
Commit 0bee184

Improve ServiceAccount impersonation docs
Signed-off-by: Matheus Pimenta <[email protected]>
1 parent ed13203 commit 0bee184

File tree

1 file changed

+35
-9
lines changed


docs/spec/v1/kustomizations.md

Lines changed: 35 additions & 9 deletions
Original file line number | Diff line number | Diff line change
@@ -867,15 +867,41 @@ section.
867867

868868
When both `.spec.kubeConfig` and
869869
[`.spec.serviceAccountName`](#service-account-reference) are specified,
870-
the controller will impersonate the ServiceAccount on the target cluster,
871-
i.e. a ServiceAccount with name `.spec.serviceAccountName` must exist in
872-
the target cluster inside a namespace with the same name as the namespace
873-
of the Kustomization. For example, if the Kustomization is in the namespace
874-
`apps` of the cluster where Flux is running, then the ServiceAccount
875-
must be in the `apps` namespace of the target remote cluster, and have the
876-
name `.spec.serviceAccountName`. In other words, the namespace of the
877-
Kustomization must exist both in the cluster where Flux is running
878-
and in the target remote cluster where Flux will apply resources.
870+
the controller will impersonate the ServiceAccount in the target cluster.
871+
The ServiceAccount must have the necessary RBAC permissions to perform
872+
the operations associated with the Kustomization.
873+
874+
Example of RoleBinding in the target cluster granting the `admin` ClusterRole
875+
in a *namespaced* fashion (scoped to the `rbac-namespace` namespace):
876+
877+
```yaml
878+
apiVersion: rbac.authorization.k8s.io/v1
879+
kind: RoleBinding
880+
metadata:
881+
name: admin
882+
# This namespace DOES NOT have to match the Kustomization namespace.
883+
# It can be ANY namespace existing in the TARGET cluster.
884+
namespace: rbac-namespace
885+
roleRef:
886+
apiGroup: rbac.authorization.k8s.io
887+
kind: ClusterRole # Can be either Role or ClusterRole for RoleBinding.
888+
name: admin
889+
subjects:
890+
# This ServiceAccount MUST exist in the TARGET cluster,
891+
# but its namespace MUST match the Kustomization namespace
892+
# in the SOURCE cluster, i.e. the same namespace has to
893+
# exist in both clusters.
894+
- apiGroup: rbac.authorization.k8s.io
895+
kind: ServiceAccount
896+
name: apps-sa
897+
namespace: apps
898+
```
899+
900+
Depending on the permissions required for applying the manifests in the
901+
[source](#source-reference), you can create RoleBinding objects like the
902+
above in multiple/any namespaces of the target cluster. This includes the
903+
[target namespace](#target-namespace) of the Kustomization. You can also
904+
create ClusterRoleBindings if needed (they can only bind ClusterRoles).
879905

880906
#### Secret-based authentication
881907
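Review bot: the ServiceAccount entry under `subjects:` sets `apiGroup: rbac.authorization.k8s.io`, which the API server rejects for `kind: ServiceAccount` subjects (that apiGroup is only valid for `User` and `Group` subjects; ServiceAccount subjects must omit `apiGroup` or leave it empty), so readers who copy the example as written will hit a validation error on `kubectl apply`. Drop the `apiGroup` line so the subject reads `- kind: ServiceAccount`, `name: apps-sa`, `namespace: apps`. Since the example binds the built-in `admin` ClusterRole, which also lets the subject create further Roles and RoleBindings in that namespace, the sentence "The ServiceAccount must have the necessary RBAC permissions" would benefit from one clause saying that `admin` is illustrative and that the binding should be scoped to the resources and verbs the manifests in the source actually need.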
