Creating ClusterRole and ClusterRoleBinding

When the Allow cluster scoped permissions option is disabled, you must manually create the cluster-scoped ClusterRole and ClusterRoleBinding resources. The cpdpproxy component uses HAProxy, which needs a ClusterRole. For a multi-namespace data plane, the ClusterRole is also required to scrape metrics from other namespaces. These steps must be performed before registering a data plane, or before upgrading an existing data plane, in which cluster scoped permissions are disabled.

For a single-namespace data plane

Permissions included in this ClusterRole

The ClusterRole provides HAProxy with essential cluster-scoped permissions:

  • IngressClasses: List all ingress classes for routing configuration

  • Namespaces: List all namespaces for multi-tenant routing

  • CustomResourceDefinitions: Get/list CRDs for extended functionality

Procedure
  1. Export the required variables for your data plane configuration:

    export SERVICE_ACCOUNT_NAME="tibco-dp-sa"       # ServiceAccount from your chart
    export NAMESPACE="tibco-dp-prod"                # Dataplane Namespace 
  2. Create the ClusterRole. This step creates a ClusterRole with permissions required by HAProxy.

    kubectl apply -f - <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: dataplane-cluster-role
    rules:
      - apiGroups: ["networking.k8s.io"]
        resources: ["ingressclasses"]
        verbs: ["list"]
      - apiGroups: [""]
        resources: ["namespaces"]
        verbs: ["list"]
      - apiGroups: ["apiextensions.k8s.io"]
        resources: ["customresourcedefinitions"]
        verbs: ["get", "list"]
    EOF
    
  3. Create the ClusterRoleBinding. This step creates a ClusterRoleBinding that binds the ServiceAccount to the ClusterRole. Several ServiceAccounts can be listed as subjects of the same binding, so a single ClusterRole and its corresponding ClusterRoleBinding can be shared by several data planes.

    kubectl apply -f - <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: dataplane-cluster-rolebinding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: dataplane-cluster-role
    subjects:
    - kind: ServiceAccount
      name: ${SERVICE_ACCOUNT_NAME}
      namespace: ${NAMESPACE}
    EOF
    

For a multi-namespace data plane

Permissions included in this ClusterRole

The ClusterRole provides HAProxy and Observability components with essential cluster-scoped permissions:

HAProxy:

  • IngressClasses: List all ingress classes for routing configuration

  • Namespaces: List all namespaces for multi-tenant routing

  • CustomResourceDefinitions: Get/list CRDs for extended functionality

Observability:

  • Pods: List/get/watch pods across all namespaces

  • Namespaces: List/get/watch namespaces across all namespaces

  • Namespaces/Status: List/get/watch namespace status across all namespaces

  • Services: List/get/watch services across all namespaces (included in the ClusterRole below)

Procedure
  1. Export the required variables for your data plane configuration.

    export SERVICE_ACCOUNT_NAME="tibco-dp-sa"       # ServiceAccount from your chart
    export NAMESPACE="tibco-dp-prod"                # Dataplane Namespace / Secondary Namespace
  2. Create the ClusterRole. This step creates a ClusterRole with the permissions required by HAProxy and the Observability components.

    kubectl apply -f - <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: dataplane-cluster-role
    rules:
      # HaProxy
      - apiGroups: ["networking.k8s.io"]
        resources: ["ingressclasses"]
        verbs: ["list"]
      - apiGroups: [""]
        resources: ["namespaces"]
        verbs: ["list"]
      - apiGroups: ["apiextensions.k8s.io"]
        resources: ["customresourcedefinitions"]
        verbs: ["get", "list"]
      # Observability
      - apiGroups: [""]
        resources: ["namespaces", "pods", "namespaces/status", "services"]
        verbs: ["list", "get", "watch"]
    EOF
    
  3. Create the ClusterRoleBinding. This step creates a ClusterRoleBinding that binds the ServiceAccount to the ClusterRole. Several ServiceAccounts can be listed as subjects of the same binding, so a single ClusterRole and its corresponding ClusterRoleBinding can be shared by several data planes.

    kubectl apply -f - <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: dataplane-cluster-rolebinding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: dataplane-cluster-role
    subjects:
    - kind: ServiceAccount
      name: ${SERVICE_ACCOUNT_NAME}
      namespace: ${NAMESPACE}
    EOF
    

Example: Adding a new Data Plane (when cluster scope permissions are disabled)

When you deploy a new data plane, add its ServiceAccount as a subject of the existing ClusterRoleBinding and reuse the existing ClusterRole rather than creating another one.

# Export variables for the new data plane
export NEW_DATAPLANE_SA="tibco-dp-sa"           # ServiceAccount from your chart
export NEW_DATAPLANE_NS="tibco-dp-test"         # Dataplane Namespace
export CLUSTER_ROLE_BINDING_NAME="dataplane-cluster-rolebinding"

# Add to existing ClusterRoleBinding
kubectl patch clusterrolebinding ${CLUSTER_ROLE_BINDING_NAME} --type='json' -p="[
  {
    \"op\": \"add\",
    \"path\": \"/subjects/-\",
    \"value\": {
      \"kind\": \"ServiceAccount\",
      \"name\": \"${NEW_DATAPLANE_SA}\",
      \"namespace\": \"${NEW_DATAPLANE_NS}\"
    }
  }
]"
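The patch above appends to `/subjects/-` unconditionally, so running the registration step twice leaves a duplicate subject in the binding. The following script is an added example (not part of the product documentation) that checks for an existing subject before patching and then verifies, by impersonating the ServiceAccount, that the binding from step 3 grants exactly the documented reads and nothing more. It assumes kubectl is on PATH with cluster-admin access; the binding, namespace and ServiceAccount names are the page's sample values.

```shell
#!/bin/sh
# Added example, not from the product documentation. Assumes kubectl on PATH
# with cluster-admin access and the ClusterRoleBinding created as in step 3.

# subject_exists KIND NAMESPACE NAME
# Reads "kind/namespace/name" lines on stdin and succeeds only on an exact
# line match (-F: fixed string, -x: whole line, -q: no output).
subject_exists() {
  grep -qxF "$1/$2/$3"
}

# list_subjects BINDING -> one "kind/namespace/name" line per subject
list_subjects() {
  kubectl get clusterrolebinding "$1" \
    -o jsonpath='{range .subjects[*]}{.kind}/{.namespace}/{.name}{"\n"}{end}'
}

# add_dataplane_subject BINDING NAMESPACE SERVICEACCOUNT
# The JSON-patch "add" to /subjects/- appends unconditionally, so a repeated
# registration would leave duplicate subjects; check first to stay idempotent.
add_dataplane_subject() {
  binding="$1"; ns="$2"; sa="$3"
  if list_subjects "$binding" | subject_exists ServiceAccount "$ns" "$sa"; then
    echo "ServiceAccount $ns/$sa is already bound to $binding"
    return 0
  fi
  kubectl patch clusterrolebinding "$binding" --type=json -p="[
    {\"op\": \"add\", \"path\": \"/subjects/-\",
     \"value\": {\"kind\": \"ServiceAccount\", \"name\": \"$sa\", \"namespace\": \"$ns\"}}
  ]"
}

# verify_dataplane_rbac NAMESPACE SERVICEACCOUNT
# Impersonates the ServiceAccount: the documented reads must be allowed, and a
# cluster-wide write the ClusterRole never grants must be denied
# (kubectl auth can-i exits 0 for "yes" and 1 for "no").
verify_dataplane_rbac() {
  who="system:serviceaccount:$1:$2"
  kubectl auth can-i list ingressclasses.networking.k8s.io --as="$who" || return 1
  kubectl auth can-i list namespaces --as="$who" || return 1
  kubectl auth can-i get customresourcedefinitions.apiextensions.k8s.io --as="$who" || return 1
  ! kubectl auth can-i delete pods --all-namespaces --as="$who"
}

# Usage (not executed when this file is sourced):
#   add_dataplane_subject dataplane-cluster-rolebinding tibco-dp-test tibco-dp-sa
#   verify_dataplane_rbac tibco-dp-test tibco-dp-sa
```

If the final check in verify_dataplane_rbac fails, the ServiceAccount holds a cluster-wide write permission that this page's ClusterRole does not grant, and the other bindings for that account should be reviewed.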