# RBAC Setup for Expanso

Configure a service account and the RBAC permissions Expanso needs to read cluster data and logs.
## Service Account

Create a dedicated service account for Expanso:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: expanso-edge
  namespace: expanso-system
```
## ClusterRole

Define read-only permissions for logs and cluster state:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: expanso-edge-reader
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "nodes", "namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "statefulsets"]
    verbs: ["get", "list"]
  - apiGroups: ["config.openshift.io"]
    resources: ["clusteroperators"]
    verbs: ["get", "list"]
```
## ClusterRoleBinding

Bind the role to the service account:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: expanso-edge-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: expanso-edge-reader
subjects:
  - kind: ServiceAccount
    name: expanso-edge
    namespace: expanso-system
```
## Apply Configuration

Save all three resources to a single file and apply it:

```bash
# Save to expanso-rbac.yaml
cat > expanso-rbac.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: expanso-edge
  namespace: expanso-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: expanso-edge-reader
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "nodes", "namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "statefulsets"]
    verbs: ["get", "list"]
  - apiGroups: ["config.openshift.io"]
    resources: ["clusteroperators"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: expanso-edge-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: expanso-edge-reader
subjects:
  - kind: ServiceAccount
    name: expanso-edge
    namespace: expanso-system
EOF

# Apply all resources
oc apply -f expanso-rbac.yaml
```
## Verify Permissions

Confirm that the service account has the required permissions by impersonating it with `--as` (this itself requires a user allowed to impersonate service accounts, such as a cluster admin):

```bash
# Check pod read access
oc auth can-i get pods --all-namespaces \
  --as=system:serviceaccount:expanso-system:expanso-edge

# Check log read access
oc auth can-i get pods/log --all-namespaces \
  --as=system:serviceaccount:expanso-system:expanso-edge

# Check node read access
oc auth can-i get nodes \
  --as=system:serviceaccount:expanso-system:expanso-edge

# Check cluster operator access
oc auth can-i get clusteroperators \
  --as=system:serviceaccount:expanso-system:expanso-edge
```

All four commands should print `yes`.
## Permissions Explained

- **pods, pods/log**: Read pod metadata and logs
  - Required for log collection
  - Read-only access across all namespaces
- **nodes**: Read node status and resource usage
  - Required for health monitoring
  - No write access
- **namespaces**: List and read namespaces
  - Required for multi-namespace operations
- **deployments, daemonsets, statefulsets**: Read workload metadata
  - Optional: used for advanced monitoring
  - Can be removed if not needed
- **clusteroperators**: Read OpenShift operator status
  - Required for cluster health monitoring
  - OpenShift-specific resource
## Security Considerations

- **Principle of least privilege**: Expanso only has read access (`get`, `list`, `watch`); no write verbs are granted
- **Cluster-wide access**: The ClusterRole allows reading from all namespaces
  - Required for comprehensive log collection
  - Cannot modify any resources
- **No secrets access**: The role grants no access to `secrets` or `configmaps`, so the service account cannot read them
- **Audit trail**: Every API request the agent makes is recorded in the API server audit log under the identity `system:serviceaccount:expanso-system:expanso-edge`
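The `oc auth can-i` checks above and the least-privilege claims in this section can also be checked offline, before the manifest reaches a cluster. The following is an added example, not Expanso's code: a small evaluator that mirrors how the API server matches a request against RBAC rules (including the `*` wildcard and `*/<subresource>` forms), run against a copy of the `expanso-edge-reader` rules, plus a lint that flags write verbs or secrets/configmaps access.

```python
# Offline evaluator mirroring kube-apiserver RBAC rule matching (apiGroup, resource
# incl. "*/<subresource>", verb, "*" wildcards). Added example, not Expanso code.
EXPANSO_EDGE_READER_RULES = [  # copied from the expanso-edge-reader ClusterRole
    {"apiGroups": [""], "resources": ["pods", "pods/log", "nodes", "namespaces"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets", "statefulsets"],
     "verbs": ["get", "list"]},
    {"apiGroups": ["config.openshift.io"], "resources": ["clusteroperators"],
     "verbs": ["get", "list"]},
]
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

def resource_matches(rule_resources, requested):
    """Kubernetes semantics: "*" or an exact match, or "*/<sub>" for a subresource.
    Note that "pods" alone never grants "pods/log"; that is why both are listed."""
    subresource = requested.partition("/")[2]
    for r in rule_resources:
        if r == "*" or r == requested or (subresource and r == f"*/{subresource}"):
            return True
    return False

def can_i(rules, verb, resource, api_group=""):
    """Answer `oc auth can-i <verb> <resource>` against these rules (no namespace scoping)."""
    for rule in rules:
        if not any(g in ("*", api_group) for g in rule.get("apiGroups", [])):
            continue
        if not resource_matches(rule.get("resources", []), resource):
            continue
        if any(v in ("*", verb) for v in rule.get("verbs", [])):
            return True
    return False

def least_privilege_findings(rules):
    """Flag write/wildcard verbs and secrets, configmaps or all-resource grants."""
    findings = []
    for i, rule in enumerate(rules):
        bad_verbs = sorted(set(rule.get("verbs", [])) & (WRITE_VERBS | {"*"}))
        if bad_verbs:
            findings.append(f"rule {i}: write/wildcard verbs {bad_verbs}")
        for r in rule.get("resources", []):
            if r in ("*", "secrets", "configmaps"):
                findings.append(f"rule {i}: overly broad resource {r!r}")
    return findings

if __name__ == "__main__":
    for verb, res, grp in [("get", "pods/log", ""), ("get", "secrets", ""),
                           ("delete", "pods", ""), ("get", "clusteroperators", "config.openshift.io")]:
        print(f"can-i {verb} {res}: {'yes' if can_i(EXPANSO_EDGE_READER_RULES, verb, res, grp) else 'no'}")
    print("findings:", least_privilege_findings(EXPANSO_EDGE_READER_RULES) or "none")
```

Running it answers `yes` only for the read requests the page expects and reports no findings; feeding it a rule that grants `delete` on `secrets` produces two findings.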
## Namespace-Scoped Alternative

For single-namespace deployments, use a Role and RoleBinding instead of the ClusterRole and ClusterRoleBinding. The example below limits Expanso to pods and pod logs in the `production` namespace; the service account itself still lives in `expanso-system`, which a RoleBinding may reference across namespaces:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: expanso-edge-reader
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: expanso-edge-reader
  namespace: production
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: expanso-edge-reader
subjects:
  - kind: ServiceAccount
    name: expanso-edge
    namespace: expanso-system
```
## Troubleshooting

Permission denied errors:

```bash
# Check the binding and its subjects
oc describe clusterrolebinding expanso-edge-reader

# Verify the service account exists
oc get serviceaccount expanso-edge -n expanso-system

# Check that the pod is using the correct service account
oc get pod -n expanso-system -o yaml | grep serviceAccountName
```
## Next Steps

- Deploy Expanso: use this service account in the deployment
- Collect Logs: start collecting with the permissions configured here
- Best Practices: security recommendations for SNO