Version: 1.0.0

Kubernetes Fine-Grained Access Guide for Zeet

Overview

Zeet provides a flexible and powerful way to manage Kubernetes (K8s) cluster connections, ensuring efficient and secure deployment to your Kubernetes clusters. This guide details the fine-grained access control mechanism available in Zeet, which is defined in our open source Kubernetes configuration repository:

https://github.com/zeet-dev/zeet-cloud-kubernetes

Structure of the Configuration

The 01-role-fine-grained.yaml file in the repository defines a ClusterRole and a ClusterRoleBinding that offer comprehensive and customizable access controls. This structure allows for specifying permissions at a detailed level for different resource types and API groups in Kubernetes.

1. Understanding the ClusterRole zeet-fine-grained

This role is designed to provide granular control over a wide range of Kubernetes resources, divided into several categories based on the level of access and the API groups they belong to.

1.1. Read Permissions

  • Verbs: get, list, watch
  • API Groups: * (all)
  • Resources: * (all)
  • Grants read-only access to the cluster for the Dashboard functionality.

1.2. Write Permissions on Core API Group

  • Verbs: create, update, patch, delete, deletecollection
  • API Groups: "" (core)
  • Resources: Specific core resources like configmaps, namespaces, pods, etc.
  • Provides write access to essential core Kubernetes resources for application deployment and management.

1.3. Write Permissions on Core-Extension API Groups

  • Verbs: Same as above.
  • API Groups: Groups like apps, batch, policy, etc.
  • Resources: * (all)
  • Enables management of resources in core-extension API groups, often used for advanced deployment configuration and cluster maintenance.

1.4. Write Permissions on Custom API Groups

  • Verbs: Same as above.
  • API Groups: Custom groups like acme.cert-manager.io, keda.sh, etc.
  • Resources: * (all)
  • Allows control over resources defined by custom API groups. These groups are used by Zeet's Kubernetes integrations, as documented in our Platform Engineering Guide.

1.5. Write Permissions on AWS API Groups

  • Verbs: Same as above.
  • API Groups: AWS-related groups like crd.k8s.amazonaws.com.
  • Resources: * (all)
  • Allows management of AWS-specific Kubernetes resources.

2. Customizing the Fine-Grained Role

Zeet allows users to customize the ClusterRole according to their specific needs. This section is especially useful for users who require precise control over the permissions granted within their Kubernetes clusters.

2.1. Customization Approach

  • Editing the Role: Users can modify the 01-role-fine-grained.yaml file to enable or disable specific permissions.
  • Resource Specificity: Fine-tune access by specifying individual resources within an API group instead of using the wildcard *.
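The manifest below is an illustrative reconstruction of the structure described in sections 1 and 2, written for this guide rather than copied from the repository's 01-role-fine-grained.yaml. The exact resource lists, the binding name and the narrowed core-extension rule are assumptions chosen to show the rule categories and the resource-specific form from section 2.1.

```yaml
# Illustrative example (not the repository file): one rule per category from section 1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: zeet-fine-grained
rules:
  # 1.1 Read permissions: cluster-wide read-only access for the Dashboard
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  # 1.2 Write permissions on the core API group, named resource by resource
  # (this resource list is an assumption; the repository file defines the real one)
  - apiGroups: [""]
    resources: ["configmaps", "namespaces", "pods", "services"]
    verbs: ["create", "update", "patch", "delete", "deletecollection"]
  # 1.3 Core-extension API groups, already narrowed as section 2.1 suggests:
  # the wildcard resources: ["*"] is replaced by the workload kinds actually needed
  - apiGroups: ["apps", "batch", "policy"]
    resources: ["deployments", "statefulsets", "jobs", "cronjobs", "poddisruptionbudgets"]
    verbs: ["create", "update", "patch", "delete", "deletecollection"]
  # 1.4 Custom API groups used by Zeet's integrations (wildcard form)
  - apiGroups: ["acme.cert-manager.io", "keda.sh"]
    resources: ["*"]
    verbs: ["create", "update", "patch", "delete", "deletecollection"]
  # 1.5 AWS API groups (wildcard form)
  - apiGroups: ["crd.k8s.amazonaws.com"]
    resources: ["*"]
    verbs: ["create", "update", "patch", "delete", "deletecollection"]
---
# Binds the role to the service account named in section 3 (binding name is an assumption)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: zeet-fine-grained
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: zeet-fine-grained
subjects:
  - kind: ServiceAccount
    name: zeet-admin
    namespace: zeet
```

After applying a customized role, you can confirm what the bound service account can actually do with kubectl auth can-i --list --as=system:serviceaccount:zeet:zeet-admin, which lists the effective verbs per resource and makes any remaining wildcard grants visible.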

3. Applying and Binding the Role

After customizing the role:

  1. Apply the Role:

    kubectl apply -f roles/01-role-fine-grained.yaml
  2. Bind the Role to Service Accounts: The ClusterRoleBinding in the file associates the role with a service account (zeet-admin in the zeet namespace). Adjust as necessary for your environment.

4. Connect Cluster to Zeet

After applying the role, you can connect your cluster to Zeet by following the cluster connection guide.