diff --git a/modules/ROOT/pages/getting-started.adoc b/modules/ROOT/pages/getting-started.adoc index 461e33bd..7d3c69d6 100644 --- a/modules/ROOT/pages/getting-started.adoc +++ b/modules/ROOT/pages/getting-started.adoc @@ -12,7 +12,7 @@ provide a foundational mechanism for isolating groups of resources within a sing {ProductName} scopes all the resources and APIs you interact with to namespaces, including your components, applications, snapshots, secrets, and the Tekton PipelineRuns that perform builds, tests, and releases. === Tenant namespace -Tenant namespaces are where Tekton Pipelines produce artifacts that more than one individual can access according to their roles and the permissions defined by link:https://konflux-ci.dev/architecture/ADR/0011-roles-and-permissions.html[those roles]. +Tenant namespaces are where Tekton Pipelines produce artifacts that more than one individual can access according to their roles and the permissions defined by xref:reference:permissions.adoc[those roles]. The tenant namespaces can be either for an individual or a team. //TODO: Document the process for getting access to/creating new namespaces (We should store this information in a seperate file and link to it. It doesn't need to be in this document). diff --git a/modules/ROOT/pages/share-with-community.adoc b/modules/ROOT/pages/share-with-community.adoc index 896ea129..9ff77db9 100644 --- a/modules/ROOT/pages/share-with-community.adoc +++ b/modules/ROOT/pages/share-with-community.adoc 
@@ -2,7 +2,7 @@ As a tenant admin, you may want to give visibility on your project to the Konflux users outside your team. -For this purpose, Konflux allows you to bind the `system:authenticated` group to the link:https://konflux-ci.dev/architecture/ADR/0011-roles-and-permissions.html[konflux-viewer-user-actions Role]. +For this purpose, Konflux allows you to bind the `system:authenticated` group to the xref:reference:permissions.adoc[konflux-viewer-user-actions Role]. As a result, each authenticated user in Konflux will be allowed to view your Tenant namespace and its resources from CLI and UI. include::partial${context}-share-community-first-paragraph.adoc[] diff --git a/modules/glossary/pages/index.adoc b/modules/glossary/pages/index.adoc index b2b4f71f..bf189da5 100644 --- a/modules/glossary/pages/index.adoc +++ b/modules/glossary/pages/index.adoc @@ -68,4 +68,4 @@ [[tekton-results]]Tekton results:: A mechanism that stores PipelineRun and TaskRun metadata in a separate database and underlying pod logs in cloud storage. After this metadata is stored in a separate database, the original resources are removed from the cluster. -[[tenant-namespace]]tenant namespace:: A Kubernetes namespace which is owned by either an individual or a group of individuals. All Tekton Pipelines are run within a tenant namespace including build, test, and release pipelines. Access can be granted to individuals in link:https://konflux-ci.dev/architecture/ADR/0011-roles-and-permissions.html[three tiers], `Viewer`, `Contributor`, `Maintainer`, and `Admin`. \ No newline at end of file +[[tenant-namespace]]tenant namespace:: A Kubernetes namespace which is owned by either an individual or a group of individuals. All Tekton Pipelines are run within a tenant namespace including build, test, and release pipelines. Access can be granted to individuals in xref:reference:permissions.adoc[four tiers], `Viewer`, `Contributor`, `Maintainer`, and `Admin`. \ No newline at end of file 
diff --git a/modules/reference/nav.adoc b/modules/reference/nav.adoc index 6c4aa2e1..76e3f9ee 100644 --- a/modules/reference/nav.adoc +++ b/modules/reference/nav.adoc @@ -1,5 +1,6 @@ * xref:index.adoc[Reference] ** xref:sample-repositories.adoc[Sample repositories] +** xref:permissions.adoc[Roles and permissions] ** xref:kube-apis/index.adoc[Konflux Kubernetes APIs] *** xref:kube-apis/application-api.adoc#k8s-api-github-com-konflux-ci-application-api-api-v1alpha1-application[Application] *** xref:kube-apis/application-api.adoc#k8s-api-github-com-konflux-ci-application-api-api-v1alpha1-component[Component] diff --git a/modules/reference/pages/permissions.adoc b/modules/reference/pages/permissions.adoc new file mode 100644 index 00000000..fe6df922 --- /dev/null +++ b/modules/reference/pages/permissions.adoc 
@@ -0,0 +1,338 @@ += Roles and Permissions for Konflux + +Konflux uses Kubernetes for managing user roles and permissions. Leveraging the Kubernetes RBAC system enhances the testability of Konflux, including enabling the well-documented and widely-used Kubernetes APIs for testing and validation. User roles are mapped to specific permissions in the Kubernetes RBAC system in terms of API groups, verbs, and resources. + +The following are the Konflux user roles: + +* *Viewer:* Members who are mainly interested in CI results. + +* *Contributor:* Members who interact with the workspace mostly through +pull requests. + +* *Maintainer:* Members who manage the workspace without +access to sensitive or destructive actions. + +* *Admin:* Members who have full access to the workspace including sensitive and potentially destruction actions. + + +This section contains the following: + +* Table listing available roles and permissions +* Procedures on how to configure Konflux's roles and permissions + +== Roles and permissions table + +The roles and permissions table lists: + +* Roles +* Permissions +* API Groups +* Verbs +* Resources + + +[cols=",,,,",options="header",] +|=== +|Role |Permissions |API Groups |Verbs |Resources +|Viewer |Workspace |Access to namespaces that backs workspace | | + +| |Application |appstudio.redhat.com |get, list, watch |applications + +| |Component |appstudio.redhat.com |get, list, watch |components, +componentdetectionqueries + +| |ImageRepository |appstudio.redhat.com |get, list, watch +|imagerepositories + +| |Environment |appstudio.redhat.com |get, list, watch |promotionruns, +snapshotenvironmentbindings, snapshots, environments + +| |DeploymentTarget |appstudio.redhat.com |get, list, watch +|deploymenttargets + +| |DeploymentTargetClaim |appstudio.redhat.com |get, list, watch +|deploymenttargetclaims + +| |_GitOps_ |managed-gitops.redhat.com |get, list, watch +|gitopsdeployments, gitopsdeploymentmanagedenvironments, 
+gitopsdeploymentrepositorycredentials, gitopsdeploymentsyncruns + +| |PipelineRun |tekton.dev |get, list, watch |pipelineruns + +| |Pipeline Results |results.tekton.dev |get, list |results, records, +logs + +| |IntegrationTestScenario |appstudio.redhat.com |get, list, watch +|integrationtestscenarios + +| |Enterprise contract |appstudio.redhat.com |get, list, watch +|enterprisecontractpolicies + +| |_Release Service_ |appstudio.redhat.com |get, list, watch |releases, +releaseplans, releaseplanadmissions + +| |_JVM Build Service_ |jvmbuildservice.io |get, list, watch +|jbsconfigs, artifactbuilds + +| |_Service Access_ |appstudio.redhat.com |get, list, watch +|spiaccesstokenbindings, spiaccesschecks, spiaccesstokens, +spifilecontentrequests + +| |_Remote Secrets_ |appstudio.redhat.com |get, list, watch +|remotesecrets + +| |Build Service |appstudio.redhat.com |get, list, watch +|buildpipelineselectors + +| |Project Controller |projctl.konflux.dev |get, list, watch |projects, +projectdevelopmentstreams, projectdevelopmentstreamtemplates + +| |_Configs_ ||get, list, watch |configmaps + +| |_Secrets_ | | |secrets + +| |Add User | | | + +| |User group (with SSO) | | | + +| |CronJob |batch |get, list, watch |cronjobs, jobs + +|Contributor |Workspace |Access to namespaces that backs workspace | | + +| |Application |appstudio.redhat.com |get, list, watch |applications + +| |Component |appstudio.redhat.com |get, list, watch |components, +componentdetectionqueries + +| |ImageRepository |appstudio.redhat.com |get, list, watch +|imagerepositories + +| |Environment |appstudio.redhat.com |get, list, watch |promotionruns, +snapshotenvironmentbindings, snapshots, environments + +| |DeploymentTarget |appstudio.redhat.com |get, list, watch +|deploymenttargets + +| |DeploymentTargetClaim |appstudio.redhat.com |get, list, watch +|deploymenttargetclaims + +| |_GitOps_ |managed-gitops.redhat.com |get, list, watch +|gitopsdeployments, gitopsdeploymentmanagedenvironments, 
+gitopsdeploymentrepositorycredentials, gitopsdeploymentsyncruns + +| |PipelineRun |tekton.dev |get, list, watch |pipelineruns + +| |Pipeline Results |results.tekton.dev |get, list |results, records, +logs + +| |IntegrationTestScenario |appstudio.redhat.com |get, list, watch +|integrationtestscenarios + +| |Enterprise contract |appstudio.redhat.com |get, list, watch +|enterprisecontractpolicies + +| |_Release Service_ |appstudio.redhat.com |get, list, watch |releases, +releaseplans, releaseplanadmissions + +| |_JVM Build Service_ |jvmbuildservice.io |get, list, watch +|jbsconfigs, artifactbuilds + +| |_Service Access_ |appstudio.redhat.com |get, list, watch +|spiaccesstokenbindings, spiaccesschecks, spiaccesstokens, +spifilecontentrequests + +| |_Remote Secrets_ |appstudio.redhat.com |get, list, watch +|remotesecrets + +| |Build Service |appstudio.redhat.com |get, list, watch +|buildpipelineselectors + +| |Project Controller |projctl.konflux.dev |get, list, watch |projects, +projectdevelopmentstreams, projectdevelopmentstreamtemplates + +| |_Configs_ | |get, list, watch |configmaps + +| |_Secrets_ | | |secrets + +| |Pulp Access Controller |pulp.konflux-ci.dev |get, list, watch +|pulpaccessrequests + +| |Add User | | | + +| |User group (with SSO) | | | + +|  |CronJob |batch |get, list, watch |cronjobs, jobs + +|  |RoleBinding |rbac.authorization.k8s.io |get, list |rolebindings + +|Maintainer |Workspace |Access to namespaces that backs workspace |  |  + +|  |Application |appstudio.redhat.com |get, list, watch, create, update, +patch |applications, snapshots + +|  |Component |appstudio.redhat.com |get, list, watch, create, update, +patch |components, componentdetectionqueries + +|  |ImageRepository |appstudio.redhat.com |get, list, watch, create, +update, patch |imagerepositories + +|  |Environment |appstudio.redhat.com |get, list, watch |promotionruns, +snapshotenvironmentbindings, environments + +|  |DeploymentTarget |appstudio.redhat.com |get, list, watch 
+|deploymenttargets + +|  |DeploymentTargetClaim |appstudio.redhat.com |get, list, watch +|deploymenttargetclaims + +|  |_GitOps_ |managed-gitops.redhat.com |get, list, watch +|gitopsdeployments, gitopsdeploymentmanagedenvironments, +gitopsdeploymentrepositorycredentials, gitopsdeploymentsyncruns + +|  |PipelineRun |tekton.dev |get, list, watch |pipelineruns + +|  |Pipeline Results |results.tekton.dev |get, list |results, records, +logs + +|  |IntegrationTestScenario |appstudio.redhat.com |get, list, watch, +create, update, patch, delete |integrationtestscenarios + +|  |Enterprise contract |appstudio.redhat.com |get, list, watch +|enterprisecontractpolicies + +|  |_Release Service_ |appstudio.redhat.com |get, list, watch, create, +update, patch, delete |releases, releaseplans, releaseplanadmissions + +|  |_JVM Build Service_ |jvmbuildservice.io |get, list, watch, create, +update, patch |jbsconfigs, artifactbuilds + +|  |_Service Access_ |appstudio.redhat.com |get, list, watch, create, +update, patch |spiaccesstokenbindings, spiaccesschecks, spiaccesstokens, +spifilecontentrequests, spiaccesstokendataupdates + +|  |_Remote Secrets_ |appstudio.redhat.com |get, list, watch +|remotesecrets + +|  |Build Service |appstudio.redhat.com |get, list, watch, create +|buildpipelineselectors + +|  |Project Controller |projctl.konflux.dev |get, list, watch, create, +update, patch |projects, projectdevelopmentstreams, +projectdevelopmentstreamtemplates + +|  |_Configs_ |  |get, list, watch |configmaps + +|  |_Secrets_ |  |  |secrets + +|  |Pulp Access Controller |pulp.konflux-ci.dev |get, list, watch, +create, update, patch |pulpaccessrequests + +|  |Add User |  |  |  + +|  |User group (with SSO) |  |  |  + +|  |CronJob |batch |get, list, watch, create, update, patch |cronjobs, +jobs + +|  |RoleBinding |rbac.authorization.k8s.io |get, list |rolebindings + +|Admin |Workspace |Access to namespaces that backs workspace |  |  + +|  |Application |appstudio.redhat.com |get, list, watch, 
create, update, +patch, delete, deletecollection |applications + +|  |Component |appstudio.redhat.com |get, list, watch, create, update, +patch, delete, deletecollection |components, componentdetectionqueries + +|  |ImageRepository |appstudio.redhat.com |get, list, watch, create, +update, patch, delete, deletecollection |imagerepositories + +|  |Environment |appstudio.redhat.com |get, list, watch, create, update, +patch, delete |promotionruns, snapshotenvironmentbindings, snapshots, +environments + +|  |DeploymentTarget |appstudio.redhat.com |get, list, watch, create, +update, patch, delete |deploymenttargets + +|  |DeploymentTargetClaim |appstudio.redhat.com |get, list, watch, +create, update, patch, delete |deploymenttargetclaims + +|  |_GitOps_ |managed-gitops.redhat.com |get, list, watch +|gitopsdeployments, gitopsdeploymentmanagedenvironments, +gitopsdeploymentrepositorycredentials, gitopsdeploymentsyncruns + +|  |PipelineRun |tekton.dev |get, list, watch, create, update, patch, +delete |pipelineruns + +|  |Pipeline Results |results.tekton.dev |get, list |results, records, +logs + +|  |IntegrationTestScenario |appstudio.redhat.com |get, list, watch, +create, update, patch, delete |integrationtestscenarios + +|  |Enterprise contract |appstudio.redhat.com |get, list, watch, create, +update, patch, delete |enterprisecontractpolicies + +|  |_Release Service_ |appstudio.redhat.com |get, list, watch, create, +update, patch, delete |releases, releaseplans, releaseplanadmissions + +|  |Release Admission Plan |appstudio.redhat.com |get, list, watch, +create, update, patch, delete |releaseplanadmissions + +|  |_JVM Build Service_ |jvmbuildservice.io |get, list, watch, create, +update, patch, delete |jbsconfigs, artifactbuilds + +|  |_Service Access_ |appstudio.redhat.com |get, list, watch, create, +update, patch, delete |spiaccesstokenbindings, spiaccesschecks, +spiaccesstokens,spifilecontentrequests, spiaccesstokendataupdates + +|  |_Remote Secrets_ 
|appstudio.redhat.com |get, list, watch, create, +update, patch, delete |remotesecrets + +|  |Build Service |appstudio.redhat.com |get, list, watch, create, +update, patch, delete |buildpipelineselectors + +|  |Project Controller |projctl.konflux.dev |get, list, watch, create, +update, patch, delete |projects, projectdevelopmentstreams, +projectdevelopmentstreamtemplates + +|  |_Configs_ |  |get, list, watch, create, update, patch, delete +|configmaps + +|  |_Secrets_ |  |get, list, watch, create, update, patch, delete +|secrets + +|  |_Exec to pods_ |  |create |pods/exec + +|  |Pulp Access Controller |pulp.konflux-ci.dev |get, list, watch, +create, update, patch |pulpaccessrequests + +|  |SpaceBindingRequest |toolchain.dev.openshift.com |get, list, watch, +create, update, patch, delete |spacebindingrequests + +|  |Add User |  |  |  + +|  |User group (with SSO) |  |  |  + +|  |CronJob |batch |get, list, watch, create, update, patch, delete +|cronjobs, jobs + +|  |RoleBinding |rbac.authorization.k8s.io |get, list, create, update, +patch, delete |rolebindings, roles + +|  |ServiceAccount |  |get, list, create, update, patch, delete +|serviceaccounts + +| |Token | |create |serviceaccounts/token +|=== + +== Configuring user roles and permissions for Konflux + +To configure roles and permissions in Konflux, you configure two yaml files using the information in the roles and permissions table. + +Model your yaml files according to these example yaml files: + +* link:https://github.com/konflux-ci/konflux-ci/blob/main/konflux-ci/rbac/core/kustomization.yaml[Kustomization] + +* link:https://github.com/konflux-ci/konflux-ci/blob/main/konflux-ci/rbac/core/konflux-admin-user-actions.yaml[Admin] +
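Review bot: (getting-started.adoc hunk) The context line directly under the changed sentence carries a `//TODO` that misspells "seperate"; since this region is being touched, fix it to "separate" in the same change. The xref itself is fine, but note that the ADR link it replaces was the only place the rationale for the roles was referenced; if the new `permissions.adoc` page does not link the ADR, that rationale becomes unreachable from the docs.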
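Review bot: (share-with-community.adoc hunk) The link text `konflux-viewer-user-actions Role` now points at `xref:reference:permissions.adoc`, but that page never names `konflux-viewer-user-actions` (it uses the labels Viewer/Contributor/Maintainer/Admin and links only `konflux-admin-user-actions.yaml`), so a tenant admin following the xref cannot confirm which ClusterRole to bind `system:authenticated` to. Suggest adding the ClusterRole names to the roles table (or a dedicated anchor) on the new page and pointing this xref at that anchor. Since this binding exposes the namespace to every authenticated user, it would also help to state here what Viewer can read, e.g. `configmaps` with `get, list, watch` per the Viewer row.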
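Review bot: (glossary/index.adoc hunk) The `+` line still ends with `\ No newline at end of file`; add the trailing newline while editing this line. The correction from "three tiers" to "four tiers" matches the four roles listed in the same sentence, so that part is good.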
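Review bot: (permissions.adoc, new file) Several table cells are blank where they carry meaning, which defeats the page's purpose as a reference: the API Groups cell is empty for `configmaps`, `secrets`, `serviceaccounts`, `pods/exec` and `serviceaccounts/token` (write the core group explicitly, e.g. `""` or "core"); the `_Secrets_` row for Viewer, Contributor and Maintainer lists no verbs at all, leaving it unclear whether those roles have no access to secrets (which the Maintainer description "without access to sensitive or destructive actions" implies), so write "none" there; and the `Add User` and `User group (with SSO)` rows are empty in every column for every role, including Admin. The Admin bullet says "sensitive and potentially destruction actions" (typo: "destructive"), but the table leaves the reader to find which ones; a sentence after the role list naming them (`secrets` read/write, `pods/exec` create, `serviceaccounts/token` create, and `roles`/`rolebindings` create, update, patch, delete) would make the choice of who gets Admin much easier to review. Smaller points: "Access to namespaces that backs workspace" should read "back the workspace"; `spiaccesstokens,spifilecontentrequests` is missing a space; the Admin `Release Admission Plan` row duplicates `releaseplanadmissions` already listed in the Admin `_Release Service_` row; Admin `Pulp Access Controller` lacks `delete` while every other Admin row has it, so confirm that is intended. The closing section says "you configure two yaml files" but links only the Kustomization and the Admin ClusterRole, and never says how a user is actually granted a role (a RoleBinding in the tenant namespace); either link all four role files or state that step, and capitalise "YAML".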