RBAC in Tanzu Build Service

Page last updated:

Given that Tanzu Build Service supports functionality most customers would likely want to restrict to only certain users, we encourage utilization of RBAC as a best practice if Tanzu Build Service is to be broadly deployed for usage by many users.

RBAC using Projects Operator

Projects Operator can be installed on the cluster to simplify RBAC management.

Projects Operator extends kubernetes with a Project CRD and corresponding controller. Projects are intended to provide isolation of kubernetes resources on a single kubernetes cluster. A Project is essentially a kubernetes namespace along with a corresponding set of RBAC rules.

As part of the Projects Operator installation, you can specify the ClusterRole to apply for each Project using the CLUSTER_ROLE_REF environment variable. The TBS installation comes with a ClusterRole called build-service-user-role which can be used for this purpose.

RBAC Support in Tanzu Build Service

Tanzu Build Service is installed with 2 Kubernetes ClusterRoles that can be used for RBAC for Build Service users and admins:

  • build-service-user-role
  • build-service-admin-role

Build Service User Role

This should be used for users that will create Images and Builds.

To view the configuration for this role:

kubectl get clusterrole build-service-user-role -o yaml

To use this ClusterRole you should create a RoleBinding with an existing user.

Example:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-build-service-user-role-binding
  namespace: my-build-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: build-service-user-role
subjects:
- kind: User
  name: my-user

Build Service Admin Role

This should be used for admin users that will operate Tanzu Build Service.

To view the configuration for this role:

kubectl get clusterrole build-service-admin-role -o yaml

To use this ClusterRole you should create a RoleBinding or ClusterRoleBinding with an existing user.

Example:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-build-service-admin-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: build-service-admin-role
subjects:
- kind: User
  name: my-cluster-wide-admin-user