Add an working example for rbac.md.

Signed-off-by: Xun Jiang <jxun@vmware.com>
vmware-tanzu · Oct 8, 2023 · 0a53bff · 0a53bff
1 parent b7cc62d
commit 0a53bff
Showing 1 changed file with 46 additions and 5 deletions.
diff --git a/site/content/docs/main/rbac.md b/site/content/docs/main/rbac.md
@@ -9,9 +9,9 @@ By default Velero runs with an RBAC policy of ClusterRole `cluster-admin`. This
 
 For more information about RBAC and access control generally in Kubernetes, see the Kubernetes documentation about [access control][1], [managing service accounts][2], and [RBAC authorization][3].
 
-## Set up Roles and RoleBindings
+## Set up restricted RBAC permissions setting
 
-Here's a sample Role and RoleBinding pair.
+Here's a sample restricted permission setting.
 
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -28,22 +28,63 @@ rules:
       - "*"
     resources:
       - "*"
-```
-
-```yaml
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: ROLEBINDING_NAME_HERE
+  namespace: YOUR_NAMESPACE_HERE
 subjects:
   - kind: ServiceAccount
     name: YOUR_SERVICEACCOUNT_HERE
 roleRef:
   kind: Role
   name: ROLE_NAME_HERE
   apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: velero-clusterrole
+rules:
+- apiGroups: 
+  - ""
+  resources:
+  - persistentvolumes
+  - namespaces
+  verbs:
+  - '*'
+- apiGroups: 
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - list
+- apiGroups:
+  - 'apiextensions.k8s.io'
+  resources:
+  - 'customresourcedefinitions'
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: velero-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: velero-clusterrole
+subjects:
+  - kind: ServiceAccount
+    name: YOUR_SERVICEACCOUNT_HERE
+    namespace: YOUR_NAMESPACE_HERE
 ```
 
+You can add more permissions into the `Role` setting according the need.
+`velero-clusterrole` ClusterRole is verified to work in most cases.
+`Namespaces` resource permission is needed to create namespace during restore. If you don't need that, the `create` permission can be removed, but `list` and `get` permissions of `Namespaces` resource is still needed, because Velero needs to know whether the namespace it's assigned exists in the cluster.
+
 [1]: https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/
 [2]: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
 [3]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/