doc: manage role-permission #21

Open
chintansakhiya opened this issue Jan 1, 2025 · 1 comment
Labels
documentation Improvements or additions to documentation

chintansakhiya commented Jan 1, 2025

Roles and Permissions

Each cluster includes four default roles, each defining specific permission rules for users.

1. devops

Permission Rules:

```yaml
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
```

2. developer

Permission Rules:

```yaml
rules:
  - apiGroups: ["*"]
    resources: ["pods", "pods/log"]
    verbs: ["list", "watch", "get"]
```

3. watcher

Permission Rules:

```yaml
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["list", "watch", "get"]
```

4. developer-portforward

Permission Rules:

```yaml
rules:
  - apiGroups: ["*"]
    resources: ["pods", "pods/log", "pods/exec", "pods/portforward"]
    verbs: ["list", "watch", "get"]
```

Assigning Namespace-Specific Access

To grant a user access to a specific namespace in a cluster, follow this role/group naming format:
<cluster-name>:<role>:<namespace>. The admin must assign this role/group to the user in Keycloak.

Explanation:

  • This format allows administrators to grant namespace-specific access using predefined roles.
  • By leveraging roles, administrators can control and limit access to specific resources and operations within a namespace.
  • Implementation involves creating Role and RoleBinding objects.

Resource Count:

The total number of Roles and RoleBindings in each cluster equals:
4 (roles) × n (namespaces)

Assigning Cluster-Wide Access

To grant a user access to an app namespace in a cluster, follow this role/group naming format:
<cluster-name>:<role>. The admin must assign this role/group to the user in Keycloak.

Explanation:

  • This format allows administrators to grant access to all namespaces using predefined roles.
  • By using roles, administrators can enforce specific access restrictions cluster-wide.
  • Implementation involves creating ClusterRole and ClusterRoleBinding objects.

Resource Count:

The total number of ClusterRoles and ClusterRoleBindings in each cluster equals:
4 (roles)

@chintansakhiya chintansakhiya changed the title manage role-permission doc: manage role-permission Jan 2, 2025
@chintansakhiya chintansakhiya added the documentation Improvements or additions to documentation label Jan 10, 2025
@chintansakhiya chintansakhiya self-assigned this Jan 10, 2025

shivani446 commented Jan 31, 2025

I would like to request one change in the developer port-forward role.
Here in the role pods/exec is included, but generally we do not give the exec role to developers.
I want to assign the port-forward role to one of the developers, but it also includes the exec permission.
So can we remove pods/exec for the same?
@chintansakhiya @munir131
