
How to get admin access to multiple namespaces on Kubernetes?


I have an application that has two parts: one deployer and the application runtime environment. The deployer needs to have access to different namespaces to be able to launch, edit and delete the application deployments, svc, configmaps, etc.

I first launch the deployer via a helm chart and then the deployer exposes some APIs to manage the application (launch, edit, delete).

My question is how to write the ClusterRole for my deployer that can only have access to a set of pre-created namespaces without giving it full cluster access (deployer should not be able to create, edit or delete namespaces). OR I have to create one Role for each of those namespaces and add them to the Helm chart of the deployer before installing it?


Solution

  • You can create a ClusterRole that will describe what the role can do. Then create a RoleBinding in each namespace you want the role user to have the privileges. Here is a nice example from the documentation:

    A RoleBinding can also reference a ClusterRole to grant the permissions defined in that ClusterRole to resources inside the RoleBinding's namespace. This kind of reference lets you define a set of common roles across your cluster, then reuse them within multiple namespaces.

    For instance, even though the following RoleBinding refers to a ClusterRole, "dave" (the subject, case sensitive) will only be able to read Secrets in the "development" namespace, because the RoleBinding's namespace (in its metadata) is "development".

    apiVersion: rbac.authorization.k8s.io/v1
    # This role binding allows "dave" to read secrets in the "development" namespace.
    # You need to already have a ClusterRole named "secret-reader".
    kind: RoleBinding
    metadata:
      name: read-secrets
      #
      # The namespace of the RoleBinding determines where the permissions are granted.
      # This only grants permissions within the "development" namespace.
      namespace: development
    subjects:
    - kind: User
      name: dave # Name is case sensitive
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: secret-reader
      apiGroup: rbac.authorization.k8s.io
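Applied to the deployer in the question, the pattern is one ClusterRole (the verbs and namespaced resources the deployer needs, and nothing cluster-scoped such as namespaces) plus one RoleBinding per pre-created namespace. The following is an added example, not code from the question, the answer or the Kubernetes documentation: it generates those manifests and includes a small evaluator that mimics how the RBAC authorizer matches a RoleBinding and its ClusterRole rules, so the resulting scope can be checked offline before anything is applied. The names `deployer-ns`, `app-deployer`, `team-a` and `team-b` are assumed for illustration; the evaluator is simplified (RoleBindings only, no ClusterRoleBindings, no resourceNames) and is not the real authorizer.

```python
"""Added example: a ClusterRole for a deployer plus one RoleBinding per namespace,
with a simplified RBAC evaluator to verify the resulting scope. All names below are
assumed for illustration."""
import json

# Assumed names (not from the original question or answer)
DEPLOYER_NAMESPACE = "deployer-ns"          # where the deployer itself runs
DEPLOYER_SA = "app-deployer"                # ServiceAccount the deployer uses
TARGET_NAMESPACES = ["team-a", "team-b"]    # pre-created namespaces it may manage

ALL_WRITE = ["get", "list", "watch", "create", "update", "patch", "delete"]


def deployer_cluster_role(name="app-deployer"):
    """ClusterRole listing only the namespaced kinds the deployer manages.
    It deliberately grants nothing on 'namespaces' or other cluster-scoped kinds,
    so a RoleBinding to it can never let the deployer create or delete namespaces."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": name},
        "rules": [
            {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ALL_WRITE},
            {"apiGroups": [""], "resources": ["services", "configmaps"], "verbs": ALL_WRITE},
            {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        ],
    }


def role_binding(namespace, cluster_role, sa_name, sa_namespace):
    """RoleBinding in `namespace` referencing the ClusterRole. As in the documented
    example, the binding's metadata.namespace is what scopes the permissions."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": f"{cluster_role}-binding", "namespace": namespace},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_namespace}],
        "roleRef": {"kind": "ClusterRole", "name": cluster_role,
                    "apiGroup": "rbac.authorization.k8s.io"},
    }


def build_manifests(namespaces=TARGET_NAMESPACES):
    """One ClusterRole plus one RoleBinding for every target namespace."""
    cr = deployer_cluster_role()
    return [cr] + [role_binding(ns, cr["metadata"]["name"], DEPLOYER_SA, DEPLOYER_NAMESPACE)
                   for ns in namespaces]


def render(manifests):
    """YAML is a superset of JSON, so `kubectl apply -f` accepts this output as-is."""
    return "\n---\n".join(json.dumps(m, indent=2) for m in manifests)


def _rule_matches(rule, api_group, resource, verb):
    # Mirrors the core RBAC rule test: group, resource and verb must all match ("*" wildcard).
    return ((api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (resource in rule["resources"] or "*" in rule["resources"])
            and (verb in rule["verbs"] or "*" in rule["verbs"]))


def can_i(manifests, sa_name, sa_namespace, verb, resource, api_group="", namespace=None):
    """Simplified check: allowed only if a RoleBinding in `namespace` names the service
    account and its referenced ClusterRole has a matching rule. A cluster-scoped request
    (namespace=None) cannot be satisfied by any RoleBinding, so it is denied."""
    if namespace is None:
        return False
    roles = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "ClusterRole"}
    for m in manifests:
        if m["kind"] != "RoleBinding" or m["metadata"]["namespace"] != namespace:
            continue
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s["namespace"] == sa_namespace for s in m["subjects"]):
            continue
        role = roles.get(m["roleRef"]["name"])
        if role and any(_rule_matches(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    print(render(build_manifests()))
```

For a Helm chart, the same shape maps onto a `range` over a `namespaces` list in values to emit one RoleBinding per entry; adding a namespace later only needs a new RoleBinding, not a change to the ClusterRole. On a live cluster the equivalent check is `kubectl auth can-i <verb> <resource> -n <namespace> --as=system:serviceaccount:<sa-namespace>:<sa-name>`.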