Kubernetes is a powerful tool; ensure you use it securely by following our recommendations.
Define the minimum set of privileges for Workflows by granting only those privileges and permissions to the workflow used to manage Kubernetes resources only the minimum permissions needed.
For more information on Workflows permissions, see Set up Kubernetes Connector.
Change ownership of a workflow from an individual user to a group if you want more people to access the workflow. You can change the ownership of a workflow using Ownership. By changing the ownership of a workflow to a group, all group members can access the workflow, depending on their permissions.
A newly created workflow is always private. Only the person who made it can access it.
For more information on the owner concept of a workflow, see User permissions for workflows.
Deploy different EdgeConnects for different use cases.
Imagine that different teams are responsible for managing different parts of Kubernetes. If you create a dedicated EdgeConnect for each team, you can use Kubernetes Role-based access control to grant each team the minimum permissions required to achieve their use case.
Ensure the Role
/ClusterRole
permissions are sufficient for your workflow tasks. Whether you create a Role
or ClusterRole
depends on which resources you're trying to access.
For instance, you would create a Role
if you need to manage resources within a specific namespace.
However, if you need to manage resources across the entire cluster, you would make a ClusterRole
.
If resources inside the namespace my-service
should be accessed by the Kubernetes Automation
workflow actions, a RoleBinding
for the created role must exist in the namespace my-service
.
Meanwhile, the ServiceAccount
and EdgeConnect
deployments can be placed in a different namespace, such as dynatrace
.
To grant the permissions defined in the Role
/ClusterRole
to the ServiceAccount
, you need to specify a RoleBinding
/ClusterRoleBinding
.
Here are two examples of how you can use Role
/ClusterRole
definitions together with RoleBinding
/ClusterRoleBinding
.
Role
and RoleBinding
ClusterRole
and ClusterRoleBinding
Role
and RoleBinding
To create a role that allows pods to be managed in the myservice
namespace, use the following configuration:
# This is a role definition for this specific example. Adjust it to your needs.apiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata:namespace: myservicename: pod-managerrules:- apiGroups: [""]resources: ["pods"]verbs: ["get", "list", "watch", "create", "delete"]
To bind this role to a user, use the following configuration:
# This is a role-binding definition for this specific example. Adjust it to your needs.apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:name: bind-pod-managernamespace: myservicesubjects:- kind: Username: your-usernameapiGroup: ""roleRef:kind: Rolename: pod-managerapiGroup: ""
With this configuration, the role is limited to this specific namespace, and the pods can't be accessed in other namespaces or cluster-wide resources such as nodes.
ClusterRole
and ClusterRoleBinding
Use the ClusterRole
carefully, and only if it is required.
To create a cluster role that allows viewing a cluster-wide resource, nodes in this example, across the entire cluster, use the following configuration:
# This is a cluster-role definition for this specific example. Adjust it to your needs.apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:name: node-viewerrules:- apiGroups: [""]resources: ["nodes"]verbs: ["get", "list", "watch"]
To bind this cluster role to a user, use the following configuration:
# This is a cluster-role binding definition for this specific example. Adjust it to your needs.apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata:name: bind-node-viewersubjects:- kind: Username: your-usernameapiGroup: ""roleRef:kind: ClusterRolename: node-viewerapiGroup: ""