
Restricting Agent Access

By default, the Prodvana Agent is installed with the cluster-admin permission, ensuring it can manage any resources on the cluster. This is the recommended security model. If you need Prodvana not to have access to certain resources, it is better to isolate those resources at a cluster and/or VPC level.

Advanced Configurations

This documentation covers an advanced use case and is not recommended for most users who are not already familiar with the Kubernetes RBAC model.

It is possible to restrict Prodvana Agent access within a cluster. However, if permissions are not configured correctly, some parts of Prodvana may not work, and Prodvana will not be able to manage certain resources in certain namespaces.

Restricting Access

  1. Link the Runtime as you normally would. Skip this step if you already have the Runtime linked.
  2. Delete the clusterrolebinding prodvana-access:
     kubectl delete clusterrolebinding prodvana-access
  3. Create new roles/cluster roles and bindings for the Agent.

Minimum Permissions Needed

The following permissions are needed as a clusterrole.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prodvana-agent
rules:
  # allow prodvana to perform health checks
  - nonResourceURLs: ['/healthz', '/healthz/*', '/livez/ping']
    verbs: ['get']
  - apiGroups: ['']
    resources: ['namespaces']
    verbs: ['get', 'list', 'watch']

Additionally, the following permissions are needed for any namespace that Prodvana manages. This can be specified as either a clusterrole or a role.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prodvana-agent
rules:
  - apiGroups: ['']
    resources: ['pods', 'pods/log']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['apps']
    resources: ['replicasets']
    verbs: ['get', 'list', 'watch']

Lastly, you must give the Agent admin access to the prodvana namespace, where it lives.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prodvana-agent-namespace-access
  namespace: prodvana
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: prodvana
    namespace: prodvana

Examples

Restricting Access to Certain Namespaces

To restrict access to certain namespaces, create a clusterrole with the minimum permissions documented above and a role for each namespace Prodvana should be able to manage. You are responsible for creating the namespace and the role inside that namespace. See our documentation for how to configure your Release Channel to deploy to a specific namespace.

# minimum global permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prodvana-agent
rules:
  - nonResourceURLs: ['/healthz', '/healthz/*', '/livez/ping']
    verbs: ['get']
  - apiGroups: ['']
    resources: ['namespaces']
    verbs: ['get', 'list', 'watch']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prodvana-agent-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prodvana-agent
subjects:
  - kind: ServiceAccount
    name: prodvana
    namespace: prodvana
---
# give admin on the prodvana namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prodvana-agent-namespace-access
  namespace: prodvana
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: prodvana
    namespace: prodvana
---
# give admin within specific namespaces
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prodvana-agent-namespace-access
  namespace: my-namespace  # replace accordingly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: prodvana
    namespace: prodvana
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prodvana-agent-namespace-access
  namespace: my-other-namespace  # replace accordingly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: prodvana
    namespace: prodvana

Restricting Global Access to Certain Resources

To restrict access to certain resources globally, create a clusterrole. This can be useful, e.g., to allow Prodvana to manage deployments but not allow access to secret objects.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prodvana-agent
rules:
  # minimum permissions required
  - nonResourceURLs: ['/healthz', '/healthz/*', '/livez/ping']
    verbs: ['get']
  - apiGroups: ['']
    resources: ['namespaces']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['']
    resources: ['pods', 'pods/log']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['apps']
    resources: ['replicasets']
    verbs: ['get', 'list', 'watch']
  # custom permissions
  - apiGroups: ['']
    resources: ['services', 'configmaps']
    verbs: ['*']
  - apiGroups: ['apps']
    resources: ['deployments']
    verbs: ['*']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prodvana-agent-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prodvana-agent
subjects:
  - kind: ServiceAccount
    name: prodvana
    namespace: prodvana
---
# give admin on the prodvana namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prodvana-agent-namespace-access
  namespace: prodvana
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: prodvana
    namespace: prodvana
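
An added example (not Prodvana's code) that models how RBAC evaluates the ClusterRole above, so you can confirm before applying it that secrets stay out of reach and the intended resources are covered. The matcher is a simplified model of the API server's rule matching; resource names are compared literally, so a singular spelling such as configmap grants nothing.

```python
# Added example: simplified model of Kubernetes RBAC rule matching (not the
# API server's code). RULES mirrors the ClusterRole shown in this section.
RULES = [
    {"nonResourceURLs": ["/healthz", "/healthz/*", "/livez/ping"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["replicasets"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["services", "configmaps"], "verbs": ["*"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
]


def _has(values, wanted):
    """True if the rule's list holds the wildcard or the exact value."""
    return "*" in values or wanted in values


def allows_resource(rules, verb, group, resource):
    """resource is a plural name ('pods') or a subresource ('pods/log')."""
    sub = resource.partition("/")[2]
    for rule in rules:
        res = rule.get("resources", [])
        res_ok = _has(res, resource) or (sub != "" and "*/" + sub in res)
        if res_ok and _has(rule["verbs"], verb) and _has(rule.get("apiGroups", []), group):
            return True
    return False


def allows_url(rules, verb, path):
    """Non-resource URLs match exactly, or by prefix when the rule ends in '*'."""
    for rule in rules:
        for pat in rule.get("nonResourceURLs", []):
            hit = pat in ("*", path) or (pat.endswith("*") and path.startswith(pat.rstrip("*")))
            if hit and _has(rule["verbs"], verb):
                return True
    return False


def audit(rules):
    """Probe requests a reviewer would check; returns {(verb, group, resource): allowed}."""
    probes = [("get", "", "secrets"), ("delete", "apps", "deployments"),
              ("update", "", "configmaps"), ("update", "", "configmap"),
              ("get", "", "pods/log"), ("create", "", "pods/exec")]
    return {p: allows_resource(rules, *p) for p in probes}


if __name__ == "__main__":
    for probe, ok in audit(RULES).items():
        print("allow" if ok else "deny ", probe)
```

Against a live cluster, the authoritative check is `kubectl auth can-i get secrets --as=system:serviceaccount:prodvana:prodvana`, which asks the API server itself.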