
RBAC

Most rules required to operate your vCluster are automatically generated by enabling resource syncing.

Note: When enabled, the following config fields may adjust the default rules:

Disable RBAC

In environments with strict controls where users cannot create service accounts, you can configure vCluster to use a managed service account. An administrator is then responsible for managing the Role, RoleBinding, ClusterRole, ClusterRoleBinding, and ServiceAccount resources. After you create these, update vcluster.yaml to disable RBAC creation and configure the control plane to use the managed ServiceAccount:

controlPlane:
  advanced:
    serviceAccount:
      name: custom-vc-sa
rbac:
  role:
    enabled: false
  clusterRole:
    enabled: false

Alternatively, you can disable only ClusterRole creation, since many users lack the permissions required to create ClusterRole resources:

rbac:
  clusterRole:
    enabled: false

Extra Rules

Configure extra rules for cases where the automatically generated rules, plugin rules, and genericSync rules are insufficient. extraRules should rarely be needed; this example shows how to use them.

rbac:
  role:
    enabled: true
    extraRules:
      - apiGroups: [""]
        resources: ["pods/status", "pods/ephemeralcontainers"]
        verbs: ["patch", "update"]

Overwrite Rules

For finer control, use overwriteRules to discard the automatically generated rules entirely. You are then responsible for enumerating every rule that vCluster and its plugins need to operate. This can be a more convenient way to manage permissions: the vCluster Helm chart still creates the Role, RoleBinding, and ServiceAccount, while you keep complete control over the rules. This example disables the ClusterRole and configures specific namespace permissions.

rbac:
  role:
    enabled: true
    overwriteRules:
      - apiGroups: [""]
        resources: ["pods/status", "pods/ephemeralcontainers"]
        verbs: ["patch", "update"]
  clusterRole:
    enabled: false
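The difference between the Extra Rules and Overwrite Rules sections above is easy to get wrong in review, so here is an added example (not vCluster's own code) that models how the rbac.role fields combine with the generated rules, evaluates the result the way RBAC does, and lints it for wildcard grants. The generated rules, the Python dicts standing in for vcluster.yaml, and the simplified matcher are all constructed assumptions; real RBAC additionally honours resourceNames and subresource globs.

```python
from typing import Optional

# Constructed stand-in for the rules vCluster generates from resource syncing
# (not the real defaults; used only to show how the config fields combine).
GENERATED_RULES = [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["get", "list", "watch", "create", "delete"]},
    {"apiGroups": [""], "resources": ["configmaps", "secrets"],
     "verbs": ["get", "list", "watch"]},
]

# rbac.role blocks mirroring the three vcluster.yaml snippets on this page.
DISABLED_CFG = {"enabled": False}
EXTRA_CFG = {"enabled": True, "extraRules": [
    {"apiGroups": [""], "resources": ["pods/status", "pods/ephemeralcontainers"],
     "verbs": ["patch", "update"]}]}
OVERWRITE_CFG = {"enabled": True, "overwriteRules": [
    {"apiGroups": [""], "resources": ["pods/status", "pods/ephemeralcontainers"],
     "verbs": ["patch", "update"]}]}


def effective_rules(role_cfg: dict, generated=GENERATED_RULES) -> Optional[list]:
    """Rules the Role would carry, or None when vCluster creates no Role at all."""
    if not role_cfg.get("enabled", True):
        return None
    if role_cfg.get("overwriteRules"):
        # overwriteRules replace the generated rules completely.
        return list(role_cfg["overwriteRules"])
    # extraRules are appended to the generated rules.
    return list(generated) + list(role_cfg.get("extraRules", []))


def permits(rules: list, api_group: str, resource: str, verb: str) -> bool:
    """Simplified RBAC evaluation: any single rule matching all three parts allows it.
    Ignores resourceNames and 'pods/*' style subresource globs (assumption)."""
    for rule in rules:
        groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
        if (api_group in groups or "*" in groups) and \
           (resource in resources or "*" in resources) and \
           (verb in verbs or "*" in verbs):
            return True
    return False


def overbroad_grants(rules: list) -> list:
    """Least-privilege lint: report any rule that uses a wildcard."""
    return [f"{key} wildcard in {rule}" for rule in rules
            for key in ("apiGroups", "resources", "verbs") if "*" in rule.get(key, [])]
```

Run permits() against the actions your sync configuration needs before switching to overwriteRules: with the overwrite snippet above, the Role no longer permits plain pod reads, which is exactly the kind of gap you are expected to enumerate yourself.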

Config reference

rbac (required, object, pro)
  RBAC options for the virtual cluster.

  role (required, object, pro)
    Role holds the virtual cluster Role configuration.

    enabled (required, boolean, pro)
      Enabled defines whether the Role should be enabled or disabled.

    extraRules (required, object[], pro)
      ExtraRules adds rules to the Role.

    overwriteRules (required, object[], pro)
      OverwriteRules overwrites the Role rules completely.

  clusterRole (required, object, pro)
    ClusterRole holds the virtual cluster ClusterRole configuration.

    enabled (required, string|boolean, pro)
      Enabled defines whether the ClusterRole should be enabled or disabled. If set to auto, vCluster automatically determines whether the virtual cluster requires a ClusterRole.

    extraRules (required, object[], pro)
      ExtraRules adds rules to the ClusterRole.

    overwriteRules (required, object[], pro)
      OverwriteRules overwrites the ClusterRole rules completely.