KOTS: Existing Cluster: Conditionally Specify Minimal RBAC

Is there a way to pass requireMinimalRBACPrivileges through the kots install command so it’s only used for particular clients? It seems setting this globally in application.yaml affects all clients and removes snapshotting by default, impairs preflights, etc., but typically we would only need it in a restricted environment like OpenShift.

Is it possible to define this on a per-installation basis?

EDIT - Thanks to @bco for pointing out that --use-minimal-rbac is supported as an install-time command to kots install as of KOTS version 1.68.0. (App must have supportMinimalRBACPrivileges set.)


In the case where minimal RBAC is used:

  • Preflights can be run manually by the installing user (prompt in the UI)
  • Snapshots can be enabled after the fact with:

    kubectl kots velero ensure-permissions \
      --velero-namespace velero \
      -n <namespace of kotsadm>

Overall we believe that minimizing RBAC scope for the KOTS installation is a best practice, even when the environment does not necessarily require it. We will continue to improve the UX here around doing things that require higher permissions when the KOTS in-cluster components aren’t able to do these things independently.

I think this answer is out of date now with the --use-minimal-rbac feature.
