Understanding ClusterRoles, ClusterRoleBindings, and ServiceAccounts in Flexera's Kubernetes Agents

FlexNet Manager Suite 2024 R2 (On-Premises)

ClusterRoles

A ClusterRole defines a set of permissions, expressed as Kubernetes verbs such as get, list, watch, create, delete and patch, that apply to resources across the entire cluster rather than within a single namespace. For example, a ClusterRole can grant get, list, and watch permissions on nodes, which is enough to monitor cluster nodes without being able to modify them.

ServiceAccounts

A ServiceAccount is the identity a pod uses to interact with the Kubernetes API. The actions a ServiceAccount can perform are granted by a ClusterRole and scoped to that ServiceAccount by a ClusterRoleBinding. This setup ensures that only pods running under that ServiceAccount can execute the actions allowed by the ClusterRole.

Binding cluster-wide permissions to the Flexera namespace

The Flexera namespace is a Kubernetes namespace for deploying and managing Flexera agents, including the Lightweight Kubernetes Inventory Agent (LWK) and the Full Kubernetes Inventory Agent (KRM). It provides a logical grouping of resources, improving manageability, security, and resource isolation.

ClusterRoles define cluster-wide permissions, while ClusterRoleBindings grant them only to specific ServiceAccounts, and so to the pods running under those ServiceAccounts, in the Flexera namespace. This lets the agents monitor resources across all namespaces while preventing other workloads from using the same permissions.

This approach follows the principle of least privilege, ensuring only Flexera agents can use their ClusterRoles, minimizing the risk of privilege escalation from other workloads or harmful pods.

Example: Securing Access to Nodes

This example highlights the LWK agent, which needs read-only access to nodes for inventory collection. The steps to ensure secure access are:

  1. Create a ClusterRole named flexera-lwk to grant get, list, and watch permissions for nodes, namespaces, and pods.
  2. Bind this ClusterRole to the lwk ServiceAccount in the Flexera namespace via a ClusterRoleBinding.
  3. Only the LWK agent pod under the lwk ServiceAccount can access the nodes resource, restricting access for other workloads, even in the Flexera namespace.
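The three steps above, and the ClusterRole and ServiceAccount definitions earlier on this page, expressed as Kubernetes manifests. This is an added example, not Flexera's shipped manifests: the names flexera-lwk and lwk come from the text, the namespace name flexera is an assumption, and nodes, namespaces and pods all live in the core API group (empty apiGroups string).

```yaml
# Added example manifests (not Flexera's own). Namespace name "flexera" is assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: flexera
---
# Step 2 (identity): the ServiceAccount the LWK agent pod runs under.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: lwk
  namespace: flexera
---
# Step 1: cluster-wide, read-only permissions on nodes, namespaces and pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: flexera-lwk
rules:
  - apiGroups: [""]                       # core API group
    resources: ["nodes", "namespaces", "pods"]
    verbs: ["get", "list", "watch"]       # no create, delete or patch
---
# Step 2: bind the ClusterRole to the lwk ServiceAccount only.
# Any other ServiceAccount, even in the flexera namespace, is not a subject
# here and therefore does not inherit these permissions (step 3).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: flexera-lwk
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flexera-lwk
subjects:
  - kind: ServiceAccount
    name: lwk
    namespace: flexera
```

Apply the file with kubectl apply -f, and set serviceAccountName: lwk in the agent pod spec so the pod receives this identity. The binding can be checked with kubectl's impersonation flag: kubectl auth can-i list nodes --as=system:serviceaccount:flexera:lwk should answer yes, while kubectl auth can-i delete pods --as=system:serviceaccount:flexera:lwk and kubectl auth can-i list nodes --as=system:serviceaccount:flexera:default should both answer no, confirming that the permissions are read-only and reach only the lwk ServiceAccount.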

This setup ensures permissions are strictly controlled, preventing misuse by unauthorized workloads.

Summary

Linking cluster-wide permissions to designated ServiceAccounts in the Flexera namespace allows Flexera agents to securely manage resources across the cluster. This balances broad access with stringent control, ensuring operational functionality and robust security.
