Rio can be configured and used in a multi-tenant environment while providing the best practices for security.
This section requires basic knowledge of Kubernetes RBAC. To learn more about RBAC, go here.
By default Rio creates four roles
rio-standard. Detailed permissions can be found in here.
To create a binding from one of the roles to your user and group in default namespace:
apiVersion: rbac.authorization.k8s.io/v1 # This role binding allows "jane" to have rio admin access in the "default" namespace. kind: RoleBinding metadata: name: rio-admin namespace: default subjects: - kind: User name: jane # Name is case sensitive apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: rio-admin apiGroup: rbac.authorization.k8s.io
Note: Pre-defined roles are experimental and subject to change.
Rio by default restricts users without admin permissions from deploying containers with insecure parameters. This is done by implementing a validatingMutationWebhook.
The following fields are protected by default:
- Enable and disable sidecar injection
- Privileged containers
To enable a user to have these permissions, the following verbs must be granted on a role that is bound with the user:
For example, to create a role with permission to launch privileged containers:
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: default name: run-privileged rules: - apiGroups: ["rio.cattle.io"] resources: ["services"] verbs: ["create", "update", "delete", "rio-privileged"]
Then follow the previous example to bind the user to this role.