Kubernetes Permissions for the Armory Agent

Kubernetes permissions required by the Armory Agent.

Permissions

The Agent can use a kubeconfig file loaded as a Kubernetes secret when deploying to a remote cluster. Also, you can configure Agent permissions using a Kubernetes Service Account when deploying to the cluster the Armory Agent resides in.

The Agent should have ClusterRole authorization if you need to deploy pods across your cluster or Role authorization if you deploy pods only to a single namespace.

If Agent is running in Agent Mode, then the ClusterRole or Role is the one attached to the Kubernetes Service Account mounted by the Armory Agent pod.
If Agent is running in any of the other modes, then the ClusterRole or Role is the one the kubeconfigFile uses to interact with the target cluster. kubeconfigFile is configured in armory-agent.yml of the Armory Agent pod.

Example configuration for deploying Pod manifests:

ClusterRole
Role

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: agent-role
rules:
- apiGroups: ""
  resources:
  - pods
  - pods/log
  - pods/finalizers  
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: agent-role
rules:
- apiGroups: ""
  resources:
  - pods
  - pods/log
  - pods/finalizers  
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete

See the Install the Armory Agent Service Using Kubectl for a complete example that uses ClusterRole, ClusterRoleBinding, and ServiceAccount.

See the Kubernetes Using RBAC Authorization guide for details on configuring ClusterRole and Role authorization.

Feedback

Was this page helpful?

Thank you for letting us know!

Sorry to hear that. Please tell us how we can improve.

Last modified August 4, 2022: (256b89fe)