Permissions Forma needs

We prioritize transparency and trust as we know that working with remote resources is delicate work in here we outline details of the permissions Forma needs over your resources and why it does.

When working with a remote Kubernetes cluster Forma needs to have certain access to the resources in order to perform tasks on your behalf. 

This saves you a lot of work and time (and headaches!) from having to create disk resources, namespaces, or even higher level components like containers manually.

With this, your experience using Forma becomes into a matter of clicks right after you set your Clusters' Configuration. Here we outline what Forma does, why, and what permissions it needs.

Why we recommend you create a new cluster for your blockchain components

  • A Blockchain Network needs some special settings related to ports, disks, and so on, that you may not want for the rest of your components, so isolating them is the best you can do.
  • Forma needs to have control over resources in the cluster (from global resources <namespaces> to specific resources <containers>) and just using namespaces on existing clusters is not enough to effectively isolate Forma's access.
  • Forma manages ports and routes components from multiple clusters - therefore if you occupy a port that Forma expects to use, it will break.

What resources does Forma manage?

  • Namespaces (to isolate organization components). I.e.: having components connected to two networks reside in the same cluster without colliding.
  • StorageClass and PVC.
  • Pods, Statefulsets, and Services.

How does Forma get its access

We try to make Forma as unintrusive as possible, so providing a service account that is created and managed on your cluster is the approach it takes. Therefore if anything happens you can always revoke access.

The other way that Forma has access to your cluster (with fewer permissions) is through a Client container that allows it to manage disk-related tasks - such as copying files, scripts, etc. This container helps to make communication easier.

Forma gets most of its access to your cluster through a Service Account created on each of your clusters. This is a task performed in the tutorials through a script - this script creates:

  • A service account called forma-proxy and a service-account-token
    • The Service Account has a cluster role cluster-admin

Forma never gets access to resources outside of that cluster - you can triple check it by exploring the Service Account creation script and reviewing your account permissions.

Revoking permissions

In the unlikely event that you want to prevent Forma from accessing your resources, you can remove the Service Account called forma-proxy. You can also remove the container called Client on each of your namespaces.

This will prevent Forma from accessing your network, it will continue to work however tasks like self-recovering, monitoring, and operational tasks such as creating resources (networks, ledgers, smart contracts) and anything using the User Interface will stop working.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us