Can I deploy Lenses Processors in Kubernetes without ClusterRole / ClusterRoleBinding?
The suggested way to deploy Lenses Processors in Kubernetes is to enable RBAC at cluster level through the Helm values.yaml:
values.yaml
rbacEnable: true
If you want to limit the permissions Lenses has against your Kubernetes cluster, you can use Role/RoleBinding resources instead.
Role/RoleBinding
To achieve this you need to create a Role and a RoleBinding resource in the namespace you want the processors deployed to:
Role
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: [ROLE_NAME]
  namespace: [PROCESSORS_NAMESPACE]
rules:
  - apiGroups: [""]
    resources:
      - namespaces
      - persistentvolumes
      - persistentvolumeclaims
      - pods/log
    verbs:
      - list
      - watch
      - get
      - create
  - apiGroups: ["", "extensions", "apps"]
    resources:
      - pods
      - replicasets
      - deployments
      - ingresses
      - secrets
      - statefulsets
      - services
    verbs:
      - list
      - watch
      - get
      - update
      - create
      - delete
      - patch
  - apiGroups: [""]
    resources:
      - events
    verbs:
      - list
      - watch
      - get

RoleBinding
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: [ROLE_BINDING_NAME]
  namespace: [PROCESSORS_NAMESPACE]
subjects:
  - kind: ServiceAccount
    namespace: [LENSES_NAMESPACE]
    name: [SERVICE_ACCOUNT_NAME]
roleRef:
  kind: Role
  name: [ROLE_NAME]
  apiGroup: rbac.authorization.k8s.io
Example for Lenses namespace lenses-ns and processors namespace lenses-proc-ns:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: processor-role
  namespace: lenses-proc-ns
rules:
  - apiGroups: [""]
    resources:
      - namespaces
      - persistentvolumes
      - persistentvolumeclaims
      - pods/log
    verbs:
      - list
      - watch
      - get
      - create
  - apiGroups: ["", "extensions", "apps"]
    resources:
      - pods
      - replicasets
      - deployments
      - ingresses
      - secrets
      - statefulsets
      - services
    verbs:
      - list
      - watch
      - get
      - update
      - create
      - delete
      - patch
  - apiGroups: [""]
    resources:
      - events
    verbs:
      - list
      - watch
      - get

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: processor-role-binding
  namespace: lenses-proc-ns
subjects:
  - kind: ServiceAccount
    namespace: lenses-ns
    name: default
roleRef:
  kind: Role
  name: processor-role
  apiGroup: rbac.authorization.k8s.io
You can repeat this for as many namespaces as you want Lenses to have access to.
Finally, define in the Lenses configuration which namespaces Lenses can access. To do this, amend values.yaml to contain the following:
lenses:
  append:
    conf: |
      lenses.kubernetes.namespaces = {
        incluster = [
          "[PROCESSORS_NAMESPACE]"
        ]
      }
Example:
lenses:
  append:
    conf: |
      lenses.kubernetes.namespaces = {
        incluster = [
          "lenses-processors"
        ]
      }
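One way to confirm the result of the steps above, as an added example that is not part of the Lenses documentation: impersonate the service account with `kubectl auth can-i` and check that verbs from the Role are allowed in the processors namespace and denied in another one. The namespace and account names come from the page's example; the comparison namespace `kube-system` and the `KUBECTL` override variable are assumptions, and the caller needs impersonation rights.

```shell
#!/bin/sh
# Added example, not Lenses tooling. Requires a kubectl context whose user may
# impersonate service accounts (for example a cluster admin).
KUBECTL="${KUBECTL:-kubectl}"   # assumption: override hook, useful for dry runs

# can_i SA_NS SA_NAME TARGET_NS VERB RESOURCE -> prints "yes" or "no"
can_i() {
  local answer
  answer="$("$KUBECTL" auth can-i "$4" "$5" \
    --as="system:serviceaccount:$1:$2" -n "$3" 2>/dev/null)" || true
  if [ "$answer" = "yes" ]; then echo yes; else echo no; fi
}

# audit_scope SA_NS SA_NAME PROC_NS OTHER_NS
# Returns 0 only if every checked verb is allowed in PROC_NS and denied in OTHER_NS.
audit_scope() {
  local sa_ns="$1" sa="$2" proc_ns="$3" other_ns="$4" rc=0 check verb res
  # Verb/resource pairs taken from the Role on this page.
  for check in "create deployments" "delete pods" "patch statefulsets" "get secrets"; do
    verb="${check% *}"
    res="${check#* }"
    if [ "$(can_i "$sa_ns" "$sa" "$proc_ns" "$verb" "$res")" != "yes" ]; then
      echo "MISSING  $verb $res in $proc_ns"; rc=1
    fi
    if [ "$(can_i "$sa_ns" "$sa" "$other_ns" "$verb" "$res")" = "yes" ]; then
      echo "TOO WIDE $verb $res in $other_ns"; rc=1
    fi
  done
  return "$rc"
}

# Usage: sh check-scope.sh lenses-ns default lenses-proc-ns kube-system
if [ "$#" -eq 4 ]; then
  audit_scope "$@"
fi
```

A "TOO WIDE" line after switching from rbacEnable to Role/RoleBinding usually means a ClusterRoleBinding for the service account is still in place.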