KOTS: Existing Cluster: Conditionally Specify Minimal RBAC


#1

Is there a way to pass requireMinimalRBACPrivileges through the kots install command so it’s only used for particular clients? It seems setting this globally in application.yaml affects all clients and removes snapshotting by default, impairs preflights, etc., but typically we would only need it in a restricted environment like OpenShift.

Is it possible to define this on a per-installation basis?


#2

There is currently no install-time flag to toggle which set of RBAC permissions the KOTS in-cluster components are installed with. The best answer here might be to create two channels, and in your CI process, after a standard release, patch the application.yaml and push the same release to a “Minimal RBAC” or “OpenShift” channel. The end customer can then install with either

kubectl kots install myapp

or

kubectl kots install myapp/openshift

Also, in the case where minimal RBAC is used:

  • Preflights can be run manually by the installing user (prompt in the UI)
  • Snapshots can be enabled after the fact with

    kubectl kots velero ensure-permissions \
      --velero-namespace velero \
      -n <namespace of kotsadm>

Motivation

I believe part of the goal of not having an install-time flag to control RBAC scope is to prevent end users from forcing minimal RBAC when an application does not support it, but I could see a use case for flagging on something like “supportsMinimalRBAC” at the application level without forcing it on for every install. This application-level flag would allow end users to toggle off the cluster-wide RBAC at install time. While I could see the case for this, it is not a planned feature at this time.

Overall we believe that minimizing RBAC scope for the KOTS installation is a best practice, even when the environment does not necessarily require it. We will continue to improve the UX here around doing things that require higher permissions when the KOTS in-cluster components aren’t able to do these things independently.
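The CI patch step suggested in reply #2, sketched as an added example (not code from this thread or from Replicated): it copies a release directory and forces `requireMinimalRBACPrivileges: true` in the copy, leaving the original for the standard channel. The function name `patch_minimal_rbac` and the directory names are hypothetical, and the push to each channel is left to the vendor's own release tooling.

```shell
#!/bin/sh
# Added example: build the "minimal RBAC" variant of a KOTS release
# directory for a second channel. Names are hypothetical.
set -eu

# patch_minimal_rbac SRC_DIR DST_DIR: copy SRC_DIR to DST_DIR and force
# spec.requireMinimalRBACPrivileges: true in the kots.io Application manifest.
# SRC_DIR stays untouched for the standard channel.
patch_minimal_rbac() {
  src=$1; dst=$2; app=""
  rm -rf "$dst"
  cp -R "$src" "$dst"
  # Find the Application manifest by API group and kind, not by file name.
  for f in "$dst"/*.yaml; do
    if grep -qsE '^apiVersion:[[:space:]]*kots\.io/' "$f" &&
       grep -qsE '^kind:[[:space:]]*Application[[:space:]]*$' "$f"; then
      app=$f; break
    fi
  done
  [ -n "$app" ] || { echo "no kots.io Application manifest in $src" >&2; return 1; }
  # Assumes a single-document file with a block-style "spec:" mapping.
  awk '
    /^spec: *$/ { print; in_spec = 1; next }
    /^[^ #]/    { in_spec = 0 }               # reached the next top-level key
    in_spec && !done && /^ +[^ #]/ {          # first child of spec: reuse its indent
      match($0, /^ +/)
      print substr($0, 1, RLENGTH) "requireMinimalRBACPrivileges: true"
      done = 1
    }
    in_spec && /^ +requireMinimalRBACPrivileges:/ { next }   # drop any old value
    { print }
  ' "$app" > "$app.tmp"
  mv "$app.tmp" "$app"
  # Fail the pipeline rather than ship an unpatched variant.
  grep -qE '^ +requireMinimalRBACPrivileges: true$' "$app" || {
    echo "could not patch $app" >&2; return 1; }
  echo "$app"
}

# Constructed sample release directory, so the example runs offline.
demo=$(mktemp -d)
mkdir "$demo/manifests"
printf '%s\n' 'apiVersion: kots.io/v1beta1' 'kind: Application' 'metadata:' \
  '  name: myapp' 'spec:' '  title: My App' > "$demo/manifests/application.yaml"
cat "$(patch_minimal_rbac "$demo/manifests" "$demo/manifests-minimal-rbac")"
# CI would then push the untouched directory to the standard channel and the
# patched copy to the second channel.
```
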