Default DevWorkspace cluster permissions

This document outlines the permissions that are provisioned for the DevWorkspace ServiceAccount by default. The Role attached to the workspace ServiceAccount is defined in rbac.go. It is a namespaced Role with no resourceNames restriction, so each rule applies to every matching object in the workspace namespace: anything running with the workspace ServiceAccount's token can read and modify all Secrets and ConfigMaps in that namespace, not only its own, and can exec into any pod there. As a regular Kubernetes Role definition, it is:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workspace
rules:
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  - extensions
  resources:
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - create
  - patch
  - update
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - create
  - patch
  - update
  - delete
- apiGroups:
  - workspace.devfile.io
  resources:
  - devworkspaces
  verbs:
  - get
  - watch
  - list
  - patch
  - update
- apiGroups:
  - controller.devfile.io
  resources:
  - devworkspaceroutings
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - workspace.devfile.io
  resources:
  - devworkspacetemplates
  verbs:
  - get
  - create
  - patch
  - update
  - delete
  - list
  - watch

Additional permissions can be bound to the DevWorkspace ServiceAccount as follows:

  1. Find the DevWorkspace ID for the DevWorkspace in question. This is available on the .status.devworkspaceId field in the object, which can be obtained using jq:
    DEVWORKSPACE_ID=$(kubectl get devworkspaces <workspace-name> -o json | jq -r '.status.devworkspaceId')
    The ServiceAccount created for the DevWorkspace will be named ${DEVWORKSPACE_ID}-sa.
  2. Create a rolebinding to attach a custom role to the workspace service account:
    NAMESPACE=<workspace namespace>
    cat << EOF | kubectl apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: workspace-${DEVWORKSPACE_ID}-custom-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: <custom role name>
    subjects:
    - kind: ServiceAccount
      name: ${DEVWORKSPACE_ID}-sa
      namespace: $NAMESPACE
    EOF
    where <workspace namespace> is the namespace of the workspace and <custom role name> is the name of the Role to be bound to the DevWorkspace's ServiceAccount. Because roleRef.kind is Role, that Role must exist in the same namespace as the RoleBinding.

In order to grant permissions to all workspaces in a given namespace, the RoleBinding can instead bind to all ServiceAccounts in the namespace:

NAMESPACE=<workspace namespace>
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devworkspace-custom-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: <custom role name>
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:$NAMESPACE
EOF

Note, however, that this binds the role to every ServiceAccount in that namespace, including the default ServiceAccount used by pods that do not specify one and any ServiceAccounts belonging to other applications running there. Prefer the per-workspace binding above when the additional permissions are sensitive.
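The two binding forms above, put together as an added example script that is not part of the DevWorkspace Operator repository: it renders either the per-workspace RoleBinding or the namespace-wide one from the same function, applies the per-workspace form, and then verifies the grant by asking the API server to evaluate RBAC as the workspace ServiceAccount with kubectl auth can-i --as. The role name workspace-extra, the namespace dev-ns and the workspace ID workspace0a1b2c in the usage comments are placeholders; only the rendering functions run without a cluster.

```shell
#!/bin/sh
# Added example, not code from the DevWorkspace Operator repository.
# Renders a RoleBinding for one workspace ServiceAccount ("sa" mode) or for
# every ServiceAccount in a namespace ("group" mode), applies it, and checks
# the grant with `kubectl auth can-i --as`. Placeholders: role
# "workspace-extra", namespace "dev-ns". Only the rendering needs no cluster.
set -eu

# The operator names a workspace's ServiceAccount "<devworkspaceId>-sa".
devworkspace_sa_name() {
    printf '%s-sa\n' "$1"
}

# Read .status.devworkspaceId for a workspace (needs kubectl, jq, a cluster).
# jq -e turns a missing/null ID into a non-zero exit instead of the string "null".
devworkspace_id() {
    kubectl -n "$1" get devworkspaces "$2" -o json | jq -er '.status.devworkspaceId'
}

# render_binding MODE NAMESPACE ROLE [DEVWORKSPACE_ID]
#   sa    -> subject is the single ServiceAccount <id>-sa (least privilege)
#   group -> subject is system:serviceaccounts:<ns>, i.e. every ServiceAccount
#            in the namespace, including "default"
render_binding() {
    local mode=$1 ns=$2 role=$3 id=${4:-} name subject
    case "$mode" in
        sa)
            [ -n "$id" ] || { echo "render_binding: sa mode needs a DevWorkspace ID" >&2; return 1; }
            name="workspace-${id}-custom-binding"
            subject=$(printf '%s\n' "- kind: ServiceAccount" \
                "  name: $(devworkspace_sa_name "$id")" "  namespace: $ns")
            ;;
        group)
            name="devworkspace-custom-binding"
            subject=$(printf '%s\n' "- apiGroup: rbac.authorization.k8s.io" \
                "  kind: Group" "  name: system:serviceaccounts:$ns")
            ;;
        *)
            echo "render_binding: unknown mode '$mode' (use sa|group)" >&2
            return 1
            ;;
    esac
    # metadata.namespace is set explicitly so the binding never lands in
    # whatever namespace the current kubeconfig context happens to select.
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $name
  namespace: $ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $role
subjects:
$subject
EOF
}

# bind_workspace NAMESPACE WORKSPACE ROLE VERB RESOURCE
# Applies the per-workspace binding, then asks the API server whether the
# workspace ServiceAccount may now perform VERB on RESOURCE. Impersonating
# system:serviceaccount:<ns>:<name> evaluates the real RBAC decision rather
# than our reading of the manifest; `can-i` exits non-zero on "no", which
# `set -e` turns into a failed script.
bind_workspace() {
    local ns=$1 workspace=$2 role=$3 verb=$4 resource=$5 id sa
    id=$(devworkspace_id "$ns" "$workspace")
    sa=$(devworkspace_sa_name "$id")
    render_binding sa "$ns" "$role" "$id" | kubectl apply -f -
    kubectl -n "$ns" auth can-i "$verb" "$resource" \
        --as "system:serviceaccount:${ns}:${sa}"
}

# Usage: sh bind-workspace.sh <namespace> <workspace> <role> <verb> <resource>
# e.g.   sh bind-workspace.sh dev-ns my-workspace workspace-extra list services
# Nothing below runs when the file is sourced or invoked without arguments.
if [ $# -ge 5 ]; then
    bind_workspace "$1" "$2" "$3" "$4" "$5"
fi
```

Pick the verb and resource for the verification step from the custom Role, not from the default one (for example, get on configmaps is already granted by the default Role and would answer "yes" regardless of the new binding).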

For more information on creating RoleBindings, see RoleBinding and ClusterRoleBinding in the Kubernetes documentation.