Documentation
This is the documentation for the latest development version of Cartographer. Both code and docs may be unstable and these docs are not guaranteed to be up to date or correct. See the latest version.
Authentication
Owner Permissions
Cartographer does not create the objects described by a blueprint's templates with the controller's own identity; it stamps them out using a service account, and that service account must be permitted all actions (read, create, update, patch and delete) on every GVK (group/version/kind) the templates produce. Which service account is used follows the rules below, in order of precedence: a service account named on the owner (Workload/Deliverable) wins, then the blueprint's serviceAccountRef, and finally the default service account of the owner's namespace.
Per namespace service account
The operator provides only a name for the service account, not a namespace; Cartographer looks that name up in the namespace of the owner. The operator must therefore ensure that a service account with that name and sufficient privileges exists in every developer namespace that uses the blueprint, since an owner in a namespace without it cannot have its objects stamped. Because the account lives in the developer namespace, its permissions can be granted with a namespaced RoleBinding, which keeps one namespace's workloads from acting on another's.
The developer can still override the service account name.
---
kind: ClusterSupplyChain|ClusterDelivery
spec:
  serviceAccountRef:
    name: "operator-chosen-name"
    namespace: # not provided
---
kind: Workload|Deliverable
metadata:
  namespace: my-developer-ns
spec:
  serviceAccountName: # not provided
The selected service account is:
---
kind: ServiceAccount
metadata:
  name: operator-chosen-name
  namespace: my-developer-ns
Single service account
The operator provides a full reference (name and namespace) to a single service account that is shared by every owner using the blueprint, whatever namespace the owner is in. The operator need only provision that one account with sufficient privileges, but because it must act in every developer namespace its permissions are effectively cluster-wide (a ClusterRoleBinding, or a RoleBinding in each namespace), and every developer's objects are stamped with the same identity. Of the options on this page it has the largest blast radius if that account's token leaks.
The developer can still override the service account name.
---
kind: ClusterSupplyChain|ClusterDelivery
spec:
  serviceAccountRef:
    name: operator-chosen-name
    namespace: operator-chosen-namespace
---
kind: Workload|Deliverable
metadata:
  namespace: my-developer-ns
spec:
  serviceAccountName: # not provided
The selected service account is:
---
kind: ServiceAccount
metadata:
  name: operator-chosen-name
  namespace: operator-chosen-namespace
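The two operator-provided layouts above differ mainly in how the account's permissions are bound. The manifests below are an added example, not taken from the Cartographer project: they define one ClusterRole with the permissions a blueprint's templates need and then bind it once per namespace (per namespace service account) and once cluster-wide (single service account). The GVKs are an assumption made for illustration, a blueprint whose templates stamp out a Flux GitRepository, a kpack Image and a Knative Service; the ClusterRole name supply-chain-stamper is likewise hypothetical. Replace the rules with whatever your own templates actually emit.

```yaml
# Added example (not part of the Cartographer docs): RBAC for the service
# account Cartographer uses to stamp out a blueprint's objects.
# Assumed for illustration: templates that create Flux GitRepository,
# kpack Image and Knative Service objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: supply-chain-stamper   # hypothetical name
rules:
  - apiGroups: [source.toolkit.fluxcd.io]
    resources: [gitrepositories]
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [kpack.io]
    resources: [images]
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [serving.knative.dev]
    resources: [services]
    verbs: [get, list, watch, create, update, patch, delete]
---
# Per namespace service account: the ClusterRole is bound with a
# namespaced RoleBinding, so operator-chosen-name in my-developer-ns can
# act only inside my-developer-ns. Repeat this ServiceAccount/RoleBinding
# pair in every developer namespace the blueprint should serve.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: operator-chosen-name
  namespace: my-developer-ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: supply-chain-stamper
  namespace: my-developer-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: supply-chain-stamper
subjects:
  - kind: ServiceAccount
    name: operator-chosen-name
    namespace: my-developer-ns
---
# Single service account: one account in an operator-owned namespace,
# bound cluster-wide. Every Workload/Deliverable in every namespace then
# stamps with this identity, so a ClusterRoleBinding is required and a
# leaked token for this account is usable across the whole cluster.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: operator-chosen-name
  namespace: operator-chosen-namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: supply-chain-stamper-all-namespaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: supply-chain-stamper
subjects:
  - kind: ServiceAccount
    name: operator-chosen-name
    namespace: operator-chosen-namespace
#
# Check the result before pointing a blueprint at the account, e.g.:
#   kubectl auth can-i create images.kpack.io -n my-developer-ns \
#     --as=system:serviceaccount:my-developer-ns:operator-chosen-name
# For the per-namespace binding, confirm the same query answers "no" for
# a namespace the RoleBinding does not cover.
```

Binding a ClusterRole through a RoleBinding is the idiomatic way to reuse one rule set while keeping each account confined to its namespace; only the single-account layout needs the ClusterRoleBinding.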
Developer selected service account
The developer sets spec.serviceAccountName on the owner (Workload/Deliverable) to the name of a service account in the owner's own namespace; an account from another namespace cannot be referenced. This takes precedence over any serviceAccountRef the operator put in the blueprint. The chosen service account still requires full permissions for the objects created by the blueprint, and Kubernetes RBAC will not let a developer who lacks a permission bind it to that account, so what a developer-selected account can do is bounded by the RBAC of the developer namespace.
---
kind: ClusterSupplyChain|ClusterDelivery
spec:
  serviceAccountRef:
    name: # n/a
    namespace: # n/a
---
kind: Workload|Deliverable
metadata:
  namespace: my-developer-ns
spec:
  serviceAccountName: workload-specific-sa
The selected service account is:
---
kind: ServiceAccount
metadata:
  name: workload-specific-sa
  namespace: my-developer-ns
Default service account
If neither the blueprint nor the owner names a service account, the default service account of the owner's namespace is used.
Note: the default service account is unlikely to have the necessary permissions, and granting them to it is not advisable: every pod in the namespace that does not name its own service account runs as default, so the blueprint's write permissions would be handed to all of those pods as well.
---
kind: ClusterSupplyChain|ClusterDelivery
spec:
  serviceAccountRef: {} # Not provided!
---
kind: Workload|Deliverable
metadata:
  namespace: my-developer-ns
spec:
  serviceAccountName: # Not provided!
The selected service account is:
---
kind: ServiceAccount
metadata:
  name: default
  namespace: my-developer-ns
Cartographer Controller Permissions
The Cartographer controller runs as its own service account, cartographer-controller in the cartographer-system namespace. That account is distinct from the owner service accounts above: the controller does not need write access to the objects a blueprint stamps out, because those writes are made with the owner's service account. Note that the second rule of the ClusterRole below grants get, list and watch on every resource in every API group, which includes Secrets in all namespaces, while write access is limited to the status subresources of Cartographer's own kinds. The ClusterRole that is bound to the service account is:
kubectl get clusterrole cartographer-controller-admin -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cartographer-controller-admin
rules:
- apiGroups:
  - carto.run
  resources:
  - workloads/status
  - clustersupplychains/status
  - runnables/status
  - clusterdeliveries/status
  - deliverables/status
  verbs:
  - create
  - update
  - delete
  - patch
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - watch
  - get
  - list