Enabling cross-namespace association restrictions
This feature is disabled by default. To enable it, start the operator with the --enforce-rbac-on-refs flag.
This feature only enforces access control for resources deployed across two different namespaces. Associations between resources deployed in the same namespace are still allowed.
Once enabled, associations are allowed as long as the ServiceAccount specified in the associated resource can execute HTTP GET requests against the referenced Elasticsearch object.
ECK automatically removes any association that does not have the required access rights. If you have existing associations, do not enable this feature before creating the required Roles and RoleBindings as described in the following sections, otherwise those associations are removed.
First, create a ClusterRole that allows HTTP GET requests against Elasticsearch objects:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: elasticsearch-association
rules:
- apiGroups:
  - elasticsearch.k8s.elastic.co
  resources:
  - elasticsearches
  verbs:
  - get
Then, create a ServiceAccount in the namespace of the associated resource, and a RoleBinding in the Elasticsearch namespace, to allow any resource using that ServiceAccount to associate with the Elasticsearch cluster:

> kubectl create serviceaccount associated-resource-sa -n associated-resource-ns

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-associated-resource-from-remote-namespace
  namespace: elasticsearch-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: elasticsearch-association
subjects:
- kind: ServiceAccount
  name: associated-resource-sa
  namespace: associated-resource-ns
Finally, set the serviceAccountName field in the associated resource to specify which ServiceAccount is used to create the association:

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: associated-resource
  namespace: associated-resource-ns
spec:
  ...
  elasticsearchRef:
    name: "elasticsearch-sample"
    namespace: "elasticsearch-ns"
  # Service account used by this resource to get access to an Elasticsearch cluster
  serviceAccountName: associated-resource-sa
In the above example, associated-resource can be of any Kind that requires an association to be created (for example Kibana or the APMServer). You can find a complete example in the ECK GitHub repository.
If serviceAccountName is not set, ECK uses the ServiceAccount called default.

The associated resource associated-resource is now allowed to create an association with any Elasticsearch cluster in the namespace elasticsearch-ns.
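The following is an added example, not ECK's own code: an offline model of the decision the operator makes under --enforce-rbac-on-refs, using the ClusterRole and RoleBinding from this page as constructed data. It shows why the RoleBinding's namespace, the subject's namespace and the default ServiceAccount fallback each decide whether an association is kept or removed.

```python
# Constructed copies of the page's ClusterRole and RoleBinding (not a live cluster).
CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "elasticsearch-association"},
    "rules": [{"apiGroups": ["elasticsearch.k8s.elastic.co"],
               "resources": ["elasticsearches"], "verbs": ["get"]}],
}
ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "allow-associated-resource-from-remote-namespace",
                 "namespace": "elasticsearch-ns"},
    "roleRef": {"kind": "ClusterRole", "name": "elasticsearch-association"},
    "subjects": [{"kind": "ServiceAccount", "name": "associated-resource-sa",
                  "namespace": "associated-resource-ns"}],
}

def rule_allows(rule, group, resource, verb):
    """Match one RBAC rule; '*' is the usual wildcard."""
    def match(values, want):
        return "*" in values or want in values
    return (match(rule["apiGroups"], group) and match(rule["resources"], resource)
            and match(rule["verbs"], verb))

def can_get_elasticsearch(sa_namespace, sa_name, es_namespace, roles, bindings):
    """True if the ServiceAccount may GET an Elasticsearch object in es_namespace."""
    subject = {"kind": "ServiceAccount", "name": sa_name, "namespace": sa_namespace}
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    for rb in bindings:
        # A RoleBinding only grants access inside its own namespace.
        if rb["metadata"]["namespace"] != es_namespace:
            continue
        # The subject must match by name AND namespace.
        if subject not in rb["subjects"]:
            continue
        role = roles_by_name.get(rb["roleRef"]["name"])
        if role and any(rule_allows(r, "elasticsearch.k8s.elastic.co", "elasticsearches", "get")
                        for r in role["rules"]):
            return True
    return False

def check_association(resource_namespace, service_account_name, es_ref_namespace):
    """Mirror the operator's decision for an elasticsearchRef.
    Same-namespace associations are not checked; an unset serviceAccountName means 'default'."""
    if resource_namespace == es_ref_namespace:
        return True
    sa = service_account_name or "default"
    return can_get_elasticsearch(resource_namespace, sa, es_ref_namespace,
                                 [CLUSTER_ROLE], [ROLE_BINDING])
```

On a real cluster the equivalent check is `kubectl auth can-i get elasticsearches.elasticsearch.k8s.elastic.co -n elasticsearch-ns --as=system:serviceaccount:associated-resource-ns:associated-resource-sa`.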