Docker Community Forums


Enable rbac.authorization.k8s.io for kube-apiserver


(Tdovan) #1

By default, the kube-apiserver does not have the rbac.authorization.k8s.io
I’m trying to activate the rbac.authorization.k8s.io/v1=true. Do you know how to enable this?

--runtime-config=admissionregistration.k8s.io/v1alpha1,rbac.authorization.k8s.io/v1=false,rbac.authorization.k8s.io/v1beta1=false
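Added example, not part of the original post or of Docker's or Kubernetes' code: a small Python parser for the runtime-config value quoted above, reporting which versions of an API group the flag explicitly switches on or off. The function names are hypothetical; it assumes a key with no `=value` counts as enabled and, as a simplification, accepts only `true`/`false` as values.

```python
# Added example: audit a kube-apiserver runtime-config value for one API group.

def parse_runtime_config(value):
    """Return {"group/version": bool} for each comma-separated entry.

    Assumption: a key with no "=value" is treated as enabled.
    Simplification: only true/false (any case) are accepted as values.
    """
    entries = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, raw = item.partition("=")
        key, raw = key.strip(), raw.strip().lower()
        if not sep:
            entries[key] = True
        elif raw in ("true", "false"):
            entries[key] = raw == "true"
        else:
            raise ValueError(f"invalid boolean for {key!r}: {raw!r}")
    return entries


def group_status(entries, group):
    """Return {version: bool} for the entries that belong to `group`."""
    status = {}
    for key, enabled in entries.items():
        g, _, version = key.rpartition("/")
        if g == group and version:
            status[version] = enabled
    return status


def rbac_api_disabled(flag_value):
    """True when the flag lists RBAC API versions and every one is off."""
    status = group_status(parse_runtime_config(flag_value),
                          "rbac.authorization.k8s.io")
    return bool(status) and not any(status.values())


# The flag value quoted in the first post of this thread.
POSTED = ("admissionregistration.k8s.io/v1alpha1,"
          "rbac.authorization.k8s.io/v1=false,"
          "rbac.authorization.k8s.io/v1beta1=false")

if __name__ == "__main__":
    print(group_status(parse_runtime_config(POSTED), "rbac.authorization.k8s.io"))
    print("RBAC API explicitly disabled:", rbac_api_disabled(POSTED))
```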


(Vivek Saraswat) #2

Hi tdovan, this is the default Kubernetes RBAC, correct? This cannot be enabled in this version of UCP, as UCP uses its own RBAC system. In the future, we are assessing how to add Kube default RBAC compatibility.


(Wsitscorpid) #3

Hi @vsaraswat, can you share what info you have on the progress of this? Is there a Docker EE roadmap which talks to providing default Kubernetes RBAC support?

Not having the rbac.authorization.k8s.io API within the Docker EE platform is quite restrictive. One can’t deploy any Helm charts with RBAC enabled.

One is also not able to deploy any of the new Kubernetes Operators. The Operators all construct their own custom APIs as well as associated roles. This again is done through the rbac.authorization.k8s.io API.

As an example, the Oracle/MySQL-Operator has four different roles and sets of permissions. This would require a bit of effort to translate into the Docker EE roles/grants and will require future testing whenever updated. This kind of customization defeats the purpose of the Operator Framework.


(Docana) #4

Any updates on this?