Kubernetes Permissions

The Pipekit Helm Chart will create two ServiceAccounts in the namespace you install Pipekit into. These ServiceAccounts are used to control the permissions of the various components of Pipekit.

pipekit

The primary ServiceAccount is called pipekit by default. This can be changed by setting global.serviceAccount.name in the Helm Chart values. This ServiceAccount is used by the Pipekit services to interact with the Kubernetes API. This ServiceAccount is given no extra permissions by default because it does not require them.

pipekit-job

A secondary ServiceAccount is created, called pipekit-job by default. The pipekit element of the name can be changed by setting global.serviceAccount.name in the Helm Chart values. This ServiceAccount is used by the pipekit-init Kubernetes Job that sets up and rotates the various passwords used by the Pipekit services. This ServiceAccount is given the following permissions:

# Manage the creation of Kubernetes Secrets to store the various passwords created by the pipekit-init Kubernetes Job.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - patch
      - create

# When the pipekit-init job is run, it creates a new Secret to store the various passwords. This Secret is then mounted into the various Pipekit services as a volume. This permission allows the pipekit-init job to patch the Deployments of the `id` and `users` services so that they restart after the Secret has been created or changed, ensuring the new passwords are picked up by those services.
  - apiGroups:
      - "apps"
    resources:
      - deployments
    verbs:
      - get
      - patch
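
The rules above are the complete set the pipekit-job ServiceAccount should hold, so a useful operational check is to confirm the Role actually bound to it has not drifted wider (for example after a chart upgrade or a manual edit). The following is an added example, not code from the Pipekit chart: it audits a Role fetched with `kubectl get role <name> -o json` against the documented permissions and reports any verb, resource or wildcard that goes beyond them. The Role JSON documents below are constructed samples.

```python
import json

# Permissions documented on this page for pipekit-job:
# (apiGroup, resource) -> verbs that are allowed.
EXPECTED = {
    ("", "secrets"): {"get", "patch", "create"},
    ("apps", "deployments"): {"get", "patch"},
}


def excess_permissions(role):
    """Return sorted (apiGroup, resource, verb) triples granted by `role`
    (a Role or ClusterRole decoded from `kubectl ... -o json`) that are not
    in EXPECTED. A '*' resource or verb never matches an EXPECTED entry, so
    wildcards are always reported rather than silently accepted."""
    excess = set()
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                allowed = EXPECTED.get((group, resource))
                for verb in rule.get("verbs", []):
                    if allowed is None or verb not in allowed:
                        excess.add((group, resource, verb))
    return sorted(excess)


# Constructed sample: a Role that matches the documented rules exactly.
DOCUMENTED_ROLE = json.loads("""
{"kind": "Role", "metadata": {"name": "pipekit-job"},
 "rules": [
   {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "patch", "create"]},
   {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "patch"]}]}
""")

# Constructed sample: the same Role after drift (extra verb, extra resource).
DRIFTED_ROLE = json.loads("""
{"kind": "Role", "metadata": {"name": "pipekit-job"},
 "rules": [
   {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "patch", "create", "delete"]},
   {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "patch"]},
   {"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]}]}
""")

if __name__ == "__main__":
    for name, role in (("documented", DOCUMENTED_ROLE), ("drifted", DRIFTED_ROLE)):
        extra = excess_permissions(role)
        print(name, "OK" if not extra else "EXCESS: %s" % extra)
```

Run it against live output with `kubectl get role <name> -n <namespace> -o json` piped through `json.load`; a non-empty result is the list of grants to remove.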

Pipekit-Agent

The Pipekit-Agent is a separate component that is used to interact with your Argo installations. The permissions for this component are documented in the Pipekit-Agent documentation.