github.com/pachyderm/pachyderm@v1.13.4/doc/docs/1.11.x/deploy-manage/deploy/rbac.md (about)

# RBAC

Pachyderm supports Kubernetes Role-Based Access Control (RBAC), which is
enabled in every Pachyderm deployment. In most use cases, Pachyderm sets
all the RBAC permissions it needs automatically. However, if you are
deploying Pachyderm on a cluster that your company owns, its security
policies might not allow those permissions to be granted by default. In
that case, contact your Kubernetes administrator and provide the following
list of required permissions (the rules of the `pachyderm` ClusterRole that
the deployment creates):

```go
// Go fragment using the k8s.io/api/rbac/v1 types (rbacv1). Each PolicyRule is
// one line in the table below; client.StorageSecretName is the name of the
// Kubernetes Secret that holds the object-storage credentials, and it is the
// only Secret the last rule grants access to.
Rules: []rbacv1.PolicyRule{{
	APIGroups: []string{""},
	Verbs:     []string{"get", "list", "watch"},
	Resources: []string{"nodes", "pods", "pods/log", "endpoints"},
}, {
	APIGroups: []string{""},
	Verbs:     []string{"get", "list", "watch", "create", "update", "delete"},
	Resources: []string{"replicationcontrollers", "services"},
}, {
	APIGroups:     []string{""},
	Verbs:         []string{"get", "list", "watch", "create", "update", "delete"},
	Resources:     []string{"secrets"},
	ResourceNames: []string{client.StorageSecretName},
}},
```

The following table explains how Pachyderm uses those permissions:

| Permission       | Description   |
| ---------------- | ------------- |
| Access to nodes | Required for the `coefficient` option of the `parallelism_spec` field in the pipeline spec: Pachyderm multiplies `coefficient` by the number of Kubernetes nodes to determine how many workers to run for the pipeline, so it must be able to list nodes. If this permission cannot be granted, use `constant` instead. |
| Access to pods, replication controllers, and services | Pachyderm uses these permissions to monitor the created pipelines. The permissions on `replicationcontrollers` and `services` are used when setting up and deleting pipelines: each pipeline has its own RC and service in addition to its worker pods. |
| Access to secrets | Required to give various kinds of credentials to pipelines, including storage credentials for S3 or other object-storage backends, Docker credentials for pulling from a private registry, and others. The rule is restricted with `ResourceNames` to the single storage secret rather than to every secret in the namespace. |

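The rules above, expressed as a ClusterRole manifest a cluster administrator can apply, together with a checker that asks the API server whether a given subject actually holds each permission. This is an added shell example, not Pachyderm's own deployment code. It assumes the ClusterRole is named `pachyderm` (the name that appears in the GKE error in the last section) and that `client.StorageSecretName` resolves to `pachyderm-storage-secret`; set `PACH_STORAGE_SECRET` if yours differs. `verify_subject` needs a reachable cluster; the other functions run offline.

```shell
#!/bin/sh
# Added example (not from the Pachyderm docs or code base).
# Assumption: the storage secret name; override if client.StorageSecretName differs.
PACH_STORAGE_SECRET="${PACH_STORAGE_SECRET:-pachyderm-storage-secret}"

# The three PolicyRules from the Go snippet, one per line, as "verbs|resources".
RULES='get,list,watch|nodes,pods,pods/log,endpoints
get,list,watch,create,update,delete|replicationcontrollers,services
get,list,watch,create,update,delete|secrets'

# quote_list "a,b,c" -> "a","b","c"  (YAML flow-sequence items)
quote_list() {
  printf '%s' "$1" | tr ',' '\n' | awk '{ printf "%s\"%s\"", (NR > 1 ? "," : ""), $0 }'
}

# pachyderm_clusterrole_manifest: prints a kubectl-applyable ClusterRole.
# It has to be a ClusterRole rather than a Role because "nodes" is cluster-scoped.
pachyderm_clusterrole_manifest() {
  printf 'apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  name: pachyderm\nrules:\n'
  printf '%s\n' "$RULES" | while IFS='|' read -r verbs resources; do
    printf '%s\n' '- apiGroups: [""]'
    printf '  verbs: [%s]\n' "$(quote_list "$verbs")"
    printf '  resources: [%s]\n' "$(quote_list "$resources")"
    # Only the secrets rule is pinned to one object, as in the Go rules.
    case "$resources" in
      secrets) printf '  resourceNames: ["%s"]\n' "$PACH_STORAGE_SECRET" ;;
    esac
  done
}

# rbac_checks: the rules flattened to one "verb resource" pair per line (30 pairs).
rbac_checks() {
  printf '%s\n' "$RULES" | while IFS='|' read -r verbs resources; do
    for v in $(printf '%s' "$verbs" | tr ',' ' '); do
      for r in $(printf '%s' "$resources" | tr ',' ' '); do
        printf '%s %s\n' "$v" "$r"
      done
    done
  done
}

# verify_subject NAMESPACE [SUBJECT]: asks the API server whether SUBJECT (or,
# with no SUBJECT, your own identity) holds each pair, and prints the missing
# ones. pods/log is checked as a subresource and secrets against the named
# secret only, matching the Go rules. Impersonating with --as requires the
# "impersonate" permission on the caller's side.
# Example: verify_subject pachyderm system:serviceaccount:pachyderm:pachyderm
verify_subject() {
  ns="$1"; subject="${2:-}"
  rbac_checks | while read -r verb resource; do
    case "$resource" in
      pods/log) args="pods --subresource=log" ;;
      secrets)  args="secrets/$PACH_STORAGE_SECRET" ;;
      *)        args="$resource" ;;
    esac
    # $args is intentionally word-split into resource plus optional flag.
    if ! kubectl auth can-i "$verb" $args -n "$ns" ${subject:+"--as=$subject"} >/dev/null 2>&1; then
      printf 'MISSING: %s %s\n' "$verb" "$resource"
    fi
  done
}
```

Pipe `pachyderm_clusterrole_manifest` into `kubectl apply -f -` to create the role, and bind it to the Pachyderm service account with a ClusterRoleBinding. Running `verify_subject` with no subject checks whether your own identity holds every rule, which is exactly the condition the escalation check in the GKE section below enforces before it lets you create the ClusterRole.
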
## RBAC and DNS

In older Kubernetes versions, the `kube-dns` Deployment was not configured to
run under its own `ServiceAccount`, so with RBAC enabled its pods lacked the
permissions they need and kept crashing. To check whether your cluster is
affected by this issue, run:

```shell
kubectl get all --namespace=kube-system
```

**System response:**
    48  
    49  ```shell
    50  NAME              DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
    51  deploy/kube-dns   1         1         1            0           3m
    52  
    53  NAME                     DESIRED   CURRENT   READY     AGE
    54  rs/kube-dns-86f6f55dd5   1         1         0         3m
    55  
    56  NAME                            READY     STATUS    RESTARTS   AGE
    57  po/kube-addon-manager-oryx      1/1       Running   0          3m
    58  po/kube-dns-86f6f55dd5-xksnb    2/3       Running   4          3m
    59  po/kubernetes-dashboard-bzjjh   1/1       Running   0          3m
    60  po/storage-provisioner          1/1       Running   0          3m
    61  
    62  NAME                      DESIRED   CURRENT   READY     AGE
    63  rc/kubernetes-dashboard   1         1         1         3m
    64  
    65  NAME                       TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
    66  svc/kube-dns               ClusterIP   10.96.0.10     <none>        53/UDP,53/TCP   3m
    67  svc/kubernetes-dashboard   NodePort    10.97.194.16   <none>        80:30000/TCP    3m
    68  ```
    69  
In the output above, `po/kube-dns-86f6f55dd5-xksnb` has only two of its three
containers ready (`2/3`) and has restarted four times, and `deploy/kube-dns`
shows zero available replicas. To fix this issue, run:

```shell
kubectl -n kube-system create sa kube-dns
kubectl -n kube-system patch deploy/kube-dns -p '{"spec": {"template": {"spec": {"serviceAccountName": "kube-dns"}}}}'
```

The first command creates the `kube-dns` `ServiceAccount` in `kube-system`;
the second patches the Deployment so that its pods run as that account instead
of the namespace's `default` `ServiceAccount`. The cluster's bootstrap RBAC
already contains a `system:kube-dns` ClusterRole and a ClusterRoleBinding that
grant the required permissions to that account, but they have no effect until
the `kube-dns` pods actually use it. After the patch, confirm that the pods
roll to `3/3` ready and stop restarting.

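The triage and the fix above as an added shell example (not from the Pachyderm docs): `flag_unready` picks out of `kubectl get` output every pod with fewer containers ready than declared or a non-zero restart count, so the check does not depend on reading the table by eye, and `kube_dns_fix` applies the two commands only when they are needed. The sample output embedded below is constructed from the page's listing; `kube_dns_fix` needs a reachable cluster and assumes the addon's standard `k8s-app=kube-dns` label.

```shell
#!/bin/sh
# Added example (not from the Pachyderm docs or code base).

# Constructed sample: the pod rows from the `kubectl get all` output above.
SAMPLE_PODS='NAME                            READY     STATUS    RESTARTS   AGE
po/kube-addon-manager-oryx      1/1       Running   0          3m
po/kube-dns-86f6f55dd5-xksnb    2/3       Running   4          3m
po/kubernetes-dashboard-bzjjh   1/1       Running   0          3m
po/storage-provisioner          1/1       Running   0          3m'

# flag_unready: reads `kubectl get pods`-style rows on stdin (NAME READY STATUS
# RESTARTS AGE, with or without the old `po/` prefix) and prints the name of
# every pod whose READY column is below n/n or whose RESTARTS column is non-zero.
# Rows of other kinds (deploy/, rs/, svc/) have no x/y READY field and are
# skipped, so the whole `kubectl get all` output can be piped in unchanged.
flag_unready() {
  awk '$2 ~ /^[0-9]+\/[0-9]+$/ {
    split($2, ready, "/")
    name = $1
    sub(/^po\//, "", name)
    if (ready[1] + 0 < ready[2] + 0 || $4 + 0 > 0) print name
  }'
}

# kube_dns_fix: the two commands from the page, made idempotent: create the
# ServiceAccount only if it is absent and patch the Deployment only if its pod
# template is not already using kube-dns. Needs a reachable cluster.
kube_dns_fix() {
  kubectl -n kube-system get sa kube-dns >/dev/null 2>&1 \
    || kubectl -n kube-system create sa kube-dns
  current=$(kubectl -n kube-system get deploy kube-dns \
    -o jsonpath='{.spec.template.spec.serviceAccountName}')
  if [ "$current" != "kube-dns" ]; then
    kubectl -n kube-system patch deploy/kube-dns \
      -p '{"spec":{"template":{"spec":{"serviceAccountName":"kube-dns"}}}}'
  fi
  # The patch rolls the pods; re-run this until nothing is flagged.
  kubectl -n kube-system get pods -l k8s-app=kube-dns | flag_unready
}

# Offline run against the constructed sample: prints kube-dns-86f6f55dd5-xksnb
printf '%s\n' "$SAMPLE_PODS" | flag_unready
```
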
## Resolving RBAC Permissions on GKE

When you deploy Pachyderm on GKE, you might see the following error:

```shell
Error from server (Forbidden): error when creating "STDIN": clusterroles.rbac.authorization.k8s.io "pachyderm" is forbidden: attempt to grant extra privileges:
```

Kubernetes RBAC prevents privilege escalation: an identity can create or update
a ClusterRole only if it already holds every permission that role contains (or
holds the `escalate` verb on `clusterroles`). On GKE, the identity you use with
`kubectl` often does not hold all of the permissions listed above, so creating
the `pachyderm` ClusterRole is refused. To fix this issue, bind your own
account to the built-in `cluster-admin` ClusterRole and then redeploy
Pachyderm:

```shell
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value account)
```

Note that this grants your account full administrative rights in the cluster.
The escalation check runs only when a ClusterRole is created or updated, so the
binding can be deleted after a successful deployment; it must be present again
for any later deployment that modifies the `pachyderm` ClusterRole.