RBAC support (#812)

Bregor · vdice · commit 567705b5391a · 2017-05-31T14:12:01.000-06:00
Adds RBAC support for Workflow, see also: - deis/builder#513 - deis/controller#1292 - deis/fluentd#96 - deis/monitor#195 - deis/router#344
diff --git a/charts/workflow/values.yaml b/charts/workflow/values.yaml
@@ -68,6 +68,13 @@ global:
   # In case of CNI you can not use `hostPort` notation due to https://github.com/kubernetes/kubernetes/issues/23920
   # registry_proxy_bind_addr: "80"
 
+  # Enable usage of RBAC authorization mode
+  #
+  # Valid values are:
+  # - true: all RBAC-related manifests will be installed (in case your cluster supports RBAC)
+  # - false: no RBAC-related manifests will be installed
+  use_rbac: false
+
 
 s3:
   # Your AWS access key. Leave it empty if you want to use IAM credentials.
diff --git a/src/installing-workflow/index.md b/src/installing-workflow/index.md
@@ -19,6 +19,28 @@ Client: &version.Version{SemVer:"v2.1.3", GitCommit:"5cbc48fb305ca4bf68c26eb8d2a
 Server: &version.Version{SemVer:"v2.1.3", GitCommit:"5cbc48fb305ca4bf68c26eb8d2a7eb363227e973", GitTreeState:"clean"}
 ```
 
+### Check Your Authorization
+
+If your cluster uses [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) for authorization, `helm` will need to be granted the necessary permissions to create Workflow resources.
+This can be done with the following commands:
+
+```
+$ kubectl create sa tiller-deploy -n kube-system
+$ kubectl create clusterrolebinding helm --clusterrole=cluster-admin --serviceaccount=kube-system:tiller-deploy
+$ helm init --service-account=tiller-deploy
+```
+
+If `helm` is already installed in cluster without sufficient rights, the only way for now is to reinstall it:
+
+```
+$ kubectl delete deployment tiller-deploy -n kube-system
+$ kubectl create sa tiller-deploy -n kube-system
+$ kubectl create clusterrolebinding helm --clusterrole=cluster-admin --serviceaccount=kube-system:tiller-deploy
+$ helm init --service-account=tiller-deploy
+```
+
+**Note**: Specific `helm` permissions haven't been sorted yet and details may change (watch `helm` [docs](https://github.com/kubernetes/helm/tree/master/docs))
+
 ## Choose Your Deployment Strategy
 
 Deis Workflow includes everything it needs to run out of the box. However, these defaults are aimed at simplicity rather than
diff --git a/src/managing-workflow/production-deployments.md b/src/managing-workflow/production-deployments.md
@@ -62,9 +62,22 @@ deis-router Deployment to run more than one router pod. This can be accomplished
 `kubectl --namespace=deis scale --replicas=2 deployment/deis-router`
 
 ## Using on-cluster registry with CNI
+
 If you are using [CNI](https://github.com/containernetworking/cni) for managing container network, you cannot use `hostPort` notation due to [this issue](https://github.com/kubernetes/kubernetes/issues/23920).
 In this case you could enable CNI for `deis-registry-proxy` by setting `use_cni` variable to `true` inside `values.yaml` or by adding `--set global.use_cni=true` to `helm`'s args.
 
+## Running Workflow with RBAC
+
+If your cluster has [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) amongst your [authorization](https://kubernetes.io/docs/admin/authorization/) modes (`$ kubectl api-versions` should contains `rbac.authorization.k8s.io`) it may be necessary to enable RBAC in Workflow.
+This can be achieved by setting `use_rbac` in the `global` section of `values.yaml` to `true`, or by adding `--set=global.use_rbac=true` to the `$ helm install/upgrade` command.
+RBAC support was announced in Kubernetes-1.5 and is enabled by default if:
+- your Kubernetes cluster is in GKE
+- your Kubernetes cluster built with [kubeadm](https://kubernetes.io/docs/getting-started-guides/kubeadm/)
+
+**Note**: helm may need to be given [specific permissions][helm specific permissions] under RBAC if not already done.
+
+**Attention**: Azure ACS Kubernetes clusters are not RBAC-enabled for today due to lack in authentication strategy. Feel free to watch this [PR](https://github.com/kubernetes/kubernetes/pull/43987) for more details.
+
 [configuring object storage]: ../installing-workflow/configuring-object-storage.md
 [customizing controller]: tuning-component-settings.md#customizing-the-controller
 [customizing monitor]: tuning-component-settings.md#customizing-the-monitor
@@ -74,3 +87,4 @@ In this case you could enable CNI for `deis-registry-proxy` by setting `use_cni`
 [platform ssl]: platform-ssl.md
 [registry]: ../understanding-workflow/components.md#registry
 [security considerations]: security-considerations.md
+[helm specific permissions]: ../installing-workflow/index.md#check-your-authorization
