Kubernetes resource requirements
Custom Resource Definitions (CRDs)
The cluster-level permissions required by D3E are significantly reduced compared to the open source Dapr project because application namespaces can be specified explicitly. However, the distribution contains five namespaced Custom Resource Definitions (CRDs), whose objects are therefore only accessible to Dapr applications in the same namespace. The CRDs are identical to open source Dapr and are listed below:
- components.dapr.io
- configurations.dapr.io
- httpendpoints.dapr.io
- resiliencies.dapr.io
- subscriptions.dapr.io: D3E does not support subscription resources with API version v1alpha1, so ensure your Subscription objects conform to the v2alpha1 specification.
As a best practice, Dapr resource specifications should always be scoped to only the specific applications within the namespace that require access. See the reference documentation.
For example, to allow only app1 and app2 in the production namespace to access a Redis state Component, configure the following scopes.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: statestore
  namespace: production
spec:
  type: state.redis
  version: v1
  metadata:
  - name: redisHost
    value: redis-master:6379
scopes:
- app1
- app2
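To audit an existing cluster against the two rules above (Components without scopes, Subscriptions not on v2alpha1), here is an added Python example that is not part of the D3E distribution or the Dapr project. It reads the JSON that `kubectl get components.dapr.io,subscriptions.dapr.io -A -o json` produces; the sample input embedded below is constructed for illustration.

```python
import json

# Constructed sample shaped like the output of
#   kubectl get components.dapr.io,subscriptions.dapr.io -A -o json
SAMPLE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"apiVersion": "dapr.io/v1alpha1", "kind": "Component",
         "metadata": {"name": "statestore", "namespace": "production"},
         "spec": {"type": "state.redis", "version": "v1"},
         "scopes": ["app1", "app2"]},                       # scoped: OK
        {"apiVersion": "dapr.io/v1alpha1", "kind": "Component",
         "metadata": {"name": "pubsub", "namespace": "production"},
         "spec": {"type": "pubsub.redis", "version": "v1"}},  # no scopes
        {"apiVersion": "dapr.io/v1alpha1", "kind": "Subscription",
         "metadata": {"name": "orders-sub", "namespace": "production"},
         "spec": {"topic": "orders", "route": "/orders",
                  "pubsubname": "pubsub"}},                   # unsupported version
        {"apiVersion": "dapr.io/v2alpha1", "kind": "Subscription",
         "metadata": {"name": "orders-sub-v2", "namespace": "production"},
         "spec": {"topic": "orders", "pubsubname": "pubsub",
                  "routes": {"default": "/orders"}}},         # OK
    ],
})


def audit_dapr_resources(kubectl_json):
    """Return (namespace/name, finding) pairs for Dapr resources that
    violate the D3E guidance: unscoped Components and v1alpha1 Subscriptions."""
    findings = []
    for item in json.loads(kubectl_json).get("items", []):
        kind = item.get("kind")
        meta = item.get("metadata", {})
        ref = f"{meta.get('namespace', '')}/{meta.get('name', '')}"
        if kind == "Component" and not item.get("scopes"):
            # Without scopes, every Dapr app in the namespace can use the component.
            findings.append((ref, "Component has no scopes"))
        elif kind == "Subscription" and item.get("apiVersion") != "dapr.io/v2alpha1":
            findings.append((ref, f"Subscription uses {item.get('apiVersion')}; "
                                  "D3E requires dapr.io/v2alpha1"))
    return findings


if __name__ == "__main__":
    for ref, finding in audit_dapr_resources(SAMPLE_LIST):
        print(f"{ref}: {finding}")
```

Pipe real cluster output into `audit_dapr_resources` (for example via `sys.stdin.read()`) to run the same checks against live resources.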
Dapr ClusterRoles
The cluster-level permissions required by D3E are significantly reduced compared to the open source Dapr project because application namespaces can be specified explicitly. However, the following ClusterRoles are still required for the distribution to function in most cases. To remove all required Dapr ClusterRoles, read Option 4: D3E without ClusterRoles using the Diagrid Dapr Injector Helm chart.
- ClusterRole: {{.Release.Namespace}}-dapr-injector-mutating-patcher
  - Handles trust anchor certificate updates.
  - Manages sidecar injection configuration.
  - When deployed with D3E namespace isolation, the Injector ClusterRole is patched with the namespace where sidecars can be injected.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    meta.helm.sh/release-name: dapr
    meta.helm.sh/release-namespace: dapr-system
  creationTimestamp: "2024-09-11T14:26:42Z"
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: dapr
    app.kubernetes.io/part-of: dapr
    app.kubernetes.io/version: v1.14.4-diagrid-2
  name: {{.Release.Namespace}}-dapr-injector-mutating-patcher
  resourceVersion: "3428506"
  uid: f93c334a-9c9a-461b-a4b8-7fd1f04c90a5
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resourceNames:
  - {{.Release.Namespace}}-dapr-sidecar-injector
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - patch
- ClusterRole: system:auth-delegator
  - Not a custom Dapr ClusterRole but a standard Kubernetes ClusterRole that should already exist in the cluster.
  - Enables token authentication against Kubernetes service accounts.
  - Requires a custom Dapr ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-07-15T12:07:20Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:auth-delegator
  resourceVersion: "87"
  uid: 4afef4ad-bc21-43e6-981b-fffd9374f740
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- ClusterRole [Dapr 1.15+]: dapr-scheduler
  - Used by a cleanup job that watches the Dapr application namespaces so that, when a namespace is deleted, the scheduler service's data for it is cleaned up accordingly.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dapr-scheduler
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: dapr
    app.kubernetes.io/part-of: dapr
    app.kubernetes.io/version: v1.14.4
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]