This repository has been archived by the owner on Apr 30, 2021. It is now read-only.
Permissions

The permissions a given user has in a given namespace, in every cluster of a given account, depend on their configuration in gds-trusted-developers: specifically, on the roles they have been given there.

Cluster admins

A gds-trusted-developer may be configured as a cluster admin in all clusters in an account. The cluster admin permissions should be used only during periods where it is strictly necessary (such as during an incident) and should be surrendered immediately following the return to normal service.

To configure a user as a cluster admin:

roles:
- account: verify
  role: admin

Namespace operators

An "operator" in a namespace has an elevated set of permissions to accelerate the feedback cycle of development for a tenant. For example, they are able to create arbitrary namespace-scoped resources using kubectl, read secrets, and view or edit pipelines. To elevate a gds-trusted-developer to an "operator" in a given namespace:

roles:
- account: verify
  role: operator
  namespace: verify-my-dev-namespace

Cluster auditors

All gds-trusted-developers in a given account are given "auditor" access to all clusters in the account. This gives basic read access to the whole cluster (except for some sensitive resources such as secrets).

To configure an "auditor":

roles:
- account: verify
  role: auditor
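As an added example (not code from this repository), the three grants above in their parsed form, with a check that every operator grant names a namespace and a function that resolves the effective role a user holds in one namespace of one account. The precedence admin > operator > auditor, and the rule that any role in an account makes the user an auditor there, are assumptions drawn from the text above; the sample roles are constructed.

```python
# Added example, not part of gds-trusted-developers. Works on the parsed form of
# the `roles:` YAML above: a list of mappings with account, role and (for
# operators) namespace keys.
VALID_ROLES = {"admin", "operator", "auditor"}


def validate_roles(roles):
    """Return a list of problems in a user's roles list (empty if clean)."""
    errors = []
    for i, entry in enumerate(roles):
        role = entry.get("role")
        if not entry.get("account"):
            errors.append(f"roles[{i}]: missing account")
        if role not in VALID_ROLES:
            errors.append(f"roles[{i}]: unknown role {role!r}")
        # Operator is a namespace-scoped grant, so it must name the namespace.
        elif role == "operator" and not entry.get("namespace"):
            errors.append(f"roles[{i}]: operator grant needs a namespace")
    return errors


def effective_role(roles, account, namespace):
    """Highest role the user holds in `namespace` of `account`, or None.

    Assumed precedence: admin (cluster-wide) > operator (only in the named
    namespace) > auditor (every trusted developer in the account).
    """
    in_account = [r for r in roles if r.get("account") == account]
    if not in_account:
        return None  # not a trusted developer for this account at all
    if any(r.get("role") == "admin" for r in in_account):
        return "admin"
    if any(r.get("role") == "operator" and r.get("namespace") == namespace
           for r in in_account):
        return "operator"
    return "auditor"


# Constructed sample: one developer who is an operator in a single namespace.
SAMPLE_ROLES = [
    {"account": "verify", "role": "operator",
     "namespace": "verify-my-dev-namespace"},
    {"account": "verify", "role": "auditor"},
]

if __name__ == "__main__":
    print(validate_roles(SAMPLE_ROLES))
    print(effective_role(SAMPLE_ROLES, "verify", "verify-my-dev-namespace"))
    print(effective_role(SAMPLE_ROLES, "verify", "verify-other-namespace"))
```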

Further info