Cluster-Scoped Resources

Cluster-scoped resources are Kubernetes resources that are not namespace-scoped and can be used across the cluster. This topic provides details about the cluster-scoped resources in TIBCO Control Plane and data plane. These resources are deployed by default, regardless of whether the Allow cluster scoped permissions option is enabled or disabled. When the Allow cluster scoped permissions option is enabled, additional resources may be deployed.

TIBCO Control Plane

Custom Resource Definitions (CRDs)

Custom Resource Definitions (CRDs) are extensions of the Kubernetes API that define custom resources. They allow you to define and use custom objects in a Kubernetes cluster, effectively creating your own API objects to store and retrieve structured data. CRDs are powerful tools for extending Kubernetes functionality to meet specific application or operational requirements.

The following CRDs are deployed by various operators:

Hybrid Proxy

The following CRD is deployed to enable TIBCO Control Plane access to HTTP APIs of services running in the data plane:

tibcotunnelroutes.cloud.tibco.com

ResourceSet

The following CRDs describe the resources required for subscription or end-user applications, including Namespaces, Network Policies, and RBAC objects:

  • tibcoresourcesets.cloud.tibco.com

  • tibcoresourcesettemplates.cloud.tibco.com

Router

The router operator manages the routing of incoming HTTP requests to backend cloud services. Requests can be external (from the Internet) or internal (from another pod deployed in a data plane).

Router configuration and routing tables use four types of Kubernetes Custom Resources:

  1. TibcoRoute: Defines the mapping between a service and its endpoints (public or private, exposed on various listeners).

  2. TibcoIntercomRule: Defines access restrictions for endpoints published on the intercom listener.

  3. TibcoRouteOverride: Defines listener route overrides. This allows traffic for a given listener to be temporarily proxied or redirected to an external URL (for example, to put an FQDN in maintenance mode).

  4. TibcoClusterEnv: Defines settings for the router. This is used to change internal router settings.

CRDs for Router:

  • tibcoclusterenvs.cloud.tibco.com

  • tibcointercomrules.cloud.tibco.com

  • tibcorouteoverrides.cloud.tibco.com

  • tibcoroutes.cloud.tibco.com

Data Plane

ClusterRoles

ClusterRoles are Kubernetes resources that define a set of permissions across the entire cluster. ClusterRoles can grant access to cluster-wide resources and non-resource endpoints. They are used in combination with ClusterRoleBindings to provide access control at the cluster level.

Two ClusterRoles and one ClusterRoleBinding are created for the service account in the data plane:

  1. <dp-id>-ha-proxy-cluster-scope

  2. dp-<dp-id>

These ClusterRoles grant the data plane components the permissions they need to interact with specific cluster-wide resources.

ClusterRoleBinding

To associate a ClusterRole with a specific service account, a ClusterRoleBinding is used. The following example shows how the dp-<dp-id> ClusterRole is bound to a ServiceAccount:

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dp-<dp-id>
subjects:
- kind: ServiceAccount
  name: <name>
  namespace: <namespace>

This ClusterRoleBinding does the following:

  • It references the ClusterRole with the name dp-<dp-id>.

  • It binds this ClusterRole to the ServiceAccount <name> in the namespace <namespace>.

  • This binding grants the permissions defined in the ClusterRole to the ServiceAccount, allowing it to perform the specified actions across the cluster.

Cluster-Scope Rules

The following rules define the permissions for the cluster-scoped resources in the data plane:

rules:
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - list
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - list
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list

These rules allow specific operations on ingress classes, namespaces, and custom resource definitions.

  • Listing of ingress classes

  • Listing of namespaces

  • Getting and listing of custom resource definitions

These permissions enable the data plane components to gather necessary information about the cluster configuration and available resources.
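As an added example (not part of the TIBCO documentation), the following Python script checks a ClusterRole retrieved as JSON against the cluster-scope rules listed above and reports any grant that falls outside that baseline. The ClusterRole name dp-example and the extra nodes rule in the sample are constructed to show what drift looks like.

```python
"""Audit a data plane ClusterRole against the documented cluster-scope rules.

Added example, not TIBCO code. EXPECTED_RULES is the rule set from the
documentation in JSON form; the sample ClusterRole below is constructed.
"""
import json
from typing import Iterable, List, Set, Tuple

Triple = Tuple[str, str, str]  # (apiGroup, resource, verb)

# Cluster-scope rules documented for the data plane ClusterRole.
EXPECTED_RULES = [
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingressclasses"], "verbs": ["list"]},
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["list"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
     "verbs": ["get", "list"]},
]


def expand(rules: Iterable[dict]) -> Set[Triple]:
    """Flatten RBAC rules into (apiGroup, resource, verb) triples."""
    triples: Set[Triple] = set()
    for rule in rules:
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    triples.add((group, resource, verb))
    return triples


def excess_permissions(clusterrole: dict, expected=EXPECTED_RULES) -> List[Triple]:
    """Return sorted triples the ClusterRole grants beyond the documented baseline.
    Wildcards ("*") are reported verbatim so they stand out in the output."""
    return sorted(expand(clusterrole.get("rules", [])) - expand(expected))


def audit_clusterrole_json(text: str) -> List[Triple]:
    """Audit the JSON produced by `kubectl get clusterrole <name> -o json`."""
    return excess_permissions(json.loads(text))


# Constructed sample: the documented rules plus one rule that is not in the baseline.
SAMPLE_CLUSTERROLE_JSON = json.dumps({
    "kind": "ClusterRole",
    "metadata": {"name": "dp-example"},
    "rules": EXPECTED_RULES + [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["*"]}],
})

if __name__ == "__main__":
    for triple in audit_clusterrole_json(SAMPLE_CLUSTERROLE_JSON):
        print("unexpected grant:", triple)
```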