DevFW-CICD/ingress-nginx-helm
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ingress-nginx-helm/deploy/rbac/index.html
Travis Bot d680fbc4ae Deploy GitHub Pages
2019-05-26 08:06:36 +00:00

1406 lines
No EOL
35 KiB
HTML
Raw Blame History

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="lang:clipboard.copy" content="Copy to clipboard">
<meta name="lang:clipboard.copied" content="Copied to clipboard">
<meta name="lang:search.language" content="en">
<meta name="lang:search.pipeline.stopwords" content="True">
<meta name="lang:search.pipeline.trimmer" content="True">
<meta name="lang:search.result.none" content="No matching documents">
<meta name="lang:search.result.one" content="1 matching document">
<meta name="lang:search.result.other" content="# matching documents">
<meta name="lang:search.tokenizer" content="[\s\-]+">
<link rel="shortcut icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.0.2">
<title>Role Based Access Control (RBAC) - NGINX Ingress Controller</title>
<link rel="stylesheet" href="../../assets/stylesheets/application.982221ab.css">
<link rel="stylesheet" href="../../assets/stylesheets/application-palette.224b79ff.css">
<meta name="theme-color" content="#009688">
<script src="../../assets/javascripts/modernizr.1f0bcf2b.js"></script>
<link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700|Roboto+Mono">
<style>body,input{font-family:"Roboto","Helvetica Neue",Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono","Courier New",Courier,monospace}</style>
<link rel="stylesheet" href="../../assets/fonts/material-icons.css">
<link rel="stylesheet" href="../../extra.css">
<script>
window.ga = window.ga || function() {
(ga.q = ga.q || []).push(arguments)
}
ga.l = +new Date
/* Setup integration and send page view */
ga("create", "UA-118407822-1", "kubernetes.github.io")
ga("set", "anonymizeIp", true)
ga("send", "pageview")
/* Register handler to log search on blur */
document.addEventListener("DOMContentLoaded", () => {
if (document.forms.search) {
var query = document.forms.search.query
query.addEventListener("blur", function() {
if (this.value) {
var path = document.location.pathname;
ga("send", "pageview", path + "?q=" + this.value)
}
})
}
})
</script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
</head>
<body dir="ltr" data-md-color-primary="teal" data-md-color-accent="green">
<svg class="md-svg">
<defs>
<svg xmlns="http://www.w3.org/2000/svg" width="416" height="448"
viewBox="0 0 416 448" id="__github">
<path fill="currentColor" d="M160 304q0 10-3.125 20.5t-10.75 19-18.125
8.5-18.125-8.5-10.75-19-3.125-20.5 3.125-20.5 10.75-19 18.125-8.5
18.125 8.5 10.75 19 3.125 20.5zM320 304q0 10-3.125 20.5t-10.75
19-18.125 8.5-18.125-8.5-10.75-19-3.125-20.5 3.125-20.5 10.75-19
18.125-8.5 18.125 8.5 10.75 19 3.125 20.5zM360
304q0-30-17.25-51t-46.75-21q-10.25 0-48.75 5.25-17.75 2.75-39.25
2.75t-39.25-2.75q-38-5.25-48.75-5.25-29.5 0-46.75 21t-17.25 51q0 22 8
38.375t20.25 25.75 30.5 15 35 7.375 37.25 1.75h42q20.5 0
37.25-1.75t35-7.375 30.5-15 20.25-25.75 8-38.375zM416 260q0 51.75-15.25
82.75-9.5 19.25-26.375 33.25t-35.25 21.5-42.5 11.875-42.875 5.5-41.75
1.125q-19.5 0-35.5-0.75t-36.875-3.125-38.125-7.5-34.25-12.875-30.25-20.25-21.5-28.75q-15.5-30.75-15.5-82.75
0-59.25 34-99-6.75-20.5-6.75-42.5 0-29 12.75-54.5 27 0 47.5 9.875t47.25
30.875q36.75-8.75 77.25-8.75 37 0 70 8 26.25-20.5
46.75-30.25t47.25-9.75q12.75 25.5 12.75 54.5 0 21.75-6.75 42 34 40 34
99.5z" />
</svg>
</defs>
</svg>
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
<a href="#role-based-access-control-rbac" tabindex="1" class="md-skip">
Skip to content
</a>
<header class="md-header" data-md-component="header">
<nav class="md-header-nav md-grid">
<div class="md-flex">
<div class="md-flex__cell md-flex__cell--shrink">
<a href="../.." title="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<i class="md-icon">public</i>
</a>
</div>
<div class="md-flex__cell md-flex__cell--shrink">
<label class="md-icon md-icon--menu md-header-nav__button" for="__drawer"></label>
</div>
<div class="md-flex__cell md-flex__cell--stretch">
<div class="md-flex__ellipsis md-header-nav__title" data-md-component="title">
<span class="md-header-nav__topic">
NGINX Ingress Controller
</span>
<span class="md-header-nav__topic">
Role Based Access Control (RBAC)
</span>
</div>
</div>
<div class="md-flex__cell md-flex__cell--shrink">
<label class="md-icon md-icon--search md-header-nav__button" for="__search"></label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<label class="md-icon md-search__icon" for="__search"></label>
<button type="reset" class="md-icon md-search__icon" data-md-component="reset" tabindex="-1">
&#xE5CD;
</button>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="result">
<div class="md-search-result__meta">
Type to start searching
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="md-flex__cell md-flex__cell--shrink">
<div class="md-header-nav__source">
<a href="https://github.com/kubernetes/ingress-nginx/" title="Go to repository" class="md-source" data-md-source="github">
<div class="md-source__icon">
<svg viewBox="0 0 24 24" width="24" height="24">
<use xlink:href="#__github" width="24" height="24"></use>
</svg>
</div>
<div class="md-source__repository">
kubernetes/ingress-nginx
</div>
</a>
</div>
</div>
</div>
</nav>
</header>
<div class="md-container">
<nav class="md-tabs md-tabs--active" data-md-component="tabs">
<div class="md-tabs__inner md-grid">
<ul class="md-tabs__list">
<li class="md-tabs__item">
<a href="../.." title="Welcome" class="md-tabs__link">
Welcome
</a>
</li>
<li class="md-tabs__item">
<a href="../" title="Deployment" class="md-tabs__link md-tabs__link--active">
Deployment
</a>
</li>
<li class="md-tabs__item">
<a href="../../user-guide/nginx-configuration/" title="User guide" class="md-tabs__link">
User guide
</a>
</li>
<li class="md-tabs__item">
<a href="../../examples/" title="Examples" class="md-tabs__link">
Examples
</a>
</li>
</ul>
</div>
</nav>
<main class="md-main">
<div class="md-main__inner md-grid" data-md-component="container">
<div class="md-sidebar md-sidebar--primary" data-md-component="navigation">
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" data-md-level="0">
<label class="md-nav__title md-nav__title--site" for="__drawer">
<a href="../.." title="NGINX Ingress Controller" class="md-nav__button md-logo">
<i class="md-icon">public</i>
</a>
NGINX Ingress Controller
</label>
<div class="md-nav__source">
<a href="https://github.com/kubernetes/ingress-nginx/" title="Go to repository" class="md-source" data-md-source="github">
<div class="md-source__icon">
<svg viewBox="0 0 24 24" width="24" height="24">
<use xlink:href="#__github" width="24" height="24"></use>
</svg>
</div>
<div class="md-source__repository">
kubernetes/ingress-nginx
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-1" type="checkbox" id="nav-1">
<label class="md-nav__link" for="nav-1">
Welcome
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="1">
<label class="md-nav__title" for="nav-1">
Welcome
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../.." title="Welcome" class="md-nav__link">
Welcome
</a>
</li>
<li class="md-nav__item">
<a href="../../how-it-works/" title="How it works" class="md-nav__link">
How it works
</a>
</li>
<li class="md-nav__item">
<a href="../../troubleshooting/" title="Troubleshooting" class="md-nav__link">
Troubleshooting
</a>
</li>
<li class="md-nav__item">
<a href="../../kubectl-plugin/" title="kubectl plugin" class="md-nav__link">
kubectl plugin
</a>
</li>
<li class="md-nav__item">
<a href="../../development/" title="Development" class="md-nav__link">
Development
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-2" type="checkbox" id="nav-2" checked>
<label class="md-nav__link" for="nav-2">
Deployment
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="1">
<label class="md-nav__title" for="nav-2">
Deployment
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../" title="Installation Guide" class="md-nav__link">
Installation Guide
</a>
</li>
<li class="md-nav__item">
<a href="../baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-toggle md-nav__toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Role Based Access Control (RBAC)
</label>
<a href="./" title="Role Based Access Control (RBAC)" class="md-nav__link md-nav__link--active">
Role Based Access Control (RBAC)
</a>
<nav class="md-nav md-nav--secondary">
<label class="md-nav__title" for="__toc">Table of contents</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#overview" title="Overview" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="#service-accounts-created-in-this-example" title="Service Accounts created in this example" class="md-nav__link">
Service Accounts created in this example
</a>
</li>
<li class="md-nav__item">
<a href="#permissions-granted-in-this-example" title="Permissions Granted in this example" class="md-nav__link">
Permissions Granted in this example
</a>
<nav class="md-nav">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#cluster-permissions" title="Cluster Permissions" class="md-nav__link">
Cluster Permissions
</a>
</li>
<li class="md-nav__item">
<a href="#namespace-permissions" title="Namespace Permissions" class="md-nav__link">
Namespace Permissions
</a>
</li>
<li class="md-nav__item">
<a href="#bindings" title="Bindings" class="md-nav__link">
Bindings
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../validating-webhook/" title="Validating Webhook (admission controller)" class="md-nav__link">
Validating Webhook (admission controller)
</a>
</li>
<li class="md-nav__item">
<a href="../upgrade/" title="Upgrade" class="md-nav__link">
Upgrade
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-3" type="checkbox" id="nav-3">
<label class="md-nav__link" for="nav-3">
User guide
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="1">
<label class="md-nav__title" for="nav-3">
User guide
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-3-1" type="checkbox" id="nav-3-1">
<label class="md-nav__link" for="nav-3-1">
NGINX Configuration
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="2">
<label class="md-nav__title" for="nav-3-1">
NGINX Configuration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/" title="Introduction" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/basic-usage/" title="Basic usage" class="md-nav__link">
Basic usage
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/annotations/" title="Annotations" class="md-nav__link">
Annotations
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/configmap/" title="ConfigMap" class="md-nav__link">
ConfigMap
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/custom-template/" title="Custom NGINX template" class="md-nav__link">
Custom NGINX template
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/log-format/" title="Log format" class="md-nav__link">
Log format
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../user-guide/cli-arguments/" title="Command line arguments" class="md-nav__link">
Command line arguments
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/custom-errors/" title="Custom errors" class="md-nav__link">
Custom errors
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/default-backend/" title="Default backend" class="md-nav__link">
Default backend
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/external-articles/" title="External Articles" class="md-nav__link">
External Articles
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/miscellaneous/" title="Miscellaneous" class="md-nav__link">
Miscellaneous
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/monitoring/" title="Prometheus and Grafana installation" class="md-nav__link">
Prometheus and Grafana installation
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/multiple-ingress/" title="Multiple Ingress controllers" class="md-nav__link">
Multiple Ingress controllers
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/tls/" title="TLS/HTTPS" class="md-nav__link">
TLS/HTTPS
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-3-12" type="checkbox" id="nav-3-12">
<label class="md-nav__link" for="nav-3-12">
Third party addons
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="2">
<label class="md-nav__title" for="nav-3-12">
Third party addons
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../user-guide/third-party-addons/modsecurity/" title="ModSecurity Web Application Firewall" class="md-nav__link">
ModSecurity Web Application Firewall
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/third-party-addons/opentracing/" title="OpenTracing" class="md-nav__link">
OpenTracing
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-4" type="checkbox" id="nav-4">
<label class="md-nav__link" for="nav-4">
Examples
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="1">
<label class="md-nav__title" for="nav-4">
Examples
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../examples/" title="Introduction" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/PREREQUISITES/" title="Prerequisites" class="md-nav__link">
Prerequisites
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/affinity/cookie/" title="Sticky Sessions" class="md-nav__link">
Sticky Sessions
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-4-4" type="checkbox" id="nav-4-4">
<label class="md-nav__link" for="nav-4-4">
Auth
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="2">
<label class="md-nav__title" for="nav-4-4">
Auth
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../examples/auth/basic/" title="Basic Authentication" class="md-nav__link">
Basic Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/auth/client-certs/" title="Client Certificate Authentication" class="md-nav__link">
Client Certificate Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/auth/external-auth/" title="External Basic Authentication" class="md-nav__link">
External Basic Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/auth/oauth-external-auth/" title="External OAUTH Authentication" class="md-nav__link">
External OAUTH Authentication
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-4-5" type="checkbox" id="nav-4-5">
<label class="md-nav__link" for="nav-4-5">
Customization
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="2">
<label class="md-nav__title" for="nav-4-5">
Customization
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../examples/customization/configuration-snippets/" title="Configuration Snippets" class="md-nav__link">
Configuration Snippets
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/custom-configuration/" title="Custom Configuration" class="md-nav__link">
Custom Configuration
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/custom-errors/" title="Custom Errors" class="md-nav__link">
Custom Errors
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/custom-headers/" title="Custom Headers" class="md-nav__link">
Custom Headers
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/ssl-dh-param/" title="Custom DH parameters for perfect forward secrecy" class="md-nav__link">
Custom DH parameters for perfect forward secrecy
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/sysctl/" title="Sysctl tuning" class="md-nav__link">
Sysctl tuning
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../examples/docker-registry/" title="Docker registry" class="md-nav__link">
Docker registry
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/grpc/" title="gRPC" class="md-nav__link">
gRPC
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/multi-tls/" title="Multi TLS certificate termination" class="md-nav__link">
Multi TLS certificate termination
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/rewrite/" title="Rewrite" class="md-nav__link">
Rewrite
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/static-ip/" title="Static IPs" class="md-nav__link">
Static IPs
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/tls-termination/" title="TLS termination" class="md-nav__link">
TLS termination
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="toc">
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary">
<label class="md-nav__title" for="__toc">Table of contents</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#overview" title="Overview" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="#service-accounts-created-in-this-example" title="Service Accounts created in this example" class="md-nav__link">
Service Accounts created in this example
</a>
</li>
<li class="md-nav__item">
<a href="#permissions-granted-in-this-example" title="Permissions Granted in this example" class="md-nav__link">
Permissions Granted in this example
</a>
<nav class="md-nav">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#cluster-permissions" title="Cluster Permissions" class="md-nav__link">
Cluster Permissions
</a>
</li>
<li class="md-nav__item">
<a href="#namespace-permissions" title="Namespace Permissions" class="md-nav__link">
Namespace Permissions
</a>
</li>
<li class="md-nav__item">
<a href="#bindings" title="Bindings" class="md-nav__link">
Bindings
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/kubernetes/ingress-nginx/edit/master/docs/deploy/rbac.md" title="Edit this page" class="md-icon md-content__icon">&#xE3C9;</a>
<h1 id="role-based-access-control-rbac">Role Based Access Control (RBAC)<a class="headerlink" href="#role-based-access-control-rbac" title="Permanent link">&para;</a></h1>
<h2 id="overview">Overview<a class="headerlink" href="#overview" title="Permanent link">&para;</a></h2>
<p>This example applies to nginx-ingress-controllers being deployed in an environment with RBAC enabled.</p>
<p>Role Based Access Control is comprised of four layers:</p>
<ol>
<li><code class="codehilite">ClusterRole</code> - permissions assigned to a role that apply to an entire cluster</li>
<li><code class="codehilite">ClusterRoleBinding</code> - binding a ClusterRole to a specific account</li>
<li><code class="codehilite">Role</code> - permissions assigned to a role that apply to a specific namespace</li>
<li><code class="codehilite">RoleBinding</code> - binding a Role to a specific account</li>
</ol>
<p>In order for RBAC to be applied to an nginx-ingress-controller, that controller
should be assigned to a <code class="codehilite">ServiceAccount</code>. That <code class="codehilite">ServiceAccount</code> should be
bound to the <code class="codehilite">Role</code>s and <code class="codehilite">ClusterRole</code>s defined for the nginx-ingress-controller.</p>
<h2 id="service-accounts-created-in-this-example">Service Accounts created in this example<a class="headerlink" href="#service-accounts-created-in-this-example" title="Permanent link">&para;</a></h2>
<p>One ServiceAccount is created in this example, <code class="codehilite">nginx-ingress-serviceaccount</code>.</p>
<h2 id="permissions-granted-in-this-example">Permissions Granted in this example<a class="headerlink" href="#permissions-granted-in-this-example" title="Permanent link">&para;</a></h2>
<p>There are two sets of permissions defined in this example. Cluster-wide
permissions defined by the <code class="codehilite">ClusterRole</code> named <code class="codehilite">nginx-ingress-clusterrole</code>, and
namespace specific permissions defined by the <code class="codehilite">Role</code> named <code class="codehilite">nginx-ingress-role</code>.</p>
<h3 id="cluster-permissions">Cluster Permissions<a class="headerlink" href="#cluster-permissions" title="Permanent link">&para;</a></h3>
<p>These permissions are granted in order for the nginx-ingress-controller to be
able to function as an ingress across the cluster. These permissions are
granted to the ClusterRole named <code class="codehilite">nginx-ingress-clusterrole</code></p>
<ul>
<li><code class="codehilite">configmaps</code>, <code class="codehilite">endpoints</code>, <code class="codehilite">nodes</code>, <code class="codehilite">pods</code>, <code class="codehilite">secrets</code>: list, watch</li>
<li><code class="codehilite">nodes</code>: get</li>
<li><code class="codehilite">services</code>, <code class="codehilite">ingresses</code>: get, list, watch</li>
<li><code class="codehilite">events</code>: create, patch</li>
<li><code class="codehilite">ingresses/status</code>: update</li>
</ul>
<h3 id="namespace-permissions">Namespace Permissions<a class="headerlink" href="#namespace-permissions" title="Permanent link">&para;</a></h3>
<p>These permissions are granted specific to the nginx-ingress namespace. These
permissions are granted to the Role named <code class="codehilite">nginx-ingress-role</code></p>
<ul>
<li><code class="codehilite">configmaps</code>, <code class="codehilite">pods</code>, <code class="codehilite">secrets</code>: get</li>
<li><code class="codehilite">endpoints</code>: get</li>
</ul>
<p>Furthermore to support leader-election, the nginx-ingress-controller needs to
have access to a <code class="codehilite">configmap</code> using the resourceName <code class="codehilite">ingress-controller-leader-nginx</code></p>
<blockquote>
<p>Note that resourceNames can NOT be used to limit requests using the “create”
verb because authorizers only have access to information that can be obtained
from the request URL, method, and headers (resource names in a “create” request
are part of the request body).</p>
</blockquote>
<ul>
<li><code class="codehilite">configmaps</code>: get, update (for resourceName <code class="codehilite">ingress-controller-leader-nginx</code>)</li>
<li><code class="codehilite">configmaps</code>: create</li>
</ul>
<p>This resourceName is the concatenation of the <code class="codehilite">election-id</code> and the
<code class="codehilite">ingress-class</code> as defined by the ingress-controller, which defaults to:</p>
<ul>
<li><code class="codehilite">election-id</code>: <code class="codehilite">ingress-controller-leader</code></li>
<li><code class="codehilite">ingress-class</code>: <code class="codehilite">nginx</code></li>
<li><code class="codehilite">resourceName</code> : <code class="codehilite">&lt;election-id&gt;-&lt;ingress-class&gt;</code></li>
</ul>
<p>Please adapt accordingly if you overwrite either parameter when launching the
nginx-ingress-controller.</p>
<h3 id="bindings">Bindings<a class="headerlink" href="#bindings" title="Permanent link">&para;</a></h3>
<p>The ServiceAccount <code class="codehilite">nginx-ingress-serviceaccount</code> is bound to the Role
<code class="codehilite">nginx-ingress-role</code> and the ClusterRole <code class="codehilite">nginx-ingress-clusterrole</code>.</p>
<p>The serviceAccountName associated with the containers in the deployment must
match the serviceAccount. The namespace references in the Deployment metadata,
container arguments, and POD_NAMESPACE should be in the nginx-ingress namespace.</p>
</article>
</div>
</div>
</main>
<footer class="md-footer">
<div class="md-footer-nav">
<nav class="md-footer-nav__inner md-grid">
<a href="../baremetal/" title="Bare-metal considerations" class="md-flex md-footer-nav__link md-footer-nav__link--prev" rel="prev">
<div class="md-flex__cell md-flex__cell--shrink">
<i class="md-icon md-icon--arrow-back md-footer-nav__button"></i>
</div>
<div class="md-flex__cell md-flex__cell--stretch md-footer-nav__title">
<span class="md-flex__ellipsis">
<span class="md-footer-nav__direction">
Previous
</span>
Bare-metal considerations
</span>
</div>
</a>
<a href="../validating-webhook/" title="Validating Webhook (admission controller)" class="md-flex md-footer-nav__link md-footer-nav__link--next" rel="next">
<div class="md-flex__cell md-flex__cell--stretch md-footer-nav__title">
<span class="md-flex__ellipsis">
<span class="md-footer-nav__direction">
Next
</span>
Validating Webhook (admission controller)
</span>
</div>
<div class="md-flex__cell md-flex__cell--shrink">
<i class="md-icon md-icon--arrow-forward md-footer-nav__button"></i>
</div>
</a>
</nav>
</div>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-footer-copyright">
powered by
<a href="https://www.mkdocs.org">MkDocs</a>
and
<a href="https://squidfunk.github.io/mkdocs-material/">
Material for MkDocs</a>
</div>
</div>
</div>
</footer>
</div>
<script src="../../assets/javascripts/application.d9aa80ab.js"></script>
<script>app.initialize({version:"1.0.4",url:{base:"../.."}})</script>
</body>
</html>
Reference in a new issue View git blame Copy permalink