Authorize users and groups to claim from provisioner-based classes

This Services Toolkit topic for service operators explains how you configure access control so that the required users and groups have authorization to claim from provisioner-based classes.

By default, only users with cluster-admin privileges are authorized to create claims for provisioner-based classes. This is because creating claims for provisioner-based classes creates new service instances, all of which consume resources and might incur monetary cost. As such, you might want to configure some form of access control.

The one exception is that, by default, users with the app-operator user role are authorized to create claims for the provisioner-based classes that are part of the Bitnami Services package. For how to deactivate this default behavior, see Revoke default authorization for claiming from the Bitnami Services classes later in this topic.

Access control is implemented through standard Kubernetes Role-Based Access Control (RBAC) with the use of the custom verb claim. You must create a rule in a ClusterRole that specifies the claim verb for one or more clusterinstanceclasses, and then bind the ClusterRole, with a ClusterRoleBinding, to the users, groups, or user roles that you want to authorize to create claims for those classes. Because claim is not a built-in API verb, a rule that grants it permits nothing beyond the claim check itself; the subject still needs ordinary permissions on the ClassClaim resources it creates. This approach is particularly effective when paired with Tanzu Application Platform’s aggregated user roles. For more information about user roles in Tanzu Application Platform, see Role descriptions.

Authorize all users with the app-operator user role to claim from any namespace

Create a ClusterRole with a rule that specifies the claim verb for one or more ClusterInstanceClass resources, and label it so that it aggregates into the app-operator user role.

For example:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: app-operator-claim-class-bigcorp-rabbitmq
  labels:
    apps.tanzu.vmware.com/aggregate-to-app-operator-cluster-access: "true"
rules:
- apiGroups:
  - services.apps.tanzu.vmware.com
  resources:
  - clusterinstanceclasses
  resourceNames:
  - bigcorp-rabbitmq
  verbs:
  - claim

This example specifies a ClusterRole that permits claiming from a class named bigcorp-rabbitmq. The example also includes the apps.tanzu.vmware.com/aggregate-to-app-operator-cluster-access: "true" label, which causes this ClusterRole to aggregate to Tanzu Application Platform’s app-operator user role at the cluster scope.

The result is that any user who has the app-operator role is now authorized to claim from the bigcorp-rabbitmq class. Unlike the per-user example that follows, no additional namespace-level binding is needed here, because the app-operator user role already includes permission to create the ClassClaim resources themselves.

Authorize a user to claim from a specific namespace

Create a ClusterRole with a rule that specifies the claim verb for one or more ClusterInstanceClass resources, and a ClusterRoleBinding that binds it to the user. The restriction to a specific namespace comes from a second, namespaced Role and RoleBinding that allow the user to create ClassClaim resources only in that namespace.

For example:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: claim-class-bigcorp-rabbitmq
rules:
- apiGroups:
  - services.apps.tanzu.vmware.com
  resources:
  - clusterinstanceclasses
  resourceNames:
  - bigcorp-rabbitmq
  verbs:
  - claim

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: alice-claim-class-bigcorp-rabbitmq
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: claim-class-bigcorp-rabbitmq
subjects:
- kind: User
  name: "alice@example.com"
  apiGroup: rbac.authorization.k8s.io

This example specifies a ClusterRole that permits claiming from a class named bigcorp-rabbitmq. The YAML also creates a ClusterRoleBinding that binds the user alice@example.com to the ClusterRole.

The result is that alice@example.com is now authorized to claim from the bigcorp-rabbitmq class.

The user alice@example.com still needs permission to create ClassClaims in each namespace from which they want to consume the service; without it, the claim verb alone grants nothing usable.

The following example gives alice@example.com permission to get, create, update, or delete ClassClaims in the apps namespace:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: create-class-claim-example
  namespace: apps
rules:
- apiGroups:
  - services.apps.tanzu.vmware.com
  resources:
  - classclaims
  verbs:
  - get
  - create
  - update
  - delete

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rbac-role-binding-role-binding
  namespace: apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: create-class-claim-example
subjects:
- kind: User
  name: "alice@example.com"
  apiGroup: rbac.authorization.k8s.io
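The two examples above (the aggregated app-operator rule and the per-user ClusterRoleBinding plus namespaced Role) combine in one RBAC decision, and it is easy to get a half-configured result: a user with the claim verb but no ClassClaim permission, or ClassClaim permission in the wrong namespace. The following is an added example, not Services Toolkit code, that replays the page's manifests through a small offline model of the Kubernetes authorizer so you can see which binding answers which check. Everything not on the page is an assumption: the aggregated ClusterRole is called app-operator-cluster-access and is bound to a group named app-operator, bob@example.com is a member of that group, and the claim check is evaluated as a cluster-scoped request.

```python
"""Offline model of the RBAC decision behind the claim verb.

Added example; it is not Services Toolkit code. The manifests below are
the page's own YAML examples rewritten as Python dicts. Assumptions, not
from the page: the aggregated ClusterRole is named
app-operator-cluster-access and is bound to a Kubernetes group named
app-operator; the claim check is evaluated as a cluster-scoped request.
"""
SVC = "services.apps.tanzu.vmware.com"
AGG_LABEL = "apps.tanzu.vmware.com/aggregate-to-app-operator-cluster-access"
CLAIM_RULE = {"apiGroups": [SVC], "resources": ["clusterinstanceclasses"],
              "resourceNames": ["bigcorp-rabbitmq"], "verbs": ["claim"]}

# Constructed manifests mirroring the page's examples (dicts instead of YAML).
CLUSTER_ROLES = [
    # Assumed aggregating role: its effective rules are the union of every
    # ClusterRole carrying the selector label, as the controller-manager does.
    {"name": "app-operator-cluster-access",
     "aggregationRule": {"matchLabels": {AGG_LABEL: "true"}}, "rules": []},
    {"name": "app-operator-claim-class-bigcorp-rabbitmq",
     "labels": {AGG_LABEL: "true"}, "rules": [CLAIM_RULE]},
    {"name": "claim-class-bigcorp-rabbitmq", "rules": [CLAIM_RULE]},
]
ROLES = {("apps", "create-class-claim-example"): [
    {"apiGroups": [SVC], "resources": ["classclaims"],
     "verbs": ["get", "create", "update", "delete"]}]}
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "app-operator-cluster-access",
     "subjects": [("Group", "app-operator")]},            # assumed binding
    {"roleRef": "claim-class-bigcorp-rabbitmq",
     "subjects": [("User", "alice@example.com")]},
]
ROLE_BINDINGS = [
    {"namespace": "apps", "roleRef": ("Role", "create-class-claim-example"),
     "subjects": [("User", "alice@example.com")]},
]


def effective_cluster_rules(cluster_roles=CLUSTER_ROLES):
    """Resolve aggregationRule: {name: rules} with label-selected rules merged."""
    out = {}
    for cr in cluster_roles:
        rules = list(cr.get("rules", []))
        sel = cr.get("aggregationRule", {}).get("matchLabels", {})
        if sel:
            for other in cluster_roles:
                labels = other.get("labels", {})
                if other is not cr and all(labels.get(k) == v for k, v in sel.items()):
                    rules += other.get("rules", [])
        out[cr["name"]] = rules
    return out


def rule_allows(rule, verb, api_group, resource, name):
    """One PolicyRule; an absent or empty resourceNames matches every object."""
    hit = lambda field, x: "*" in rule.get(field, []) or x in rule.get(field, [])
    if not (hit("verbs", verb) and hit("apiGroups", api_group)
            and hit("resources", resource)):
        return False
    names = rule.get("resourceNames")
    return not names or name in names


def subject_bound(subjects, user, groups):
    return any((k == "User" and n == user) or (k == "Group" and n in groups)
               for k, n in subjects)


def can_i(user, groups, verb, api_group, resource, name="", namespace=""):
    """Approximate a SubjectAccessReview: ClusterRoleBindings apply to every
    request; RoleBindings only to requests inside their own namespace."""
    crs = effective_cluster_rules()
    for crb in CLUSTER_ROLE_BINDINGS:
        if subject_bound(crb["subjects"], user, groups) and any(
                rule_allows(r, verb, api_group, resource, name)
                for r in crs.get(crb["roleRef"], [])):
            return True
    for rb in ROLE_BINDINGS:
        if rb["namespace"] != namespace or not subject_bound(rb["subjects"], user, groups):
            continue
        kind, ref = rb["roleRef"]
        rules = ROLES.get((namespace, ref), []) if kind == "Role" else crs.get(ref, [])
        if any(rule_allows(r, verb, api_group, resource, name) for r in rules):
            return True
    return False


def can_claim(user, groups, class_name):
    """The claim-verb check on a ClusterInstanceClass (cluster scope, assumed)."""
    return can_i(user, groups, "claim", SVC, "clusterinstanceclasses", class_name)


def can_create_classclaim(user, groups, namespace):
    """The ordinary create check on ClassClaim objects in a namespace."""
    return can_i(user, groups, "create", SVC, "classclaims", namespace=namespace)


if __name__ == "__main__":
    alice = ("alice@example.com", [])
    bob = ("bob@example.com", ["app-operator"])        # group membership assumed
    print(can_claim(*alice, "bigcorp-rabbitmq"))       # True, via the ClusterRoleBinding
    print(can_claim(*alice, "other-class"))            # False, resourceNames does not match
    print(can_create_classclaim(*alice, "apps"))       # True, via the RoleBinding in apps
    print(can_create_classclaim(*alice, "dev"))        # False, no binding in dev
    print(can_claim(*bob, "bigcorp-rabbitmq"))         # True, via aggregation into app-operator
```

The model only reproduces the parts of the authorizer this page relies on (verb, apiGroup, resource, resourceNames, aggregation by label, and binding scope). On a live cluster, run the equivalent checks with kubectl auth can-i, for example kubectl auth can-i claim clusterinstanceclasses/bigcorp-rabbitmq --as alice@example.com and kubectl auth can-i create classclaims --namespace apps --as alice@example.com; both must answer yes before alice@example.com can consume the service from the apps namespace.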

Revoke default authorization for claiming from the Bitnami Services classes

By default, users with the app-operator user role are authorized to create claims for the provisioner-based classes which are part of the Bitnami Services package.

To revoke this authorization:

  1. Add the following to your tap-values.yaml file:

    bitnami_services:
      globals:
        create_clusterroles: false
    
  2. Update Tanzu Application Platform by running:

    tanzu package installed update tap -p tap.tanzu.vmware.com --values-file tap-values.yaml -n tap-install
    

The result is that users who have only the app-operator role are no longer authorized to create claims for any of the Bitnami Services classes in any namespace on the cluster. Any claim permissions you grant through your own ClusterRoles, as described earlier in this topic, are unaffected.
