
RBAC Configuration

Overview

The OpsWorker Kubernetes Agent uses Kubernetes RBAC (Role-Based Access Control) to define what resources it can access. The Helm chart creates default RBAC resources during installation.

Default Permissions

The Helm chart creates a ClusterRole with read-only access to common resource types:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: opsworker-agent
rules:
  - apiGroups: [""]
    # Note: this grants read access to Secrets in every namespace. Use the
    # namespace-scoped Role below if the agent should not see all secrets.
    resources: ["pods", "pods/log", "services", "endpoints",
                "events", "configmaps", "secrets", "nodes",
                "namespaces", "replicationcontrollers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
```

A ClusterRoleBinding links this role to the agent's ServiceAccount.

Namespace-Scoped Access

To restrict the agent to specific namespaces, replace the ClusterRole/ClusterRoleBinding with namespace-scoped Role/RoleBinding resources:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: opsworker-agent
  namespace: production # Repeat for each namespace
rules:
  - apiGroups: [""]
    # nodes are cluster-scoped, so a namespaced Role cannot grant access to
    # them; they are omitted here (a ClusterRole is required for node access).
    resources: ["pods", "pods/log", "services", "endpoints",
                "events", "configmaps", "secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: opsworker-agent
  namespace: production
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: opsworker-agent
subjects:
  - kind: ServiceAccount
    name: opsworker-agent
    namespace: opsworker
```

Create a Role and RoleBinding in each namespace you want the agent to access.

Minimum Required Permissions

For basic investigation functionality, the agent needs at minimum:

| Resource    | Verbs     | Purpose                  |
|-------------|-----------|--------------------------|
| pods        | get, list | Discover affected pods   |
| pods/log    | get       | Read container logs      |
| events      | get, list | Build incident timeline  |
| services    | get, list | Map service topology     |
| deployments | get, list | Check deployment status  |

Auditing Agent Access

Check what the agent can access:

```shell
kubectl auth can-i --list \
  --as=system:serviceaccount:opsworker:opsworker-agent
```

Check access to a specific namespace:

```shell
kubectl auth can-i get pods \
  -n production \
  --as=system:serviceaccount:opsworker:opsworker-agent
```
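The `kubectl auth can-i` checks above answer one question at a time. The following script is an added example (not part of the OpsWorker documentation or Helm chart) that reviews the agent's Role/ClusterRole objects offline: it reads the JSON that `kubectl get clusterrole,role -A -o json` prints, flags grants a reviewer would question (wildcards, write verbs, cluster-wide read of Secrets, cluster-scoped resources listed in a namespaced Role, which have no effect), and checks that the minimum permissions from the table above are present. The sample manifest embedded at the bottom is constructed for this example; the resource names and verbs come from the page.

```python
"""Offline lint of OpsWorker agent RBAC manifests (added example, not project code)."""
import json

READ_VERBS = {"get", "list", "watch"}
# Reading Secrets across all namespaces exposes every credential in the cluster.
SENSITIVE_READ = {"secrets"}
# Cluster-scoped resources: listing them in a namespaced Role grants nothing.
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes",
                  "clusterroles", "clusterrolebindings"}
# Minimum permissions from the "Minimum Required Permissions" table.
MINIMUM_REQUIRED = {
    ("", "pods"): {"get", "list"},
    ("", "pods/log"): {"get"},
    ("", "events"): {"get", "list"},
    ("", "services"): {"get", "list"},
    ("apps", "deployments"): {"get", "list"},
}


def _rule_grants(rule, group, resource, verb):
    """True if a single RBAC rule covers (group, resource, verb), honouring wildcards."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return ((group in groups or "*" in groups)
            and (resource in resources or "*" in resources)
            and (verb in verbs or "*" in verbs))


def lint_role(role):
    """Return a list of findings (strings) for one Role or ClusterRole object."""
    findings = []
    kind, name = role["kind"], role["metadata"]["name"]
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"{kind}/{name}: wildcard in rule {rule}")
        if verbs - READ_VERBS:
            findings.append(f"{kind}/{name}: non-read verbs {sorted(verbs - READ_VERBS)} "
                            f"on {sorted(resources)}")
        if kind == "ClusterRole" and resources & SENSITIVE_READ:
            findings.append(f"{kind}/{name}: cluster-wide read of "
                            f"{sorted(resources & SENSITIVE_READ)}")
        if kind == "Role" and resources & CLUSTER_SCOPED:
            findings.append(f"{kind}/{name}: cluster-scoped {sorted(resources & CLUSTER_SCOPED)} "
                            f"in a namespaced Role have no effect")
    return findings


def missing_minimum(role):
    """Return (group, resource, verb) triples from the minimum table the role does not grant."""
    rules = role.get("rules", [])
    return [(group, resource, verb)
            for (group, resource), verbs in MINIMUM_REQUIRED.items()
            for verb in sorted(verbs)
            if not any(_rule_grants(r, group, resource, verb) for r in rules)]


def lint_manifest(manifest_json):
    """Lint every Role/ClusterRole in kubectl's JSON output.

    Accepts either a single object or the `kind: List` wrapper kubectl emits
    for multiple resources. Returns {"Kind/name": (findings, missing_minimum)}.
    """
    doc = json.loads(manifest_json)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return {f'{i["kind"]}/{i["metadata"]["name"]}': (lint_role(i), missing_minimum(i))
            for i in items if i.get("kind") in ("Role", "ClusterRole")}


# Constructed sample: the chart's default ClusterRole, plus a namespaced Role
# that lists nodes (ineffective) and grants "*" verbs on configmaps (too broad).
SAMPLE = json.dumps({"kind": "List", "apiVersion": "v1", "items": [
    {"kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1",
     "metadata": {"name": "opsworker-agent"},
     "rules": [
         {"apiGroups": [""], "verbs": ["get", "list", "watch"],
          "resources": ["pods", "pods/log", "services", "endpoints", "events",
                        "configmaps", "secrets", "nodes", "namespaces",
                        "replicationcontrollers"]},
         {"apiGroups": ["apps"], "verbs": ["get", "list", "watch"],
          "resources": ["deployments", "replicasets", "daemonsets", "statefulsets"]},
         {"apiGroups": ["networking.k8s.io"], "verbs": ["get", "list", "watch"],
          "resources": ["ingresses"]}]},
    {"kind": "Role", "apiVersion": "rbac.authorization.k8s.io/v1",
     "metadata": {"name": "opsworker-agent", "namespace": "production"},
     "rules": [
         {"apiGroups": [""], "verbs": ["get", "list", "watch"],
          "resources": ["pods", "pods/log", "services", "events", "nodes"]},
         {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["*"]}]},
]})

if __name__ == "__main__":
    for key, (findings, missing) in lint_manifest(SAMPLE).items():
        print(key)
        for f in findings:
            print("  finding:", f)
        for m in missing:
            print("  missing minimum permission:", m)
```

Run against a live cluster with `kubectl get clusterrole,role -A -o json | python3 lint_rbac.py` after replacing `SAMPLE` with `sys.stdin.read()`. On the constructed sample the ClusterRole is reported for cluster-wide Secret reads, and the Role is reported for the ineffective `nodes` entry and the wildcard verbs, and is also missing `get`/`list` on `deployments`, so it falls short of the minimum table.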

Next Steps