From d705b52540cfd8b2254b9adbcdb5e3bff42b242c Mon Sep 17 00:00:00 2001 From: pcelmer Date: Tue, 30 Sep 2025 22:49:14 -0400 Subject: [PATCH 1/3] Add roles and permissions table and configuration instructions. --- modules/ROOT/pages/getting-started.adoc | 2 +- modules/ROOT/pages/share-with-community.adoc | 2 +- modules/glossary/pages/index.adoc | 2 +- modules/reference/pages/permissions.adoc | 352 +++++++++++++++++++ 4 files changed, 355 insertions(+), 3 deletions(-) create mode 100644 modules/reference/pages/permissions.adoc diff --git a/modules/ROOT/pages/getting-started.adoc b/modules/ROOT/pages/getting-started.adoc index 461e33bd..7d3c69d6 100644 --- a/modules/ROOT/pages/getting-started.adoc +++ b/modules/ROOT/pages/getting-started.adoc @@ -12,7 +12,7 @@ provide a foundational mechanism for isolating groups of resources within a sing {ProductName} scopes all the resources and APIs you interact with to namespaces, including your components, applications, snapshots, secrets, and the Tekton PipelineRuns that perform builds, tests, and releases. === Tenant namespace -Tenant namespaces are where Tekton Pipelines produce artifacts that more than one individual can access according to their roles and the permissions defined by link:https://konflux-ci.dev/architecture/ADR/0011-roles-and-permissions.html[those roles]. +Tenant namespaces are where Tekton Pipelines produce artifacts that more than one individual can access according to their roles and the permissions defined by xref:reference:permissions.adoc[those roles]. The tenant namespaces can be either for an individual or a team. //TODO: Document the process for getting access to/creating new namespaces (We should store this information in a seperate file and link to it. It doesn't need to be in this document). diff --git a/modules/ROOT/pages/share-with-community.adoc b/modules/ROOT/pages/share-with-community.adoc index 896ea129..9ff77db9 100644 --- a/modules/ROOT/pages/share-with-community.adoc 
+++ b/modules/ROOT/pages/share-with-community.adoc @@ -2,7 +2,7 @@ As a tenant admin, you may want to give visibility on your project to the Konflux users outside your team. -For this purpose, Konflux allows you to bind the `system:authenticated` group to the link:https://konflux-ci.dev/architecture/ADR/0011-roles-and-permissions.html[konflux-viewer-user-actions Role]. +For this purpose, Konflux allows you to bind the `system:authenticated` group to the xref:reference:permissions.adoc[konflux-viewer-user-actions Role]. As a result, each authenticated user in Konflux will be allowed to view your Tenant namespace and its resources from CLI and UI. include::partial${context}-share-community-first-paragraph.adoc[] diff --git a/modules/glossary/pages/index.adoc b/modules/glossary/pages/index.adoc index b2b4f71f..bf189da5 100644 --- a/modules/glossary/pages/index.adoc +++ b/modules/glossary/pages/index.adoc 
@@ -68,4 +68,4 @@ [[tekton-results]]Tekton results:: A mechanism that stores PipelineRun and TaskRun metadata in a separate database and underlying pod logs in cloud storage. After this metadata is stored in a separate database, the original resources are removed from the cluster. -[[tenant-namespace]]tenant namespace:: A Kubernetes namespace which is owned by either an individual or a group of individuals. All Tekton Pipelines are run within a tenant namespace including build, test, and release pipelines. Access can be granted to individuals in link:https://konflux-ci.dev/architecture/ADR/0011-roles-and-permissions.html[three tiers], `Viewer`, `Contributor`, `Maintainer`, and `Admin`. \ No newline at end of file +[[tenant-namespace]]tenant namespace:: A Kubernetes namespace which is owned by either an individual or a group of individuals. All Tekton Pipelines are run within a tenant namespace including build, test, and release pipelines. Access can be granted to individuals in xref:reference:permissions.adoc[four tiers], `Viewer`, `Contributor`, `Maintainer`, and `Admin`. \ No newline at end of file diff --git a/modules/reference/pages/permissions.adoc b/modules/reference/pages/permissions.adoc new file mode 100644 index 00000000..64cb4647 --- /dev/null +++ b/modules/reference/pages/permissions.adoc 
@@ -0,0 +1,352 @@ += Roles and Permissions for Konflux + +Konflux uses Kubernetes for managing user permissions and roles. Roles are mapped to specific permissions in the Kubernetes RBAC system, in terms of API groups, verbs, and resources. + +Leveraging the Kubernetes RBAC system enhances the +testability of Konflux, including the ability to use the well-documented and widely-used Kubernetes APIs for testing and validation. + +The following are the Konflux user roles: + +* *Viewer:* Members who are mainly interested in CI results. + +* *Contributor:* Members who interact with the workspace mostly through +pull requests. + +* *Maintainer:* Members who manage the workspace without +access to sensitive or destructive actions. + +* *Admin:* Members who have full access to the workspace including sensitive and potentially destruction actions. + +== Configuring Roles and Permissions for Konflux +To configure roles and permissions in Konflux, you use two yaml files. + + +Model your yaml files according to xref:xxxxxxxx[these example files]. 
+ +== Roles and Permissions Table + +The following table lists: + +* Roles +* Permissions +* API Groups +* Verbs +* Resources + + +[cols=",,,,",options="header",] +|=== +|Role |Permissions |API Groups |Verbs |Resources +|Viewer |Workspace |Access to namespaces that backs workspace | | + +| |Application |appstudio.redhat.com |get, list, watch |applications + +| |Component |appstudio.redhat.com |get, list, watch |components, +componentdetectionqueries + +| |ImageRepository |appstudio.redhat.com |get, list, watch +|imagerepositories + +| |Environment |appstudio.redhat.com |get, list, watch |promotionruns, +snapshotenvironmentbindings, snapshots, environments + +| |DeploymentTarget |appstudio.redhat.com |get, list, watch +|deploymenttargets + +| |DeploymentTargetClaim |appstudio.redhat.com |get, list, watch +|deploymenttargetclaims + +| |_GitOps_ |managed-gitops.redhat.com |get, list, watch +|gitopsdeployments, gitopsdeploymentmanagedenvironments, +gitopsdeploymentrepositorycredentials, gitopsdeploymentsyncruns + +|  |PipelineRun |tekton.dev |get, list, watch |pipelineruns + +|  |Pipeline Results |results.tekton.dev |get, list |results, records, +logs + +|  |IntegrationTestScenario |appstudio.redhat.com |get, list, watch +|integrationtestscenarios + +|  |Enterprise contract |appstudio.redhat.com |get, list, watch +|enterprisecontractpolicies + +|  |_Release Service_ |appstudio.redhat.com |get, list, watch |releases, +releaseplans, releaseplanadmissions + +|  |_JVM Build Service_ |jvmbuildservice.io |get, list, watch +|jbsconfigs, artifactbuilds + +|  |_Service Access_ |appstudio.redhat.com |get, list, watch +|spiaccesstokenbindings, spiaccesschecks, spiaccesstokens, +spifilecontentrequests + +|  |_Remote Secrets_ |appstudio.redhat.com |get, list, watch +|remotesecrets + +|  |Build Service |appstudio.redhat.com |get, list, watch +|buildpipelineselectors + +|  |Project Controller |projctl.konflux.dev |get, list, watch |projects, +projectdevelopmentstreams, 
projectdevelopmentstreamtemplates + +|  |_Configs_ |  |get, list, watch |configmaps + +|  |_Secrets_ |  |  |secrets + +|  |Add User |  |  |  + +|  |User group (with SSO) |  |  |  + +|  |CronJob |batch |get, list, watch |cronjobs, jobs + +|Contributor |Workspace |Access to namespaces that backs workspace |  |  + +|  |Application |appstudio.redhat.com |get, list, watch |applications + +|  |Component |appstudio.redhat.com |get, list, watch |components, +componentdetectionqueries + +|  |ImageRepository |appstudio.redhat.com |get, list, watch +|imagerepositories + +|  |Environment |appstudio.redhat.com |get, list, watch |promotionruns, +snapshotenvironmentbindings, snapshots, environments + +|  |DeploymentTarget |appstudio.redhat.com |get, list, watch +|deploymenttargets + +|  |DeploymentTargetClaim |appstudio.redhat.com |get, list, watch +|deploymenttargetclaims + +|  |_GitOps_ |managed-gitops.redhat.com |get, list, watch +|gitopsdeployments, gitopsdeploymentmanagedenvironments, +gitopsdeploymentrepositorycredentials, gitopsdeploymentsyncruns + +|  |PipelineRun |tekton.dev |get, list, watch |pipelineruns + +|  |Pipeline Results |results.tekton.dev |get, list |results, records, +logs + +|  |IntegrationTestScenario |appstudio.redhat.com |get, list, watch +|integrationtestscenarios + +|  |Enterprise contract |appstudio.redhat.com |get, list, watch +|enterprisecontractpolicies + +|  |_Release Service_ |appstudio.redhat.com |get, list, watch |releases, +releaseplans, releaseplanadmissions + +|  |_JVM Build Service_ |jvmbuildservice.io |get, list, watch +|jbsconfigs, artifactbuilds + +|  |_Service Access_ |appstudio.redhat.com |get, list, watch +|spiaccesstokenbindings, spiaccesschecks, spiaccesstokens, +spifilecontentrequests + +|  |_Remote Secrets_ |appstudio.redhat.com |get, list, watch +|remotesecrets + +|  |Build Service |appstudio.redhat.com |get, list, watch +|buildpipelineselectors + +|  |Project Controller |projctl.konflux.dev |get, list, watch |projects, 
+projectdevelopmentstreams, projectdevelopmentstreamtemplates + +|  |_Configs_ |  |get, list, watch |configmaps + +|  |_Secrets_ |  |  |secrets + +|  |Pulp Access Controller |pulp.konflux-ci.dev |get, list, watch +|pulpaccessrequests + +|  |Add User |  |  |  + +|  |User group (with SSO) |  |  |  + +|  |CronJob |batch |get, list, watch |cronjobs, jobs + +|  |RoleBinding |rbac.authorization.k8s.io |get, list |rolebindings + +|Maintainer |Workspace |Access to namespaces that backs workspace |  |  + +|  |Application |appstudio.redhat.com |get, list, watch, create, update, +patch |applications, snapshots + +|  |Component |appstudio.redhat.com |get, list, watch, create, update, +patch |components, componentdetectionqueries + +|  |ImageRepository |appstudio.redhat.com |get, list, watch, create, +update, patch |imagerepositories + +|  |Environment |appstudio.redhat.com |get, list, watch |promotionruns, +snapshotenvironmentbindings, environments + +|  |DeploymentTarget |appstudio.redhat.com |get, list, watch +|deploymenttargets + +|  |DeploymentTargetClaim |appstudio.redhat.com |get, list, watch +|deploymenttargetclaims + +|  |_GitOps_ |managed-gitops.redhat.com |get, list, watch +|gitopsdeployments, gitopsdeploymentmanagedenvironments, +gitopsdeploymentrepositorycredentials, gitopsdeploymentsyncruns + +|  |PipelineRun |tekton.dev |get, list, watch |pipelineruns + +|  |Pipeline Results |results.tekton.dev |get, list |results, records, +logs + +|  |IntegrationTestScenario |appstudio.redhat.com |get, list, watch, +create, update, patch, delete |integrationtestscenarios + +|  |Enterprise contract |appstudio.redhat.com |get, list, watch +|enterprisecontractpolicies + +|  |_Release Service_ |appstudio.redhat.com |get, list, watch, create, +update, patch, delete |releases, releaseplans, releaseplanadmissions + +|  |_JVM Build Service_ |jvmbuildservice.io |get, list, watch, create, +update, patch |jbsconfigs, artifactbuilds + +|  |_Service Access_ |appstudio.redhat.com |get, list, 
watch, create, +update, patch |spiaccesstokenbindings, spiaccesschecks, spiaccesstokens, +spifilecontentrequests, spiaccesstokendataupdates + +|  |_Remote Secrets_ |appstudio.redhat.com |get, list, watch +|remotesecrets + +|  |Build Service |appstudio.redhat.com |get, list, watch, create +|buildpipelineselectors + +|  |Project Controller |projctl.konflux.dev |get, list, watch, create, +update, patch |projects, projectdevelopmentstreams, +projectdevelopmentstreamtemplates + +|  |_Configs_ |  |get, list, watch |configmaps + +|  |_Secrets_ |  |  |secrets + +|  |Pulp Access Controller |pulp.konflux-ci.dev |get, list, watch, +create, update, patch |pulpaccessrequests + +|  |Add User |  |  |  + +|  |User group (with SSO) |  |  |  + +|  |CronJob |batch |get, list, watch, create, update, patch |cronjobs, +jobs + +|  |RoleBinding |rbac.authorization.k8s.io |get, list |rolebindings + +|Admin |Workspace |Access to namespaces that backs workspace |  |  + +|  |Application |appstudio.redhat.com |get, list, watch, create, update, +patch, delete, deletecollection |applications + +|  |Component |appstudio.redhat.com |get, list, watch, create, update, +patch, delete, deletecollection |components, componentdetectionqueries + +|  |ImageRepository |appstudio.redhat.com |get, list, watch, create, +update, patch, delete, deletecollection |imagerepositories + +|  |Environment |appstudio.redhat.com |get, list, watch, create, update, +patch, delete |promotionruns, snapshotenvironmentbindings, snapshots, +environments + +|  |DeploymentTarget |appstudio.redhat.com |get, list, watch, create, +update, patch, delete |deploymenttargets + +|  |DeploymentTargetClaim |appstudio.redhat.com |get, list, watch, +create, update, patch, delete |deploymenttargetclaims + +|  |_GitOps_ |managed-gitops.redhat.com |get, list, watch +|gitopsdeployments, gitopsdeploymentmanagedenvironments, +gitopsdeploymentrepositorycredentials, gitopsdeploymentsyncruns + +|  |PipelineRun |tekton.dev |get, list, watch, create, 
update, patch, +delete |pipelineruns + +|  |Pipeline Results |results.tekton.dev |get, list |results, records, +logs + +|  |IntegrationTestScenario |appstudio.redhat.com |get, list, watch, +create, update, patch, delete |integrationtestscenarios + +|  |Enterprise contract |appstudio.redhat.com |get, list, watch, create, +update, patch, delete |enterprisecontractpolicies + +|  |_Release Service_ |appstudio.redhat.com |get, list, watch, create, +update, patch, delete |releases, releaseplans, releaseplanadmissions + +|  |Release Admission Plan |appstudio.redhat.com |get, list, watch, +create, update, patch, delete |releaseplanadmissions + +|  |_JVM Build Service_ |jvmbuildservice.io |get, list, watch, create, +update, patch, delete |jbsconfigs, artifactbuilds + +|  |_Service Access_ |appstudio.redhat.com |get, list, watch, create, +update, patch, delete |spiaccesstokenbindings, spiaccesschecks, +spiaccesstokens,spifilecontentrequests, spiaccesstokendataupdates + +|  |_Remote Secrets_ |appstudio.redhat.com |get, list, watch, create, +update, patch, delete |remotesecrets + +|  |Build Service |appstudio.redhat.com |get, list, watch, create, +update, patch, delete |buildpipelineselectors + +|  |Project Controller |projctl.konflux.dev |get, list, watch, create, +update, patch, delete |projects, projectdevelopmentstreams, +projectdevelopmentstreamtemplates + +|  |_Configs_ |  |get, list, watch, create, update, patch, delete +|configmaps + +|  |_Secrets_ |  |get, list, watch, create, update, patch, delete +|secrets + +|  |_Exec to pods_ |  |create |pods/exec + +|  |Pulp Access Controller |pulp.konflux-ci.dev |get, list, watch, +create, update, patch |pulpaccessrequests + +|  |SpaceBindingRequest |toolchain.dev.openshift.com |get, list, watch, +create, update, patch, delete |spacebindingrequests + +|  |Add User |  |  |  + +|  |User group (with SSO) |  |  |  + +|  |CronJob |batch |get, list, watch, create, update, patch, delete +|cronjobs, jobs + +|  |RoleBinding 
|rbac.authorization.k8s.io |get, list, create, update, +patch, delete |rolebindings, roles + +|  |ServiceAccount |  |get, list, create, update, patch, delete +|serviceaccounts + +|  |Token |  |create |serviceaccounts/token +|=== + +=== Consequences + +* This decision will allow us to easily integrate with the Kubernetes +environment and take advantage of its robust and well-tested RBAC +system. + + + +* It will also allow us to assign the appropriate level of permissions +to each role, based on the responsibilities and privileges associated +with each role in our project. + + + +* +* + +Using the built-in Kubernetes RBAC system may require some initial +configuration and setup. + + From fe2162fa21ec0739dcc81b48b7a43ef9c7def19d Mon Sep 17 00:00:00 2001 From: pcelmer Date: Wed, 1 Oct 2025 08:53:07 -0400 Subject: [PATCH 2/3] Adding roles and permissions from an existing ADR. --- modules/reference/pages/permissions.adoc | 116 ++++++++++------------- 1 file changed, 51 insertions(+), 65 deletions(-) diff --git a/modules/reference/pages/permissions.adoc b/modules/reference/pages/permissions.adoc index 64cb4647..fe6df922 100644 --- a/modules/reference/pages/permissions.adoc +++ b/modules/reference/pages/permissions.adoc 
@@ -1,9 +1,6 @@ = Roles and Permissions for Konflux -Konflux uses Kubernetes for managing user permissions and roles. Roles are mapped to specific permissions in the Kubernetes RBAC system, in terms of API groups, verbs, and resources. - -Leveraging the Kubernetes RBAC system enhances the -testability of Konflux, including the ability to use the well-documented and widely-used Kubernetes APIs for testing and validation. +Konflux uses Kubernetes for managing user roles and permissions. Leveraging the Kubernetes RBAC system enhances the testability of Konflux, including enabling the well-documented and widely-used Kubernetes APIs for testing and validation. User roles are mapped to specific permissions in the Kubernetes RBAC system in terms of API groups, verbs, and resources. The following are the Konflux user roles: @@ -17,15 +14,15 @@ access to sensitive or destructive actions. * *Admin:* Members who have full access to the workspace including sensitive and potentially destruction actions. -== Configuring Roles and Permissions for Konflux -To configure roles and permissions in Konflux, you use two yaml files. +This section contains the following: -Model your yaml files according to xref:xxxxxxxx[these example files]. +* Table listing available roles and permissions +* Procedures on how to configure Konflux's roles and permissions -== Roles and Permissions Table +== Roles and permissions table -The following table lists: +The roles and permissions table lists: * Roles * Permissions 
@@ -60,109 +57,109 @@ snapshotenvironmentbindings, snapshots, environments |gitopsdeployments, gitopsdeploymentmanagedenvironments, gitopsdeploymentrepositorycredentials, gitopsdeploymentsyncruns -|  |PipelineRun |tekton.dev |get, list, watch |pipelineruns +| |PipelineRun |tekton.dev |get, list, watch |pipelineruns -|  |Pipeline Results |results.tekton.dev |get, list |results, records, +| |Pipeline Results |results.tekton.dev |get, list |results, records, logs -|  |IntegrationTestScenario |appstudio.redhat.com |get, list, watch +| |IntegrationTestScenario |appstudio.redhat.com |get, list, watch |integrationtestscenarios -|  |Enterprise contract |appstudio.redhat.com |get, list, watch +| |Enterprise contract |appstudio.redhat.com |get, list, watch |enterprisecontractpolicies -|  |_Release Service_ |appstudio.redhat.com |get, list, watch |releases, +| |_Release Service_ |appstudio.redhat.com |get, list, watch |releases, releaseplans, releaseplanadmissions -|  |_JVM Build Service_ |jvmbuildservice.io |get, list, watch +| |_JVM Build Service_ |jvmbuildservice.io |get, list, watch |jbsconfigs, artifactbuilds -|  |_Service Access_ |appstudio.redhat.com |get, list, watch +| |_Service Access_ |appstudio.redhat.com |get, list, watch |spiaccesstokenbindings, spiaccesschecks, spiaccesstokens, spifilecontentrequests -|  |_Remote Secrets_ |appstudio.redhat.com |get, list, watch +| |_Remote Secrets_ |appstudio.redhat.com |get, list, watch |remotesecrets -|  |Build Service |appstudio.redhat.com |get, list, watch +| |Build Service |appstudio.redhat.com |get, list, watch |buildpipelineselectors -|  |Project Controller |projctl.konflux.dev |get, list, watch |projects, +| |Project Controller |projctl.konflux.dev |get, list, watch |projects, projectdevelopmentstreams, projectdevelopmentstreamtemplates -|  |_Configs_ |  |get, list, watch |configmaps +| |_Configs_ ||get, list, watch |configmaps -|  |_Secrets_ |  |  |secrets +| |_Secrets_ | | |secrets -|  |Add User |  |  |  +| |Add User 
| | | -|  |User group (with SSO) |  |  |  +| |User group (with SSO) | | | -|  |CronJob |batch |get, list, watch |cronjobs, jobs +| |CronJob |batch |get, list, watch |cronjobs, jobs -|Contributor |Workspace |Access to namespaces that backs workspace |  |  +|Contributor |Workspace |Access to namespaces that backs workspace | | -|  |Application |appstudio.redhat.com |get, list, watch |applications +| |Application |appstudio.redhat.com |get, list, watch |applications -|  |Component |appstudio.redhat.com |get, list, watch |components, +| |Component |appstudio.redhat.com |get, list, watch |components, componentdetectionqueries -|  |ImageRepository |appstudio.redhat.com |get, list, watch +| |ImageRepository |appstudio.redhat.com |get, list, watch |imagerepositories -|  |Environment |appstudio.redhat.com |get, list, watch |promotionruns, +| |Environment |appstudio.redhat.com |get, list, watch |promotionruns, snapshotenvironmentbindings, snapshots, environments -|  |DeploymentTarget |appstudio.redhat.com |get, list, watch +| |DeploymentTarget |appstudio.redhat.com |get, list, watch |deploymenttargets -|  |DeploymentTargetClaim |appstudio.redhat.com |get, list, watch +| |DeploymentTargetClaim |appstudio.redhat.com |get, list, watch |deploymenttargetclaims -|  |_GitOps_ |managed-gitops.redhat.com |get, list, watch +| |_GitOps_ |managed-gitops.redhat.com |get, list, watch |gitopsdeployments, gitopsdeploymentmanagedenvironments, gitopsdeploymentrepositorycredentials, gitopsdeploymentsyncruns -|  |PipelineRun |tekton.dev |get, list, watch |pipelineruns +| |PipelineRun |tekton.dev |get, list, watch |pipelineruns -|  |Pipeline Results |results.tekton.dev |get, list |results, records, +| |Pipeline Results |results.tekton.dev |get, list |results, records, logs -|  |IntegrationTestScenario |appstudio.redhat.com |get, list, watch +| |IntegrationTestScenario |appstudio.redhat.com |get, list, watch |integrationtestscenarios -|  |Enterprise contract |appstudio.redhat.com |get, list, 
watch +| |Enterprise contract |appstudio.redhat.com |get, list, watch |enterprisecontractpolicies -|  |_Release Service_ |appstudio.redhat.com |get, list, watch |releases, +| |_Release Service_ |appstudio.redhat.com |get, list, watch |releases, releaseplans, releaseplanadmissions -|  |_JVM Build Service_ |jvmbuildservice.io |get, list, watch +| |_JVM Build Service_ |jvmbuildservice.io |get, list, watch |jbsconfigs, artifactbuilds -|  |_Service Access_ |appstudio.redhat.com |get, list, watch +| |_Service Access_ |appstudio.redhat.com |get, list, watch |spiaccesstokenbindings, spiaccesschecks, spiaccesstokens, spifilecontentrequests -|  |_Remote Secrets_ |appstudio.redhat.com |get, list, watch +| |_Remote Secrets_ |appstudio.redhat.com |get, list, watch |remotesecrets -|  |Build Service |appstudio.redhat.com |get, list, watch +| |Build Service |appstudio.redhat.com |get, list, watch |buildpipelineselectors -|  |Project Controller |projctl.konflux.dev |get, list, watch |projects, +| |Project Controller |projctl.konflux.dev |get, list, watch |projects, projectdevelopmentstreams, projectdevelopmentstreamtemplates -|  |_Configs_ |  |get, list, watch |configmaps +| |_Configs_ | |get, list, watch |configmaps -|  |_Secrets_ |  |  |secrets +| |_Secrets_ | | |secrets -|  |Pulp Access Controller |pulp.konflux-ci.dev |get, list, watch +| |Pulp Access Controller |pulp.konflux-ci.dev |get, list, watch |pulpaccessrequests -|  |Add User |  |  |  +| |Add User | | | -|  |User group (with SSO) |  |  |  +| |User group (with SSO) | | | |  |CronJob |batch |get, list, watch |cronjobs, jobs 
@@ -326,27 +323,16 @@ patch, delete |rolebindings, roles |  |ServiceAccount |  |get, list, create, update, patch, delete |serviceaccounts -|  |Token |  |create |serviceaccounts/token +| |Token | |create |serviceaccounts/token |=== -=== Consequences - -* This decision will allow us to easily integrate with the Kubernetes -environment and take advantage of its robust and well-tested RBAC -system. - - - -* It will also allow us to assign the appropriate level of permissions -to each role, based on the responsibilities and privileges associated -with each role in our project. - - +== Configuring user roles and permissions for Konflux + +To configure roles and permissions in Konflux, you configure two yaml files using the information in the roles and permissions table. -* -* +Model your yaml files according to these example yaml files: -Using the built-in Kubernetes RBAC system may require some initial -configuration and setup. +* link:https://github.com/konflux-ci/konflux-ci/blob/main/konflux-ci/rbac/core/kustomization.yaml[Kustomization] +* link:https://github.com/konflux-ci/konflux-ci/blob/main/konflux-ci/rbac/core/konflux-admin-user-actions.yaml[Admin] From 77a448747130513d628aee575b02f8f115e31a89 Mon Sep 17 00:00:00 2001 From: pcelmer Date: Wed, 1 Oct 2025 09:26:21 -0400 Subject: [PATCH 3/3] Fixed left side navigation. --- modules/reference/nav.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/reference/nav.adoc b/modules/reference/nav.adoc index 6c4aa2e1..76e3f9ee 100644 --- a/modules/reference/nav.adoc +++ b/modules/reference/nav.adoc 
@@ -1,5 +1,6 @@ * xref:index.adoc[Reference] ** xref:sample-repositories.adoc[Sample repositories] +** xref:permissions.adoc[Roles and permissions] ** xref:kube-apis/index.adoc[Konflux Kubernetes APIs] *** xref:kube-apis/application-api.adoc#k8s-api-github-com-konflux-ci-application-api-api-v1alpha1-application[Application] *** xref:kube-apis/application-api.adoc#k8s-api-github-com-konflux-ci-application-api-api-v1alpha1-component[Component]
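Review bot: in PATCH 1/3, hunk for `modules/ROOT/pages/share-with-community.adoc` (`@@ -2,7 +2,7 @@`), the link text `konflux-viewer-user-actions Role` now points at `xref:reference:permissions.adoc`, but the new permissions page only ever names the roles as Viewer, Contributor, Maintainer and Admin and never mentions the concrete Role object `konflux-viewer-user-actions`, so a reader following the link will not find the thing the sentence names. Either add the Kubernetes Role names next to the abstract role names on the permissions page (ideally with an anchor this xref can target), or change the link text here to match the page's wording.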
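Review bot: in PATCH 1/3, hunk for `modules/glossary/pages/index.adoc` (`@@ -68,4 +68,4 @@`), the rewritten last line still ends with `\ No newline at end of file`; since the line is being replaced anyway, add the trailing newline so the file ends cleanly and future diffs of the last glossary entry stay minimal. The correction from `three tiers` to `four tiers` is right, as the entry itself lists `Viewer`, `Contributor`, `Maintainer`, and `Admin`.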
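Review bot: in PATCH 1/3, hunk for the new `modules/reference/pages/permissions.adoc` (`@@ -0,0 +1,352 @@`), several table rows leave the API Groups, Verbs or Resources cells empty, for example `|  |_Secrets_ |  |  |secrets` for Viewer, Contributor and Maintainer and the `Add User` and `User group (with SSO)` rows for every role, so a reader cannot tell whether the role has no access or the cell was never filled in; on a permissions reference that distinction matters, so write an explicit value such as `none` where a role genuinely has no verbs, and fill in the API group and resource for the `Add User` and `User group (with SSO)` rows if they are RBAC-backed (or drop them if they are not). In the same hunk: `xref:xxxxxxxx[these example files]` is a placeholder target that will produce a broken xref at build time; `potentially destruction actions` should read `potentially destructive actions`; `Access to namespaces that backs workspace` is a sentence sitting in the API Groups column (and should read `back`); the Admin block lists `releaseplanadmissions` both under `_Release Service_` and again in a separate `Release Admission Plan` row; and the closing `=== Consequences` section, with its two empty `*` bullets and the stray trailing sentence about initial configuration, is ADR decision-record text rather than reference content. PATCH 2/3 removes the Consequences section and the placeholder xref, so the table and wording points are what still need fixing. Finally, since only the Admin rows grant `create` on `pods/exec` and `serviceaccounts/token`, consider a short note beside the table saying that these two entries are what the role description means by sensitive actions, so that whoever binds the Admin role understands what they are handing out.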
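Review bot: in PATCH 2/3, first hunk of `modules/reference/pages/permissions.adoc` (`@@ -1,9 +1,6 @@`), the context line `* *Admin:* Members who have full access to the workspace including sensitive and potentially destruction actions.` still carries the typo introduced in PATCH 1/3 (`destruction` should be `destructive`); the neighbouring lines are being rewritten here, so fold that fix in. The new bullet `* Procedures on how to configure Konflux's roles and permissions` promises procedures, but the section added in the last hunk of this patch contains no steps, only two links; either add the steps or reword the bullet to say that example configuration files are linked.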
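Review bot: in PATCH 2/3, hunk `@@ -60,109 +57,109 @@`, the cleanup of the `|  |` empty-cell spelling to `| |` stops partway through the table: the hunk's own last context line, `|  |CronJob |batch |get, list, watch |cronjobs, jobs`, and the Maintainer and Admin rows visible as context in the following hunk (`|  |ServiceAccount |  |get, list, create, update, patch, delete`) keep the old form. Apply the change to the whole table in one pass so the source does not mix both spellings, and make the Viewer line `| |_Configs_ ||get, list, watch |configmaps` consistent with the Contributor form `| |_Configs_ | |get, list, watch |configmaps`.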
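Review bot: in PATCH 2/3, hunk `@@ -326,27 +323,16 @@`, the new `== Configuring user roles and permissions for Konflux` section says `you configure two yaml files` but links only a Kustomization and the Admin role definition (`konflux-admin-user-actions.yaml`), while the page documents four roles; link the Viewer, Contributor and Maintainer role files as well, or state that the Admin file is shown as the pattern for the others. The section also omits the step that makes a Role take effect: it has to be bound to a user or group through a RoleBinding in the tenant namespace, which the table lists under `rbac.authorization.k8s.io` and which the `share-with-community.adoc` change in PATCH 1/3 relies on when it binds `system:authenticated` to the viewer Role. Both links point at `blob/main`, so the examples can drift away from the table on this page; pin them to a tag or commit. Removing `=== Consequences` and the placeholder xref here is the right call.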