How To Grant RealTheory RBAC Permissions to Custom Resources and Custom Resource Definitions
  • 24 Sep 2024

Background

RealTheory runs as a service account in your Kubernetes cluster. By default, RealTheory does not have sufficient RBAC permissions to enumerate Custom Resources (CRs) derived from Custom Resource Definitions (CRDs). Before RealTheory can aggregate and roll up costs, alerts, and other interesting data from CRs, you must augment the RBAC permissions within the RealTheory Collector deployment manifest for each cluster that contains CRDs and CRs.

Solution

To augment the RBAC permissions within the RealTheory Collector deployment manifest for each cluster that contains CRDs and CRs, add a rule for the custom API group to the ClusterRole in the ClusterRole section of the RealTheory deployment manifest.

Procedure

  1. Locate the ClusterRole section of the RealTheory deployment manifest for the cluster that contains CRDs and CRs:

    # The cluster role grants read only access to key API groups.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: object-reader
    rules:
    - apiGroups: [""]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: [apps]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: [metrics.k8s.io]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: [storage.k8s.io]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: [apiextensions.k8s.io]
      resources: ["*"]
      verbs: [get, watch, list]      
    
  2. Add the following to the ClusterRole section:

    - apiGroups: ["my.custom.group"]
      resources: ["*"]
      verbs: [get, watch, list]
    

    Where my.custom.group is the API group that contains the resources you want RealTheory to be able to access.

  3. Run kubectl apply -f <filename.yaml> on the cluster you want to manage.

    Where filename.yaml is the name of the RealTheory Collector deployment manifest file.

Example

To give RealTheory the appropriate RBAC permissions to aggregate data from Agones CRDs and CRs, you might update the ClusterRole section of the RealTheory deployment manifest as follows:

    # The cluster role grants read only access to key API groups.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: object-reader
    rules:
    - apiGroups: [""]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: [apps]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: [metrics.k8s.io]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: [storage.k8s.io]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: [apiextensions.k8s.io]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: ["agones.dev"]
      resources: ["*"]
      verbs: [get, watch, list]
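To confirm what the updated role grants, the following added example (not part of the RealTheory manifest or tooling) evaluates the rules the way RBAC matches them, including the `*` wildcard, and reports any rule that goes beyond read-only verbs. It assumes the role is exported with `kubectl get clusterrole object-reader -o json`; the embedded JSON is a constructed copy of the Example manifest, and `gameservers` (Agones) and `batch`/`jobs` are used only as probe values.

```python
import json

# Constructed sample: the rules of the Example manifest above, in the JSON
# shape that `kubectl get clusterrole object-reader -o json` returns.
CLUSTER_ROLE_JSON = '''
{"kind": "ClusterRole", "metadata": {"name": "object-reader"}, "rules": [
  {"apiGroups": [""], "resources": ["*"], "verbs": ["get", "watch", "list"]},
  {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["get", "watch", "list"]},
  {"apiGroups": ["metrics.k8s.io"], "resources": ["*"], "verbs": ["get", "watch", "list"]},
  {"apiGroups": ["storage.k8s.io"], "resources": ["*"], "verbs": ["get", "watch", "list"]},
  {"apiGroups": ["apiextensions.k8s.io"], "resources": ["*"], "verbs": ["get", "watch", "list"]},
  {"apiGroups": ["agones.dev"], "resources": ["*"], "verbs": ["get", "watch", "list"]}
]}
'''

READ_VERBS = {"get", "watch", "list"}


def _matches(allowed, wanted):
    # RBAC treats "*" as "any value" for apiGroups, resources and verbs.
    return "*" in allowed or wanted in allowed


def allows(role, group, resource, verb):
    """True if any rule grants `verb` on `resource` in API group `group`.

    Subresource patterns (e.g. "pods/log") are not modelled here.
    """
    for rule in role.get("rules") or []:
        if rule.get("resourceNames"):  # name-scoped rule: not a blanket grant
            continue
        if (_matches(rule.get("apiGroups", []), group)
                and _matches(rule.get("resources", []), resource)
                and _matches(rule.get("verbs", []), verb)):
            return True
    return False


def write_grants(role):
    """Return (apiGroups, verbs) for every rule that exceeds read-only."""
    found = []
    for rule in role.get("rules") or []:
        extra = sorted(set(rule.get("verbs", [])) - READ_VERBS)
        if extra:
            found.append((rule.get("apiGroups", []), extra))
    return found


ROLE = json.loads(CLUSTER_ROLE_JSON)
```

With the sample role, `allows(ROLE, "", "secrets", "get")` is true: `resources: ["*"]` in the core group covers Secrets, so the collector's service account can read them cluster-wide.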
