# Krkn RBAC

RBAC authorization rules required to run Krkn scenarios.

## RBAC rules

The following is a compilation of all the RBAC configuration required to run `run_kraken` and each of the krkn test scenarios.

NOTE: The configuration below assumes that the user executing krkn is `user1` and that this user uses the namespace `testnamespace` to test their application and run the krkn tests.
Allow the user to query Prometheus metrics and get infrastructure and network level details.

| namespace/clusterRole | apigroups | resources | verb |
|---|---|---|---|
| openshift-monitoring | "" | "serviceaccounts/token" | "create" |
| clusterRole | "config.openshift.io" | "networks", "infrastructures", "clusterversions" | "get", "list" |
Allow the user `user1` to view resources in the `testnamespace` namespace:

```bash
kubectl create rolebinding view-role-binding --clusterrole=view --user=user1 --namespace=testnamespace
```
| namespace/clusterRole | apigroups | resources | verb |
|---|---|---|---|
| testnamespace | "" | "pods" | "delete" |

| namespace/clusterRole | apigroups | resources | verb |
|---|---|---|---|
| testnamespace | "" | "pods", "pods/exec" | "get", "create", "delete" |

| namespace/clusterRole | apigroups | resources | verb |
|---|---|---|---|
| testnamespace | "" | "pods", "pods/exec", "services" | "get", "create", "delete" |
| testnamespace | "apps" | "daemonsets", "statefulsets", "replicasets", "deployments" | "get", "delete" |

| namespace/clusterRole | apigroups | resources | verb |
|---|---|---|---|
| testnamespace | "networking.k8s.io" | "networkpolicies" | "get", "create", "delete" |

| namespace/clusterRole | apigroups | resources | verb |
|---|---|---|---|
| testnamespace | "" | "pods", "pods/exec" | "get", "create", "delete" |

| namespace/clusterRole | apigroups | resources | verb |
|---|---|---|---|
| testnamespace | "" | "pods", "pods/exec" | "get", "create", "delete" |
NOTE: Grant the privileged SCC to the user running the pod in order to execute all of the krkn test scenarios below:

```bash
oc adm policy add-scc-to-user privileged user1
```
| namespace/clusterRole | apigroups | resources | verb |
|---|---|---|---|
| testnamespace | "" | "pods", "pods/exec" | "get", "create", "delete" |
| clusterRole | "" | "nodes", "nodes/proxy" | "list", "get" |

| namespace/clusterRole | apigroups | resources | verb |
|---|---|---|---|
| testnamespace | "" | "pods", "pods/exec" | "get", "create", "delete" |
| testnamespace | "batch" | "jobs" | "get", "delete", "list", "create" |
| clusterRole | "" | "nodes", "nodes/proxy" | "list", "get" |

| namespace/clusterRole | apigroups | resources | verb |
|---|---|---|---|
| testnamespace | "" | "pods", "pods/exec" | "get", "create", "delete" |
| testnamespace | "batch" | "jobs" | "get", "delete", "list", "create" |
| clusterRole | "" | "nodes", "nodes/proxy" | "list", "get" |
| clusterRole | "apiextensions.k8s.io" | "customresourcedefinitions" | "get", "list", "watch" |
| clusterRole | "config.openshift.io" | "networks" | "get" |
## Compounded list of all RBAC rules

| namespace/clusterRole | apigroups | resources | verb |
|---|---|---|---|
| testnamespace | "" | "pods", "pods/exec", "services" | "get", "create", "delete" |
| testnamespace | "batch" | "jobs" | "get", "delete", "list", "create" |
| clusterRole | "" | "nodes", "nodes/proxy" | "list", "get" |
| clusterRole | "apiextensions.k8s.io" | "customresourcedefinitions" | "get", "list", "watch" |
| clusterRole | "config.openshift.io" | "networks", "infrastructures", "clusterversions" | "get", "list" |
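Before binding a compounded rule set like the one above, it is worth checking mechanically that it is neither narrower nor wider than the union of the per-scenario tables. The script below is an added example (not part of the Krkn project or this page); it transcribes the per-scenario tables and the compounded table into rule tuples, applies a simplified Kubernetes RBAC match (`*` wildcards on apiGroups, resources and verbs; subresources such as `pods/exec` matched literally; `resourceNames` and `nonResourceURLs` are not modelled, which is an assumption of this example) and reports grants a scenario needs that the compounded table lacks, as well as grants the compounded table gives that no scenario asked for. Run against the tables as printed on this page, it reports the `openshift-monitoring` token grant, the `apps` workload grants and the `networking.k8s.io` networkpolicy grants as missing from the compounded list, and no over-privilege.

```python
"""Least-privilege check for the Krkn RBAC tables above (added example).

Rule sets are transcribed from the page's tables. The matcher mimics
Kubernetes RBAC semantics for apiGroups/resources/verbs ("*" wildcards,
subresources such as "pods/exec" matched literally). resourceNames and
nonResourceURLs are deliberately not modelled (assumption of this example).
"""
from itertools import product

# A rule is (scope, apiGroups, resources, verbs). scope is a namespace (Role)
# or the literal "clusterRole" (ClusterRole), exactly as the tables label it.
SCENARIO_RULES = [
    # Prometheus / infrastructure queries
    ("openshift-monitoring", ("",), ("serviceaccounts/token",), ("create",)),
    ("clusterRole", ("config.openshift.io",),
     ("networks", "infrastructures", "clusterversions"), ("get", "list")),
    # per-scenario namespace tables
    ("testnamespace", ("",), ("pods",), ("delete",)),
    ("testnamespace", ("",), ("pods", "pods/exec"), ("get", "create", "delete")),
    ("testnamespace", ("",), ("pods", "pods/exec", "services"), ("get", "create", "delete")),
    ("testnamespace", ("apps",),
     ("daemonsets", "statefulsets", "replicasets", "deployments"), ("get", "delete")),
    ("testnamespace", ("networking.k8s.io",), ("networkpolicies",), ("get", "create", "delete")),
    ("clusterRole", ("",), ("nodes", "nodes/proxy"), ("list", "get")),
    ("testnamespace", ("batch",), ("jobs",), ("get", "delete", "list", "create")),
    ("clusterRole", ("apiextensions.k8s.io",), ("customresourcedefinitions",),
     ("get", "list", "watch")),
    ("clusterRole", ("config.openshift.io",), ("networks",), ("get",)),
]

# The "Compounded list of all RBAC rules" table, transcribed as printed.
COMPOUND_RULES = [
    ("testnamespace", ("",), ("pods", "pods/exec", "services"), ("get", "create", "delete")),
    ("testnamespace", ("batch",), ("jobs",), ("get", "delete", "list", "create")),
    ("clusterRole", ("",), ("nodes", "nodes/proxy"), ("list", "get")),
    ("clusterRole", ("apiextensions.k8s.io",), ("customresourcedefinitions",),
     ("get", "list", "watch")),
    ("clusterRole", ("config.openshift.io",),
     ("networks", "infrastructures", "clusterversions"), ("get", "list")),
]


def _matches(allowed, wanted):
    """RBAC list match: exact entry or the "*" wildcard."""
    return "*" in allowed or wanted in allowed


def can_i(rules, scope, group, resource, verb):
    """Would a subject bound to `rules` be allowed `verb` on group/resource in `scope`?

    A ClusterRole rule (scope "clusterRole") applies in every namespace and
    cluster-wide; a namespaced Role rule applies only in its own namespace.
    """
    for r_scope, groups, resources, verbs in rules:
        if r_scope != "clusterRole" and r_scope != scope:
            continue
        if _matches(groups, group) and _matches(resources, resource) and _matches(verbs, verb):
            return True
    return False


def expand(rules):
    """Flatten rule sets into concrete (scope, group, resource, verb) grants."""
    grants = set()
    for scope, groups, resources, verbs in rules:
        for g, r, v in product(groups, resources, verbs):
            grants.add((scope, g, r, v))
    return grants


def missing_from_compound():
    """Grants some per-scenario table needs but the compounded table does not give."""
    return sorted(g for g in expand(SCENARIO_RULES) if not can_i(COMPOUND_RULES, *g))


def extra_in_compound():
    """Grants the compounded table gives that no per-scenario table asked for."""
    return sorted(g for g in expand(COMPOUND_RULES) if not can_i(SCENARIO_RULES, *g))


if __name__ == "__main__":
    for scope, group, resource, verb in missing_from_compound():
        print(f"missing: {scope:22} {group or 'core':22} {resource:28} {verb}")
    print("over-privileged grants:", extra_in_compound())
```

`can_i` is the same question `kubectl auth can-i <verb> <resource> --as=user1 -n testnamespace` answers against a live cluster; keeping the rule sets as data lets the comparison run offline, and `extra_in_compound` is the half of the check that matters for least privilege once the missing rows have been added.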