
Creating Cluster Roles
Introduction

Before a user is able to install KubeSlice and begin creating slices, it is recommended to perform the installation with the role of Cluster Admin.

Follow along to create and apply the files required to enable the proper roles for the installation of KubeSlice.

Note
These steps should be followed for all clusters you wish to include in the KubeSlice Slice.

ClusterRole

Creating the clusterrole.yaml File

Create a file named clusterrole.yaml in your working directory, and paste the below contents into the file. This file defines the ClusterRole to be deployed to each Kubernetes cluster.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: avesha-installer-cluster-role
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
 - apiGroups: ["rbac.authorization.k8s.io"]
   resources: ["clusterroles", "roles"]
   verbs: ["create", "bind", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
   resources: ["clusterrolebindings", "rolebindings"]
   verbs: ["create", "delete"]
 - apiGroups: ["networkservicemesh.io"]
   resources:
     - "networkservices"
     - "networkserviceendpoints"
     - "networkservicemanagers"
   verbs: ["*"]
 - apiGroups: ["mesh.avesha.io"]
   resources: ["slice", "slice/finalizers", "slice/status"]
   verbs: ["*"]
 - apiGroups: ["mesh.avesha.io"]
   resources: ["slicegateways", "slicegateways/finalizers", "slicegateways/status"]
   verbs: ["*"]
 - apiGroups: ["apiextensions.k8s.io"]
   resources: ["customresourcedefinitions"]
   verbs: ["*"]
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["create", "get", "list", "update"]
 - apiGroups: [""]
   resources: ["nodes"]
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources: ["configmaps"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["apps"]
   resources: ["daemonsets"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["apps"]
   resources: ["deployments"]
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources: ["services"]
   verbs: ["get", "update", "list", "watch", "create", "patch", "delete"]
 - apiGroups: [""]
   resources: ["endpoints"]
   verbs: ["get", "update", "list", "watch", "create", "patch", "delete"]
 - apiGroups: [""]
   resources: ["namespaces"]
   verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
 - apiGroups: ["networking.k8s.io"]
   resources: ["networkpolicies"]
   verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
 - apiGroups: ["mesh.avesha.io"]
   resources: ["serviceexports", "serviceexports/finalizers", "serviceexports/status"]
   verbs: ["get", "update", "list", "watch", "create", "patch", "delete"]
 - apiGroups: ["mesh.avesha.io"]
   resources: ["serviceimports", "serviceimports/finalizers", "serviceimports/status"]
   verbs: ["get", "update", "list", "watch", "create", "patch", "delete"]
 - apiGroups: ["mesh.avesha.io"]
   resources: ["sliceingresses", "sliceingresses/finalizers", "sliceingresses/status"]
   verbs: ["get", "update", "list", "watch", "create", "patch", "delete"]
 - apiGroups: ["networking.istio.io"]
   resources: ["gateways"]
   verbs: ["get", "update", "list", "watch", "create", "delete"]
 - apiGroups: ["networking.istio.io"]
   resources: ["serviceentries"]
   verbs: ["get", "update", "list", "watch", "create", "delete"]
 - apiGroups: ["networking.istio.io"]
   resources: ["virtualservices"]
   verbs: ["get", "update", "list", "watch", "create", "delete"]

Applying the clusterrole.yaml File

Apply the created clusterrole.yaml file using the below command:

kubectl apply -f clusterrole.yaml
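
The following is an added example, not part of the KubeSlice documentation: a short Python audit that reads a ClusterRole in the JSON form returned by kubectl get clusterrole avesha-installer-cluster-role -o json and flags what a reviewer would check before applying it: wildcard verbs, the bind and escalate verbs, write access to bindings, and the aggregate-to-* labels, which merge these rules into the built-in admin and edit ClusterRoles. The embedded manifest is an excerpt of the file above; the function and finding names are this example's own.

```python
import json

# Excerpt of the ClusterRole above, as JSON (constructed sample; the live object
# comes from `kubectl get clusterrole avesha-installer-cluster-role -o json`).
SAMPLE = json.loads("""
{"kind": "ClusterRole",
 "metadata": {"name": "avesha-installer-cluster-role", "labels": {
   "rbac.authorization.k8s.io/aggregate-to-admin": "true",
   "rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
 "rules": [
  {"apiGroups": ["rbac.authorization.k8s.io"],
   "resources": ["clusterroles", "roles"], "verbs": ["create", "bind", "delete"]},
  {"apiGroups": ["rbac.authorization.k8s.io"],
   "resources": ["clusterrolebindings", "rolebindings"], "verbs": ["create", "delete"]},
  {"apiGroups": ["apiextensions.k8s.io"],
   "resources": ["customresourcedefinitions"], "verbs": ["*"]},
  {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]}
""")

RBAC_GROUP = "rbac.authorization.k8s.io"
AGG_PREFIX = RBAC_GROUP + "/aggregate-to-"
WRITE_VERBS = {"create", "update", "patch", "delete", "*"}

def audit(role):
    """Return (finding, detail) pairs; names are this example's own (hypothetical)."""
    findings = []
    labels = role.get("metadata", {}).get("labels") or {}
    # Aggregation labels only take effect on ClusterRoles: the rules are merged
    # into the named built-in role and reach every subject bound to it.
    if role.get("kind") == "ClusterRole":
        for key in sorted(labels):
            if key.startswith(AGG_PREFIX) and labels[key] == "true":
                findings.append(("aggregated-into", key[len(AGG_PREFIX):]))
    for rule in role.get("rules") or []:
        groups = set(rule.get("apiGroups") or [])
        verbs = set(rule.get("verbs") or [])
        resources = rule.get("resources") or []
        detail = ",".join(resources)
        if "*" in verbs:
            findings.append(("wildcard-verbs", detail))
        if groups & {RBAC_GROUP, "*"}:
            # bind/escalate let the subject grant permissions it does not hold.
            if verbs & {"bind", "escalate", "*"}:
                findings.append(("rbac-escalation-verb", detail))
            if verbs & WRITE_VERBS and any(r.endswith("bindings") for r in resources):
                findings.append(("binding-write", detail))
    return findings

if __name__ == "__main__":
    for finding, detail in audit(SAMPLE):
        print(f"{finding:22} {detail}")
```

On a live cluster, kubectl auth can-i --list --as=<username> shows the permissions the bound user actually ends up with.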

ClusterRoleBinding

Creating the clusterrolebinding.yaml File

Create a file named clusterrolebinding.yaml in your working directory, and paste the below contents into the file. This file defines the ClusterRoleBinding to be deployed to each Kubernetes cluster. All fields below should remain the same except for the subjects: name: segment.

Note
For IBM IKS, the subjects: name: value should reflect: IAM#<username>. All others will simply use <username> for the subjects: name: value.

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: avesha-installer-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: avesha-installer-cluster-role
subjects:
  - kind: User
    name: <username> | IAM#<username>

Applying the clusterrolebinding.yaml File

Note
Make sure to replace <username> | IAM#<username> (IBM IKS) before applying the above configuration!

Apply the filled-in clusterrolebinding.yaml file using the below command:

kubectl apply -f clusterrolebinding.yaml

InstallerRole

Creating the installerrole.yaml File

Create a file named installerrole.yaml in your working directory, and paste the below contents into the file. This file defines the InstallerRole to be deployed to each Kubernetes cluster.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: avesha-installer-role
  namespace: avesha-system
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "update", "list", "watch", "create", "patch", "delete"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "update", "list", "watch", "create", "patch", "delete"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "update", "list", "watch", "create", "patch", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: ["apps"]
    resources: ["daemonsets"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]

Applying the installerrole.yaml File

Apply the created installerrole.yaml file using the below command:

kubectl apply -f installerrole.yaml

InstallerRoleBinding

Creating the installerrolebinding.yaml File

Create a file named installerrolebinding.yaml in your working directory, and paste the below contents into the file. This file defines the InstallerRoleBinding to be deployed to each Kubernetes cluster. All fields below should remain the same except for the subjects: name: segment.

Note
For IBM IKS, the subjects: name: value should reflect: IAM#<username>. All others will simply use <username> for the subjects: name: value.

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: avesha-installer-role-binding
  namespace: avesha-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: avesha-installer-role
subjects:
  - kind: User
    name: <username> | IAM#<username>


Applying the installerrolebinding.yaml File

Note
Make sure to replace <username> | IAM#<username> (IBM IKS) before applying the above configuration!

Apply the filled-in installerrolebinding.yaml file using the below command:

kubectl apply -f installerrolebinding.yaml

Note
You have successfully created the necessary cluster roles to allow a non-admin to install KubeSlice.

Next Steps

Next, you will visit the KubeSlice account signup page to retrieve the API key and Token required to get started. Great Work!

