
Sample setup KOBIL Shift operator deployment using predefined SA

This document describes additional steps required to deploy KOBIL Shift operator when

  • the deployment service account (service account used for deploying the Shift operator helm chart) does not have cluster admin rights but only namespace admin rights and
  • the roles assigned to the service account running Shift operator shall be as restrictive as possible.

Install the servicegroups.shift.kobil.com CustomResourceDefinition (CRD)

This step must be performed by the cluster admin.

This step needs to be performed only once, before the initial deployment of Shift operator, and again whenever the CRD changes.

Fetch and extract the Shift operator helm chart using the command

helm fetch kobil/shift-operator --untar

Install the CRD using the command

kubectl apply -f ./shift-operator/crds/shift.kobil.com.yaml

Create cluster role for the CRD and assign it to the deployment user

These steps must be performed by the cluster admin.

These steps need to be performed only once, before the initial deployment of Shift operator.

Create a cluster role with the following content:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ks-shift-operator
rules:
  - apiGroups:
      - shift.kobil.com
    resources:
      - '*'
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch

Then assign the cluster role to the deployment service account. In the following command, replace

  • <name> with the name of the deployment service account and
  • <namespace> with the name of the namespace where the deployment service account resides.

kubectl create clusterrolebinding ks-shift-operator --clusterrole=ks-shift-operator --serviceaccount <namespace>:<name>

Create Service Account for the Shift operator and assign required roles

These steps can be performed by the deployment service account.

In the following commands, replace <namespace> with the name of the namespace where Shift and Shift operator will be deployed.

Create service account for the Shift operator.

kubectl -n <namespace> create serviceaccount shift-operator

Create the roles required by Shift operator service account:

kubectl -n <namespace> apply -f roles-operator.yaml
kubectl -n <namespace> apply -f roles-helm-deployment.yaml
kubectl -n <namespace> apply -f roles-for-granting.yaml

  • roles-operator.yaml contains a role with name shift-operator-operator and the permissions required by Shift operator for managing the custom resources from api group shift.kobil.com (ServiceGroups). This file is part of the Shift operator helm chart release.
  • roles-helm-deployment.yaml contains a role with name shift-operator-helm and the permissions required by Shift operator for deploying the Shift components helm charts. This file is part of a Shift helm chart release.
  • roles-for-granting.yaml contains a role with name shift-operator-grant and the permissions required by the service accounts that are created for the individual Shift components. The Shift operator service account must hold these permissions itself in order to grant them to the service accounts it creates (Kubernetes RBAC only lets a principal grant permissions it already holds). This file is part of a Shift helm chart release.

Bind the roles created above to the Shift operator service account:

kubectl -n <namespace> create rolebinding shift-operator-operator --role=shift-operator-operator --serviceaccount <namespace>:shift-operator
kubectl -n <namespace> create rolebinding shift-operator-helm --role=shift-operator-helm --serviceaccount <namespace>:shift-operator
kubectl -n <namespace> create rolebinding shift-operator-grant --role=shift-operator-grant --serviceaccount <namespace>:shift-operator

The deployment service account is able to create the roles and role bindings above because every permission they contain is already included in the default namespace admin role or in the cluster role ks-shift-operator created in the first step.
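As an added check that is not part of the KOBIL documentation, the following script audits the outcome of the steps above with kubectl auth can-i: the shift-operator service account should be able to work with ServiceGroups inside its namespace but hold no cluster-wide rights. It assumes the namespace is called shift (override with NS), that the CRD resource name is servicegroups.shift.kobil.com, and that the caller (normally the cluster admin) may impersonate service accounts; the negative checks are a starting list, not an exhaustive one.

```shell
#!/bin/sh
# Audit the effective permissions of the shift-operator service account.
# NS and the resource name are assumptions; adjust them to your deployment.
set -u

NS="${NS:-shift}"
SA="system:serviceaccount:${NS}:shift-operator"

# can_i VERB RESOURCE [NAMESPACE]
# Prints "yes" or "no" as reported by kubectl; without NAMESPACE the check
# is cluster-wide (--all-namespaces), which is what must come back "no".
can_i() {
  verb="$1"; resource="$2"; ns="${3:-}"
  if [ -n "$ns" ]; then
    kubectl auth can-i "$verb" "$resource" -n "$ns" --as="$SA" 2>/dev/null
  else
    kubectl auth can-i "$verb" "$resource" --all-namespaces --as="$SA" 2>/dev/null
  fi
}

# expect WANT VERB RESOURCE [NAMESPACE]: returns 0 when kubectl agrees.
expect() {
  want="$1"; shift
  got="$(can_i "$@" || true)"   # kubectl exits 1 on "no"; keep going
  if [ "$got" = "$want" ]; then
    printf 'ok    %-3s %s %s %s\n' "$want" "$1" "$2" "${3:-(cluster-wide)}"
    return 0
  fi
  printf 'FAIL  want %s got %s for %s %s %s\n' "$want" "$got" "$1" "$2" "${3:-(cluster-wide)}"
  return 1
}

# Returns the number of mismatches, so 0 means the binding looks right.
audit() {
  failures=0
  # Granted by roles-operator.yaml: namespace-scoped access to ServiceGroups
  expect yes get servicegroups.shift.kobil.com "$NS" || failures=$((failures + 1))
  expect yes watch servicegroups.shift.kobil.com "$NS" || failures=$((failures + 1))
  # Must not be held: cluster-wide CRD access, CRD/RBAC management,
  # and reading secrets in other namespaces
  expect no list servicegroups.shift.kobil.com || failures=$((failures + 1))
  expect no create customresourcedefinitions || failures=$((failures + 1))
  expect no create clusterrolebindings || failures=$((failures + 1))
  expect no get secrets kube-system || failures=$((failures + 1))
  return "$failures"
}
```

Run it as a user that holds the impersonate verb (the cluster admin); a non-zero exit code from audit lists each permission that deviates from the intended least-privilege setup.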

Deploy Shift operator

These steps can be performed by the deployment service account.

Add the following parameters to your custom shift-operator-values.yaml to ensure that the service account shift-operator prepared in the previous steps is used and that the chart does not try to create its own RBAC objects.

pod:
  serviceAccount:
    create: false
    name: "shift-operator"
rbac:
  create: false

Deploy Shift operator using the following command. The flag --skip-crds instructs helm to skip installation of the CustomResourceDefinition, which would require cluster admin permissions.

helm install shift-operator -f shift-operator-values.yaml kobil/shift-operator --skip-crds