Tenant RBAC enhancement

[venkatesh-mb]

Is there any example that we can extend tenant role bindings to apply cluster level?

We have a use case where my ingress controller have some cluster level roles and bindings which are not possible to apply with existing tenant role bindings.

Can you suggest how can we go with this issue?

[stefanprodan]

Place the ingress controller Flux HelmRelease or Flux Kustomization in the flux-system namespace and set the service account to either helm-controller or kustomize-controller. Or you could create a dedicated tenant for cluster admins, where you would modify the RoleBinding to be a ClusterRoleBinding.

[venkatesh-mb]

Thanks @stefanprodan . We have followed the same way for deploying cluster level tools. But we have some other applications which we want to go with tenant level. Yes, i am thinking of creating a new tenant create new service account but i am having difficulty what set of RBAC we should give it that tenant to have access to apply changes at cluster role.

[stefanprodan]

As I said change the RoleBinding into a ClusterRoleBinding here https://github.com/fluxcd/flux2-multi-tenancy/blob/main/tenants/base/dev-team/rbac.yaml#L20