151-b109c3308b07 # UUID
    type: cluster
    permissions: ["CLUSTER_DELETE", "POPEYE_SCAN"]
    scopes: ["scope-1", "scope-2"]
```
To run this, you'll need to provide environment variables with the DB access parameters.
Use the same credentials as the platform-relay service:
```
STORE_API_KEY=eyJ...
STORE_PASSWORD=e...
STORE_URL=https://...
STORE_USER=apiuser-stgrobustarelay@robusta.dev
```
If you're using self-signed certificates, add them using CERTIFICATE (the same way it's added to the platform-relay service).
## Scopes
Each scope has a type field that must be cluster or namespace.
- cluster scope: the scope covers the entire cluster (all namespaces). Each cluster scope must be in the format `cluster-name: ["*"]`.
- namespace scope: the scope covers a set of namespaces within a cluster. The format of a namespace scope is `cluster-name: ["ns1", "ns2"]`. You can also define a namespace scope on all namespaces of a cluster: `cluster-name: ["*"]`.
## Groups
Each group has a type field that must be cluster or namespace.
- cluster groups can only be applied to scopes with type cluster.
- namespace groups can be applied to scopes of either type.
Every group has a set of permissions. These are the actual actions the user will be allowed to perform.
There are default permissions, which are granted to every group:
- namespace groups: APP_VIEW, JOB_VIEW, TIMELINE_VIEW
- cluster groups: APP_VIEW, JOB_VIEW, TIMELINE_VIEW, NODE_VIEW, CLUSTER_VIEW
namespace groups can additionally be assigned any of the following permissions:
APP_RESTART, JOB_DELETE, POD_LOGS, POD_DELETE, KRR_VIEW, POPEYE_VIEW, METRICS_VIEW, HOLMES_INVESTIGATE
cluster groups can additionally be assigned any of the following permissions:
APP_RESTART, JOB_DELETE, POD_LOGS, POD_DELETE, METRICS_VIEW, NODE_DRAIN, NODE_CORDON, NODE_UNCORDON, CLUSTER_DELETE, KRR_SCAN, KRR_VIEW, POPEYE_VIEW, POPEYE_SCAN, ALERT_CONFIG_EDIT, ALERT_CONFIG_VIEW, SILENCES_VIEW, SILENCES_EDIT, HOLMES_INVESTIGATE, HOLMES_CHAT, HOLMES_CUSTOMIZE
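Because each run first deletes every scope and group of the account, a definitions file with a wrong type, an unknown scope or a permission that does not exist for the group type is worth catching before it is applied. The following is an added example, not part of the rbac-builder project: a small pre-flight validator that enforces the rules from the Scopes and Groups sections on a parsed definitions file; it assumes the dictionary shape of the YAML above, and the SAMPLE data (placeholder UUIDs) is constructed and deliberately contains two violations.

```python
import re
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# Optional (non-default) permissions per group type, as listed in the Groups section.
NS_EXTRA = {"APP_RESTART", "JOB_DELETE", "POD_LOGS", "POD_DELETE", "KRR_VIEW",
            "POPEYE_VIEW", "METRICS_VIEW", "HOLMES_INVESTIGATE"}
CLUSTER_EXTRA = NS_EXTRA | {"NODE_DRAIN", "NODE_CORDON", "NODE_UNCORDON", "CLUSTER_DELETE",
                            "KRR_SCAN", "POPEYE_SCAN", "ALERT_CONFIG_EDIT", "ALERT_CONFIG_VIEW",
                            "SILENCES_VIEW", "SILENCES_EDIT", "HOLMES_CHAT", "HOLMES_CUSTOMIZE"}
ALLOWED = {"namespace": NS_EXTRA, "cluster": CLUSTER_EXTRA}

def validate(defs):
    """Return the rule violations found in a parsed definitions.yaml (empty list = OK)."""
    errors = []
    if not UUID_RE.match(str(defs.get("account_id", ""))):
        errors.append("account_id must be a UUID")
    scope_types = {}  # scope name -> type, used to check group bindings below
    for s in defs.get("scopes", []):
        name, stype = s.get("name"), s.get("type")
        if stype not in ALLOWED:
            errors.append(f"scope {name}: type must be cluster or namespace")
        for cluster, nss in s.get("clusters", {}).items():
            if stype == "cluster" and nss != ["*"]:  # cluster scopes are always cluster-wide
                errors.append(f'scope {name}/{cluster}: cluster scope must be ["*"]')
        scope_types[name] = stype
    for g in defs.get("groups", []):
        name, gtype = g.get("name"), g.get("type")
        if not UUID_RE.match(str(g.get("provider_group_id", ""))):
            errors.append(f"group {name}: provider_group_id must be a UUID")
        if gtype not in ALLOWED:
            errors.append(f"group {name}: type must be cluster or namespace")
            continue
        for p in sorted(set(g.get("permissions", [])) - ALLOWED[gtype]):
            errors.append(f"group {name}: {p} is not a valid {gtype} permission")
        for ref in g.get("scopes", []):
            if ref not in scope_types:
                errors.append(f"group {name}: unknown scope {ref}")
            elif gtype == "cluster" and scope_types[ref] != "cluster":
                errors.append(f"group {name}: cluster group cannot use namespace scope {ref}")
    return errors

# Constructed sample (placeholder UUIDs): one bad permission, one bad scope binding.
SAMPLE = {"account_id": "00000000-0000-4000-8000-000000000001",
    "scopes": [{"name": "scope-1", "type": "namespace", "clusters": {"cl1": ["default"]}},
               {"name": "scope-2", "type": "cluster", "clusters": {"cl2": ["*"]}}],
    "groups": [{"name": "ns-devs", "type": "namespace", "scopes": ["scope-1"],
                "provider_group_id": "00000000-0000-4000-8000-000000000002",
                "permissions": ["POD_LOGS", "NODE_DRAIN"]},
               {"name": "admins", "type": "cluster", "scopes": ["scope-1", "scope-2"],
                "provider_group_id": "00000000-0000-4000-8000-000000000003",
                "permissions": ["CLUSTER_DELETE"]}]}
```

Pass it the result of `yaml.safe_load` (PyYAML) on config/definitions.yaml; a non-empty list means the file should not be handed to the builder.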
Use skaffold to build and push. The tag is derived from the input digest, so each build gets a unique tag.
On Apple M1/M2 (uses build_on_apple_m1.sh via the apple-m1-dev profile):
```bash
skaffold build -p apple-m1-dev
```
On other platforms:
```bash
skaffold build
```
The job runs inside the Robusta on-premise cluster in the default namespace (where Kong is), and reads credentials from the existing db-secret.
Edit config/rbac-builder-job.yaml to set ACCOUNT_NAME, then run:
```bash
./k8s/run-job.sh
```
This script creates/updates the rbac-definitions ConfigMap from config/test-definitions.yaml, deletes any existing job, and applies the job. To follow the logs:
```bash
kubectl logs -l job-name=rbac-builder -n default -f
```
To run the same steps manually:
Step 1 — create a ConfigMap from your definitions file:
```bash
kubectl create configmap rbac-definitions \
  --from-file=definitions.yaml=./config/definitions.yaml \
  -n default
```
Step 2 — set ACCOUNT_NAME in k8s/rbac-builder-job.yaml, then apply:
```bash
kubectl apply -f k8s/rbac-builder-job.yaml
```
Step 3 — check the logs:
```bash
kubectl logs -l job-name=rbac-builder -n default -f
```
The job cleans itself up 3 minutes after completion (ttlSecondsAfterFinished: 180). To rerun it manually, delete the existing job first:
```bash
kubectl delete job rbac-builder -n default
```