Kubernetes Permissions for the Armory Agent
Early Access: The information below is written for an Early Access feature. Contact us if you are interested in using this feature! Your feedback will help shape the development of this feature.
Do not use Early Access features in a production instance of Armory Enterprise.
The Agent can use a kubeconfig file loaded as a Kubernetes secret when deploying to a remote cluster. Also, you can configure Agent permissions using a Kubernetes Service Account when deploying to the cluster the Agent resides in.
The Agent should have ClusterRole authorization if you need to deploy pods across your cluster or Role authorization if you deploy pods only to a single namespace.
- If Agent is running in Agent Mode, then the Role is the one attached to the Kubernetes Service Account mounted by the Agent pod.
- If Agent is running in any of the other modes, then the Role is the one the kubeconfigFile uses to interact with the target cluster. kubeconfigFile is configured in kubesvc.yml of the Agent pod.
Example configuration for deploying
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: agent-role
rules:
# apiGroups must be a list; "" is the core API group, which contains pods
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  - pods/finalizers
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: agent-role
rules:
# apiGroups must be a list; "" is the core API group, which contains pods
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  - pods/finalizers
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
See the Quickstart’s Configure permissions section for a complete example that uses
See the Kubernetes Using RBAC Authorization guide for details on configuring
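To check that a deployed role has not drifted beyond the grants shown above, the following added example (not Armory's code) audits the JSON from `kubectl get clusterrole agent-role -o json` against the page's resource and verb list. The function name, the finding categories, and the sample manifest are constructed for illustration.

```python
import json

# Resources and verbs copied from the example Role/ClusterRole on this page.
EXPECTED_RESOURCES = {"pods", "pods/log", "pods/finalizers"}
EXPECTED_VERBS = {"get", "list", "watch", "create", "update", "patch", "delete"}


def audit_role(manifest: dict) -> dict:
    """Report wildcard rules, grants beyond the page's example, and missing grants."""
    wildcards, extra, granted = [], [], set()
    for i, rule in enumerate(manifest.get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        for field, values in (("apiGroups", groups), ("resources", resources), ("verbs", verbs)):
            if "*" in values:
                wildcards.append(f"rules[{i}].{field}")
        # Explicit grants that fall outside the expected set are excess privilege.
        for g in groups:
            for r in resources:
                for v in verbs:
                    if "*" in (g, r, v):
                        continue  # already reported as a wildcard
                    if not (g == "" and r in EXPECTED_RESOURCES and v in EXPECTED_VERBS):
                        extra.append((g, r, v))
        # Record which expected (resource, verb) pairs this rule covers.
        if "" in groups or "*" in groups:
            rs = EXPECTED_RESOURCES if "*" in resources else EXPECTED_RESOURCES & set(resources)
            vs = EXPECTED_VERBS if "*" in verbs else EXPECTED_VERBS & set(verbs)
            granted |= {(r, v) for r in rs for v in vs}
    expected = {(r, v) for r in EXPECTED_RESOURCES for v in EXPECTED_VERBS}
    return {"wildcards": wildcards, "extra": extra, "missing": sorted(expected - granted)}


# Constructed sample: an agent-role that has drifted from the page's example.
SAMPLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "agent-role"},
 "rules": [
  {"apiGroups": [""], "resources": ["pods", "pods/log"],
   "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
  {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
  {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}
 ]}
""")

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE), indent=2))
```

Any entry under `wildcards` or `extra` is privilege the Agent does not need for the pod operations described here; `missing` lists grants whose absence would break those operations.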
Last modified July 14, 2021: (46d0913)