Setting service accounts and role-based access control on Kubernetes

For db2u instances deployed on a Kubernetes cluster version 1.25 and later, users need to apply Pod Security Admission (PSA) labels to their dedicated working namespaces rather than PodSecurityPolicy (PSP).

About this task

To grant limited privileges to db2u pods, users need to customize their own serviceAccount (SA) and role-based access control (RBAC) bindings. If users do not specify a SA, the Db2 Operator will automatically generate the SA and assign the required resource accessibility.

PodSecurityPolicy (PSP) is officially deprecated in Kubernetes version 1.25 and later. PSP is replaced by Pod Security Admission (PSA). For db2u instances deployed on a Kubernetes cluster version 1.25 and later, users need to apply PSA labels to their dedicated working namespace.

Based on the official Kubernetes documentation on pod security levels, Kubernetes currently defines three levels (privileged, baseline, and restricted). Db2u requires the privileged level to work. The privileged level is unrestricted and provides the widest possible level of permissions.

To apply the PSA label, assign the enforce=privileged level to your Db2u namespace:

kubectl label ns <db2u-namespace> pod-security.kubernetes.io/enforce=privileged

To review the labels you have updated, run this command:

kubectl get ns --show-labels

Procedure

  1. Apply restricted RBAC using a customized SA: To apply a specific RBAC, you need to customize your SA, Role policy, and role-binding. You do not have to specify your own SA; if you do not, the Db2 Operator will automatically generate the SA and assign default resource accessibility.
  2. Set SERVICE_ACCOUNT to the name of the service account that you want to use:
    export SERVICE_ACCOUNT=<sa-name>
  3. Set ROLEBINDING_NAME to the name of the role-binding that will be used to bind the service account:
    export ROLEBINDING_NAME=<rolebinding-name>
  4. Set PROJECT_NAMESPACE to the project namespace in which the Db2 service is installed:
    export PROJECT_NAMESPACE=<namespace>
  5. Create your customized SA:
    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: ${SERVICE_ACCOUNT}
      namespace: ${PROJECT_NAMESPACE}
    EOF
  6. Set ROLE_NAME to the name of the Role, then create it. The following role settings are the minimum requirements for Db2 to fully function.
    export ROLE_NAME=<role-name>
    cat <<EOF | kubectl apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: ${ROLE_NAME}
      namespace: ${PROJECT_NAMESPACE}
    rules:
    - apiGroups:
      - ""
      resources:
      - endpoints
      - pods
      verbs:
      - get
      - patch
      - update
    - apiGroups:
      - apps
      resources:
      - statefulsets
      - deployments
      - replicasets
      verbs:
      - get
      - list
    - apiGroups:
      - ""
      resources:
      - configmaps
      verbs:
      - get
      - patch
      - watch
      - list
      - update
    - apiGroups:
      - ""
      resources:
      - secrets
      verbs:
      - get
      - create
      - update
    - apiGroups:
      - db2u.databases.ibm.com
      resources:
      - recipes
      verbs:
      - watch
      - get
      - update
      - create
      - patch
      - list
      - delete
    - apiGroups:
      - db2u.databases.ibm.com
      resources:
      - buckets
      verbs:
      - patch
    - apiGroups:
      - db2u.databases.ibm.com
      resources:
      - backups
      verbs:
      - patch
      - delete
      - list
    - apiGroups:
      - db2u.databases.ibm.com
      resources:
      - formations
      verbs:
      - get
    - apiGroups:
      - ""
      resources:
      - pods/exec
      verbs:
      - create
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - watch
      - list
      - get
    - apiGroups:
      - ""
      resources:
      - services
      verbs:
      - watch
      - list
      - get
    EOF
  7. Create role-binding with the SA and Role:
    cat <<EOF | kubectl apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: ${ROLEBINDING_NAME}
      namespace: ${PROJECT_NAMESPACE}
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: ${ROLE_NAME}
    subjects:
    - kind: ServiceAccount
      name: ${SERVICE_ACCOUNT}
      namespace: ${PROJECT_NAMESPACE}
    EOF
  8. Deploy the instance with the predefined SA:
    apiVersion: db2u.databases.ibm.com/v1
    kind: Db2uCluster
    metadata:
      name: db2-test
      namespace: ${PROJECT_NAMESPACE}
    spec:
      size: 1
      account:
        serviceAccountName: ${SERVICE_ACCOUNT}
    ...
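After the Role and RoleBinding from steps 6 and 7 are applied, it is worth confirming that the service account holds exactly the permissions listed and nothing more. The following script is an added example, not IBM's or the Db2 Operator's code: it evaluates the step 6 rules offline with Kubernetes RBAC matching semantics (so that a rule on pods does not cover pods/exec), reports any sensitive operation the Role grants that it should not, and prints the equivalent kubectl auth can-i commands to ask the real API server while impersonating the SA. The deny list, the namespace db2-ns and the SA name db2u-sa are constructed for the example.

```python
# RBAC rules constructed from the Role in step 6 as (apiGroup, resources, verbs).
ROLE_RULES = [
    ("", ["endpoints", "pods"], ["get", "patch", "update"]),
    ("apps", ["statefulsets", "deployments", "replicasets"], ["get", "list"]),
    ("", ["configmaps"], ["get", "patch", "watch", "list", "update"]),
    ("", ["secrets"], ["get", "create", "update"]),
    ("db2u.databases.ibm.com", ["recipes"],
     ["watch", "get", "update", "create", "patch", "list", "delete"]),
    ("db2u.databases.ibm.com", ["buckets"], ["patch"]),
    ("db2u.databases.ibm.com", ["backups"], ["patch", "delete", "list"]),
    ("db2u.databases.ibm.com", ["formations"], ["get"]),
    ("", ["pods/exec"], ["create"]),
    ("", ["pods"], ["watch", "list", "get"]),
    ("", ["services"], ["watch", "list", "get"]),
]
# Sensitive operations the Db2 SA has no reason to hold in its namespace
# (a constructed deny list for this review, not something the page lists).
DENY_EXPECTED = [("", "pods", "delete"), ("", "secrets", "delete"), ("", "secrets", "list"),
                 ("rbac.authorization.k8s.io", "rolebindings", "create"), ("", "pods/exec", "get")]

def _resource_matches(pattern, resource):
    # RBAC semantics: "*" matches all, "*/sub" matches that subresource of any
    # resource, otherwise exact string match (so "pods" does NOT cover "pods/exec").
    if pattern == "*":
        return True
    if pattern.startswith("*/") and "/" in resource:
        return resource.split("/", 1)[1] == pattern[2:]
    return pattern == resource

def allowed(rules, group, resource, verb):
    """True if some rule grants `verb` on `resource` in `group` (namespace-scoped Role)."""
    return any(g in (group, "*") and any(_resource_matches(r, resource) for r in rs)
               and (verb in vs or "*" in vs) for g, rs, vs in rules)

def unexpected_grants(rules):
    """Operations from DENY_EXPECTED that the Role grants anyway; should be empty."""
    return [op for op in DENY_EXPECTED if allowed(rules, *op)]

def can_i_command(namespace, sa, group, resource, verb):
    """The same question for the live API server, impersonating the SA."""
    base, _, sub = resource.partition("/")
    target = base + ("." + group if group else "")
    flag = " --subresource=" + sub if sub else ""
    return (f"kubectl auth can-i {verb} {target}{flag} -n {namespace} "
            f"--as=system:serviceaccount:{namespace}:{sa}")
if __name__ == "__main__":
    print("unexpected grants:", unexpected_grants(ROLE_RULES))
    for op in [("", "pods/exec", "create")] + DENY_EXPECTED:
        print(can_i_command("db2-ns", "db2u-sa", *op), "# expect", "yes" if allowed(ROLE_RULES, *op) else "no")
```

Run the printed kubectl commands against the cluster; a "yes" where the script predicted "no" means the SA is bound to more than the Role in step 6 (for example through a second RoleBinding or a ClusterRoleBinding).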