github.com/pachyderm/pachyderm@v1.13.4/doc/docs/1.9.x/deploy-manage/deploy/rbac.md

# RBAC

Pachyderm supports Kubernetes Role-Based Access Control (RBAC), and RBAC is enabled by default in all Pachyderm deployments. Most users will not run into any issues, because Pachyderm sets up all of the RBAC permissions it needs automatically. However, if you are deploying Pachyderm on a cluster that your company owns, security policies might not allow certain RBAC permissions by default. In that case, contact your Kubernetes admin ahead of time and provide the following, so that you do not run into permission errors during deployment. In short, Pachyderm needs read-only access to nodes, pods, pod logs and endpoints; read/write access to replication controllers and services; and read/write access to a single named Secret (`client.StorageSecretName`, the Secret that holds the object-storage credentials) rather than to every Secret in the namespace. After deployment you can confirm the result with `kubectl auth can-i`, impersonating Pachyderm's ServiceAccount.

Pachyderm Permission Requirements
```go
// Rules of the "pachyderm" ClusterRole as built by the Pachyderm deployment code.
// rbacv1 is k8s.io/api/rbac/v1; the empty API group "" is the core group.
Rules: []rbacv1.PolicyRule{{
	APIGroups: []string{""},
	Verbs:     []string{"get", "list", "watch"},
	Resources: []string{"nodes", "pods", "pods/log", "endpoints"},
}, {
	APIGroups: []string{""},
	Verbs:     []string{"get", "list", "watch", "create", "update", "delete"},
	Resources: []string{"replicationcontrollers", "services"},
}, {
	APIGroups:     []string{""},
	Verbs:         []string{"get", "list", "watch", "create", "update", "delete"},
	Resources:     []string{"secrets"},
	ResourceNames: []string{client.StorageSecretName}, // only this one Secret, not all Secrets
}},
```

## RBAC and DNS
Kubernetes currently (as of 1.8.0) has a bug that prevents kube-dns from
working with RBAC. Without DNS, Pachyderm is effectively unusable. You
can tell whether you are affected by the bug like so:

```shell
$ kubectl get all --namespace=kube-system
NAME              DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deploy/kube-dns   1         1         1            0           3m

NAME                     DESIRED   CURRENT   READY     AGE
rs/kube-dns-86f6f55dd5   1         1         0         3m

NAME                            READY     STATUS    RESTARTS   AGE
po/kube-addon-manager-oryx      1/1       Running   0          3m
po/kube-dns-86f6f55dd5-xksnb    2/3       Running   4          3m
po/kubernetes-dashboard-bzjjh   1/1       Running   0          3m
po/storage-provisioner          1/1       Running   0          3m

NAME                      DESIRED   CURRENT   READY     AGE
rc/kubernetes-dashboard   1         1         1         3m

NAME                       TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
svc/kube-dns               ClusterIP   10.96.0.10     <none>        53/UDP,53/TCP   3m
svc/kubernetes-dashboard   NodePort    10.97.194.16   <none>        80:30000/TCP    3m
```

Notice how `po/kube-dns-86f6f55dd5-xksnb` only has 2/3 containers ready and has 4 restarts.
To fix this, run:

```shell
kubectl -n kube-system create sa kube-dns
kubectl -n kube-system patch deploy/kube-dns -p '{"spec": {"template": {"spec": {"serviceAccountName": "kube-dns"}}}}'
```

This tells Kubernetes that `kube-dns` should run under the `kube-dns`
ServiceAccount. Kubernetes ships the RBAC bindings for that ServiceAccount,
but the kube-dns Deployment is not configured to use it: without the patch it
runs under the namespace's `default` ServiceAccount, which has none of those
permissions, which is why the pod above keeps restarting.

## RBAC Permissions on GKE
If you are deploying Pachyderm on GKE and run into the following error:

```
Error from server (Forbidden): error when creating "STDIN": clusterroles.rbac.authorization.k8s.io "pachyderm" is forbidden: attempt to grant extra privileges:
```

it means the account you are deploying with does not itself hold every permission in the `pachyderm` ClusterRole. Kubernetes RBAC only lets you create or update a role containing permissions you already have, and on GKE a Google Cloud project owner is not automatically a Kubernetes `cluster-admin`. Grant yourself that role and redeploy Pachyderm:

```shell
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value account)
```

Note that `cluster-admin` gives that account full control of the cluster. Bind it only to the user that performs the deployment, and if your security policy requires it, remove the binding again afterwards (`kubectl delete clusterrolebinding cluster-admin-binding`).
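The rules listed under Pachyderm Permission Requirements are matched by the Kubernetes API server on every request. The following is an added example, not code from the Pachyderm project or from Kubernetes, that mirrors the matching logic of Kubernetes RBAC (verb, API group, resource with optional subresource, and resource name) in plain Go with no Kubernetes dependencies, so you can probe what the rule set does and does not grant before handing it to a cluster admin. `storageSecretName` stands in for `client.StorageSecretName` and its value is an assumption; the pod and secret names in the probes are constructed. One thing the probes make visible: because the Secrets rule carries `ResourceNames`, it only matches requests that name that Secret, so `list secrets` (which carries no name) is not granted by it, while `get secrets/<name>` is.

```go
package main

import "fmt"

// PolicyRule mirrors the fields of rbacv1.PolicyRule used for resource
// requests, defined locally so this runs without Kubernetes libraries.
type PolicyRule struct {
	APIGroups     []string
	Verbs         []string
	Resources     []string
	ResourceNames []string
}

// Request is the part of an authorization request that RBAC matches on.
// Name is empty for list, watch and create requests.
type Request struct {
	Verb        string // get, list, watch, create, update, delete
	APIGroup    string // "" is the core API group
	Resource    string // e.g. "pods"
	Subresource string // e.g. "log" for pods/log
	Name        string
}

// storageSecretName stands in for client.StorageSecretName in Pachyderm;
// the value used here is an assumption made for this example.
const storageSecretName = "pachyderm-storage-secret"

// PachydermRules is the rule set from the Permission Requirements above.
func PachydermRules() []PolicyRule {
	return []PolicyRule{{
		APIGroups: []string{""},
		Verbs:     []string{"get", "list", "watch"},
		Resources: []string{"nodes", "pods", "pods/log", "endpoints"},
	}, {
		APIGroups: []string{""},
		Verbs:     []string{"get", "list", "watch", "create", "update", "delete"},
		Resources: []string{"replicationcontrollers", "services"},
	}, {
		APIGroups:     []string{""},
		Verbs:         []string{"get", "list", "watch", "create", "update", "delete"},
		Resources:     []string{"secrets"},
		ResourceNames: []string{storageSecretName},
	}}
}

// matchesAny implements the verb and API group checks: "*" matches everything.
func matchesAny(list []string, want string) bool {
	for _, s := range list {
		if s == "*" || s == want {
			return true
		}
	}
	return false
}

// resourceMatches follows Kubernetes: "*" matches all; otherwise the rule
// entry must equal "resource" or "resource/subresource" exactly, or be
// "*/subresource". A rule on "pods" alone does not grant "pods/log".
func resourceMatches(rule PolicyRule, resource, subresource string) bool {
	combined := resource
	if subresource != "" {
		combined += "/" + subresource
	}
	for _, r := range rule.Resources {
		if r == "*" || r == combined || (subresource != "" && r == "*/"+subresource) {
			return true
		}
	}
	return false
}

// RuleAllows is the per-rule check. An empty ResourceNames matches any name;
// a non-empty one needs an exact match (no "*" here), so requests that carry
// no name (list, watch, create) can never satisfy a name-restricted rule.
func RuleAllows(rule PolicyRule, req Request) bool {
	if !matchesAny(rule.Verbs, req.Verb) || !matchesAny(rule.APIGroups, req.APIGroup) ||
		!resourceMatches(rule, req.Resource, req.Subresource) {
		return false
	}
	if len(rule.ResourceNames) == 0 {
		return true
	}
	for _, n := range rule.ResourceNames {
		if n == req.Name {
			return true
		}
	}
	return false
}

// Allows reports whether any rule grants the request. RBAC is purely
// additive: there are no deny rules, so a single matching rule is enough.
func Allows(rules []PolicyRule, req Request) bool {
	for _, rule := range rules {
		if RuleAllows(rule, req) {
			return true
		}
	}
	return false
}

func main() {
	rules := PachydermRules()
	for _, p := range []Request{ // constructed probe requests
		{Verb: "get", Resource: "pods", Name: "pachd-0"},
		{Verb: "get", Resource: "pods", Subresource: "log", Name: "pachd-0"},
		{Verb: "delete", Resource: "pods", Name: "pachd-0"},
		{Verb: "create", Resource: "services"},
		{Verb: "get", Resource: "secrets", Name: storageSecretName},
		{Verb: "get", Resource: "secrets", Name: "some-other-secret"},
		{Verb: "list", Resource: "secrets"},
		{Verb: "get", APIGroup: "apps", Resource: "deployments", Name: "pachd"},
	} {
		fmt.Printf("%-7s %-12s %-24s allowed=%v\n", p.Verb, p.Resource, p.Name, Allows(rules, p))
	}
}
```

If the admin tightens the rule set (for example, dropping `pods/log`), rerun the probes to see which Pachyderm operations lose access before the change reaches a real cluster.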
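To spot the kube-dns symptom described under RBAC and DNS without reading the table by eye, the following added example (not code from Kubernetes or Pachyderm) parses `kubectl get all`-style output and reports pods that are not fully ready or have restarted. The sample listing is the one shown on this page, embedded as a string so the program runs offline; the names `ParsePods` and `Unhealthy` are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleKubeSystem is the `kubectl get all --namespace=kube-system` listing
// from this page, embedded so the example runs offline.
const sampleKubeSystem = `NAME              DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deploy/kube-dns   1         1         1            0           3m

NAME                     DESIRED   CURRENT   READY     AGE
rs/kube-dns-86f6f55dd5   1         1         0         3m

NAME                            READY     STATUS    RESTARTS   AGE
po/kube-addon-manager-oryx      1/1       Running   0          3m
po/kube-dns-86f6f55dd5-xksnb    2/3       Running   4          3m
po/kubernetes-dashboard-bzjjh   1/1       Running   0          3m
po/storage-provisioner          1/1       Running   0          3m

NAME                      DESIRED   CURRENT   READY     AGE
rc/kubernetes-dashboard   1         1         1         3m

NAME                       TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
svc/kube-dns               ClusterIP   10.96.0.10     <none>        53/UDP,53/TCP   3m
svc/kubernetes-dashboard   NodePort    10.97.194.16   <none>        80:30000/TCP    3m
`

// PodStatus is one pod row of the listing.
type PodStatus struct {
	Name     string
	Ready    int // containers reporting ready
	Total    int // containers in the pod
	Status   string
	Restarts int
}

// ParsePods picks the pod rows out of `kubectl get pods` or `kubectl get all`
// output. A pod row is recognised by its READY column ("2/3"); header lines
// and rows of other resource kinds have no such column and are skipped.
func ParsePods(output string) ([]PodStatus, error) {
	var pods []PodStatus
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := sc.Text()
		f := strings.Fields(line)
		if len(f) < 5 {
			continue
		}
		readyParts := strings.SplitN(f[1], "/", 2)
		if len(readyParts) != 2 {
			continue // header or non-pod row
		}
		ready, err1 := strconv.Atoi(readyParts[0])
		total, err2 := strconv.Atoi(readyParts[1])
		restarts, err3 := strconv.Atoi(f[3])
		if err1 != nil || err2 != nil || err3 != nil {
			return nil, fmt.Errorf("unparseable pod row: %q", line)
		}
		// Older kubectl prefixes pod rows with "po/", newer with "pod/".
		name := strings.TrimPrefix(strings.TrimPrefix(f[0], "po/"), "pod/")
		pods = append(pods, PodStatus{Name: name, Ready: ready, Total: total, Status: f[2], Restarts: restarts})
	}
	return pods, sc.Err()
}

// Unhealthy returns the pods that are not fully ready or have restarted,
// the two signals the page uses to recognise the kube-dns RBAC problem.
func Unhealthy(pods []PodStatus) []PodStatus {
	var out []PodStatus
	for _, p := range pods {
		if p.Ready < p.Total || p.Restarts > 0 {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	pods, err := ParsePods(sampleKubeSystem)
	if err != nil {
		panic(err)
	}
	for _, p := range Unhealthy(pods) {
		fmt.Printf("%s: %d/%d ready, %d restarts, status %s\n", p.Name, p.Ready, p.Total, p.Restarts, p.Status)
	}
}
```

Pipe live output into the same parser (for example by reading it from standard input instead of the embedded string) to get a quick readiness check after applying the ServiceAccount patch: once the fix has taken effect, the kube-dns pod should no longer be listed.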