AuthorizationRule

Scope: Namespaced
Version: v1alpha1

Manages RBAC and authorization settings within a particular namespace.

The AuthorizationRule resource is used in the obsolete role-based model, which will be removed in future versions of Deckhouse. We recommend using the new role-based model.

  • spec
    object

    Required value

    • spec.accessLevel
      string

      Access level:

      • User — has access to information about all objects (including viewing pod logs) but cannot exec into containers, read secrets, or perform port-forwarding;
      • PrivilegedUser — the same as User + can exec into containers, read secrets, and delete pods (and thus, restart them);
      • Editor — is the same as PrivilegedUser + can create and edit all objects that are usually required for application tasks;
      • Admin — the same as Editor + can delete service objects (auxiliary resources such as ReplicaSet, certmanager.k8s.io/challenges and certmanager.k8s.io/orders);

      Allowed values: User, PrivilegedUser, Editor, Admin

      Example:

      accessLevel: PrivilegedUser
      
    • spec.allowScale
      boolean

      Defines if scaling of Deployments and StatefulSets is allowed/not allowed.

      Default: false

    • spec.portForwarding
      boolean

      Allow/disallow the user to do port-forwarding.

      Default: false

    • spec.subjects
      array of objects

      Required value

      Users and/or groups to grant privileges.

      Kubernetes API reference…

      Pay attention to the following nuances if this module is used together with the user-authn module:

      • Use the user’s email as the username to grant privileges to the specific user;
      • When specifying a group, make sure that the necessary groups are allowed to be received from the provider, i.e., they are defined in the corresponding custom resource DexProvider.

      • spec.subjects.kind
        string

        Required value

        Type of user identification resource.

        Allowed values: User, Group, ServiceAccount

        Example:

        kind: Group
        
      • spec.subjects.name
        string

        Required value

        Resource name.

        Example:

        name: some-group-name
        
      • spec.subjects.namespace
        string

        ServiceAccount namespace.

        Pattern: [a-z0-9]([-a-z0-9]*[a-z0-9])?

        Length: 1..63

ClusterAuthorizationRule

Scope: Cluster
Version: v1

This object manages RBAC and namespace-based authorization.

The settings determine which access level is assigned to the user and/or group.

  • spec
    object

    Required value

    • spec.accessLevel
      string

      Access level:

      • User — has access to information about all objects (including viewing pod logs) but cannot exec into containers, read secrets, or perform port-forwarding;
      • PrivilegedUser — the same as User + can exec into containers, read secrets, and delete pods (and thus, restart them);
      • Editor — is the same as PrivilegedUser + can create and edit all objects that are usually required for application tasks;
      • Admin — the same as Editor + can delete service objects (auxiliary resources such as ReplicaSet, certmanager.k8s.io/challenges and certmanager.k8s.io/orders);
      • ClusterEditor — the same as Editor + can manage a limited set of cluster-wide objects that can be used in application tasks (ClusterXXXMetric, KeepalivedInstance, DaemonSet, etc.). This role is best suited for cluster operators.
      • ClusterAdmin — the same as both ClusterEditor and Admin + can manage cluster-wide service objects (e.g., MachineSets, Machines, OpenstackInstanceClasses…, as well as ClusterAuthorizationRule, ClusterRoleBindings and ClusterRole). This role is best suited for cluster administrators.

        Caution: since ClusterAdmin can edit ClusterRoleBindings, it can broaden its own privileges within the cluster;

      • SuperAdmin — can perform any actions with any objects (note that limitNamespaces and namespaceSelector (see below) restrictions remain valid).

      Allowed values: User, PrivilegedUser, Editor, Admin, ClusterEditor, ClusterAdmin, SuperAdmin

      Example:

      accessLevel: PrivilegedUser
      
    • spec.additionalRoles
      array of objects

      Additional roles to bind for subjects.

      This parameter is reserved for emergencies. Please use the accessLevel parameter instead.

      Example:

      additionalRoles:
      - apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-write-all
      - apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-read-all
      
      • spec.additionalRoles.apiGroup
        string

        Required value

        API group of the referenced role.

        Example:

        apiGroup: rbac.authorization.k8s.io
        
      • spec.additionalRoles.kind
        string

        Required value

        Kind of the role.

        Allowed values: ClusterRole

        Example:

        kind: ClusterRole
        
      • spec.additionalRoles.name
        string

        Required value

        Name of the role.

        Example:

        name: cluster-admin
        
    • spec.allowAccessToSystemNamespaces
      Deprecated
      boolean

      Allow access to System namespaces (kube-, d8-, loghouse, default).

      Option available only if the enableMultiTenancy option is enabled.

      Deprecated. Use the namespaceSelector field instead.

      Default: false

      This feature is available in enterprise edition only.

    • spec.allowScale
      boolean

      Defines if scaling of Deployments and StatefulSets is allowed/not allowed.

      Default: false

    • spec.limitNamespaces
      Deprecated
      array of strings

      List of regex-patterns that define namespaces accessible by the user.

      The decision making process:

      • If the list is defined, then only its constituents are accessible.
      • If the list is not defined, then all namespaces are accessible (except for the system ones; see spec.allowAccessToSystemNamespaces).

      Option available only if enableMultiTenancy option is enabled.

      Deprecated. Use the namespaceSelector field instead.

      This feature is available in enterprise edition only.

      Example:

      limitNamespaces: production-.*
      
      • Element of the array
        string

    • spec.namespaceSelector
      object

      Defines a set of namespaces accessible by the user, using the value of the namespaceSelector.labelSelector parameter.

      If the namespaceSelector parameter is specified, the values of the limitNamespaces and allowAccessToSystemNamespaces parameters are ignored. If the namespaceSelector.matchAny field is specified, then all namespaces (including system namespaces) will be accessible. Otherwise, only the namespaces with labels matching the namespaceSelector.labelSelector conditions will be accessible (system namespaces included, if they match).

      If the namespaceSelector parameter is not specified, then the set of available namespaces is determined by the value of the limitNamespaces and allowAccessToSystemNamespaces parameters. If none of the parameters namespaceSelector, limitNamespaces and allowAccessToSystemNamespaces are specified, then all namespaces will be available, except for the system ones (kube-*, d8-*, loghouse, default).

      Is available only if the enableMultiTenancy parameter is enabled.

      This feature is available in enterprise edition only.

      • spec.namespaceSelector.labelSelector
        object

        Defines the label selector-based filter of the namespaces.

        Cannot be used together with the matchAny parameter.

        If both matchExpressions and matchLabels parameters are set, their requirements are ANDed together — they must all be satisfied in order to match. If multiple matchExpression conditions are provided, they all must be satisfied in order to match.

        This feature is available in enterprise edition only.

        • spec.namespaceSelector.labelSelector.matchExpressions
          array of objects

          An array of set-based expressions.

          This feature is available in enterprise edition only.

          Example:

          matchExpressions:
          - key: tier
            operator: In
            values:
            - production
            - staging
          - key: tier
            operator: NotIn
            values:
            - production
          
          • spec.namespaceSelector.labelSelector.matchExpressions.key
            string

            A label name.

            This feature is available in enterprise edition only.

          • spec.namespaceSelector.labelSelector.matchExpressions.operator
            string

            A comparison operator.

            This feature is available in enterprise edition only.

            Allowed values: In, NotIn, Exists, DoesNotExist

          • spec.namespaceSelector.labelSelector.matchExpressions.values
            array of strings

            Label values to compare the label against.

            This feature is available in enterprise edition only.

            • Element of the array
              string

              Pattern: [a-z0-9]([-a-z0-9]*[a-z0-9])?

              Length: 1..63

        • spec.namespaceSelector.labelSelector.matchLabels
          object

          A set of labels a namespace must have to match.

          This feature is available in enterprise edition only.

          Example:

          matchLabels:
            foo: bar
            baz: who
          
      • spec.namespaceSelector.matchAny
        boolean

        Unconditionally permits access to any namespace in the cluster, including system namespaces.

        Cannot be used together with the labelSelector parameter.

        Since labelSelector provides access to a limited number of the namespaces that match it, matchAny is needed in cases where access to all namespaces is to be granted.

        This feature is available in enterprise edition only.

        Allowed values: true

    • spec.portForwarding
      boolean

      Allow/disallow the user to do port-forwarding.

      Default: false

    • spec.subjects
      array of objects

      Required value

      Users and/or groups to grant privileges.

      Kubernetes API reference…

      Pay attention to the following nuances if this module is used together with the user-authn module:

      • Use the user’s email as the username to grant privileges to the specific user;
      • When specifying a group, make sure that the necessary groups are allowed to be received from the provider, i.e., they are defined in the corresponding custom resource DexProvider.

      • spec.subjects.kind
        string

        Required value

        Type of user identification resource.

        Allowed values: User, Group, ServiceAccount

        Example:

        kind: Group
        
      • spec.subjects.name
        string

        Required value

        Resource name.

        Example:

        name: some-group-name
        
      • spec.subjects.namespace
        string

        ServiceAccount namespace.

        Pattern: [a-z0-9]([-a-z0-9]*[a-z0-9])?

        Length: 1..63

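The namespace decision process described for namespaceSelector, limitNamespaces and allowAccessToSystemNamespaces, together with the ANDed matchLabels/matchExpressions semantics of labelSelector, modelled in Python. This is an added example, not Deckhouse code: the namespace names, labels and rule specs are constructed for illustration, the limitNamespaces regex is assumed to match the whole namespace name, and on the legacy path a system namespace is assumed to stay inaccessible unless allowAccessToSystemNamespaces is true, even when a limitNamespaces pattern matches it.

```python
import re

# System namespaces as listed on the page: kube-*, d8-*, loghouse, default.
SYSTEM_NAMESPACE_PREFIXES = ("kube-", "d8-")
SYSTEM_NAMESPACE_NAMES = {"loghouse", "default"}


def is_system_namespace(name):
    return name.startswith(SYSTEM_NAMESPACE_PREFIXES) or name in SYSTEM_NAMESPACE_NAMES


def match_expression(labels, expr):
    """Evaluate one set-based matchExpressions entry against a namespace's labels.

    Operators follow Kubernetes label-selector semantics: NotIn and DoesNotExist
    also match when the key is absent.
    """
    key, op = expr["key"], expr["operator"]
    values = set(expr.get("values", []))
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator {op!r}")


def label_selector_matches(labels, selector):
    """matchLabels and matchExpressions are ANDed: every requirement must hold."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    return all(match_expression(labels, e) for e in selector.get("matchExpressions", []))


def namespace_accessible(spec, ns_name, ns_labels):
    """Decide whether a ClusterAuthorizationRule spec grants access to one namespace."""
    selector = spec.get("namespaceSelector")
    if selector is not None:
        # namespaceSelector takes precedence; limitNamespaces and
        # allowAccessToSystemNamespaces are ignored on this path.
        if selector.get("matchAny"):
            return True
        # System namespaces are included here if their labels match.
        return label_selector_matches(ns_labels, selector.get("labelSelector", {}))

    # Legacy path. Assumption: a system namespace needs allowAccessToSystemNamespaces
    # regardless of whether a limitNamespaces pattern matches it.
    if is_system_namespace(ns_name) and not spec.get("allowAccessToSystemNamespaces", False):
        return False
    patterns = spec.get("limitNamespaces")
    if patterns is None:
        return True  # no list: every non-system namespace is accessible
    # Assumption: each pattern must match the whole namespace name.
    return any(re.fullmatch(p, ns_name) for p in patterns)


# Constructed sample namespaces (name -> labels); not taken from the page.
SAMPLE_NAMESPACES = {
    "production-web": {"tier": "production"},
    "staging-web": {"tier": "staging"},
    "dev-web": {"tier": "dev"},
    "d8-monitoring": {"tier": "production"},
    "default": {},
}

# Constructed rule specs in the shape of the ClusterAuthorizationRule fields above.
SELECTOR_SPEC = {
    "accessLevel": "Editor",
    "namespaceSelector": {
        "labelSelector": {
            "matchExpressions": [
                {"key": "tier", "operator": "In", "values": ["production", "staging"]},
            ]
        }
    },
}

LEGACY_SPEC = {
    "accessLevel": "Editor",
    "limitNamespaces": ["production-.*", "d8-.*"],
    "allowAccessToSystemNamespaces": False,
}


def accessible_namespaces(spec, namespaces=SAMPLE_NAMESPACES):
    """Return the sorted names of namespaces the spec grants access to."""
    return sorted(n for n, labels in namespaces.items() if namespace_accessible(spec, n, labels))


if __name__ == "__main__":
    print("selector:", accessible_namespaces(SELECTOR_SPEC))
    print("legacy:  ", accessible_namespaces(LEGACY_SPEC))
```

Running it shows the difference that matters for review: the label-selector rule admits d8-monitoring because its tier label matches, while the legacy rule excludes it even though d8-.* is listed, because allowAccessToSystemNamespaces is false. An empty spec (neither field set) yields every non-system namespace, and matchAny yields all of them.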
ClusterAuthorizationRule

Scope: Cluster
Version: v1alpha1

Deprecated resource. Support for the resource might be removed in a later release.

This cluster-wide object manages RBAC and authorization.

The ClusterAuthorizationRule resource is used in the obsolete role-based model, which will be removed in future versions of Deckhouse. We recommend using the new role-based model.

  • spec
    object

    Required value

    • spec.accessLevel
      string

      Access level:

      • User — has access to information about all objects (including viewing pod logs) but cannot exec into containers, read secrets, or perform port-forwarding;
      • PrivilegedUser — the same as User + can exec into containers, read secrets, and delete pods (and thus, restart them);
      • Editor — is the same as PrivilegedUser + can create and edit all objects that are usually required for application tasks;
      • Admin — the same as Editor + can delete service objects (auxiliary resources such as ReplicaSet, certmanager.k8s.io/challenges and certmanager.k8s.io/orders);
      • ClusterEditor — the same as Editor + can manage a limited set of cluster-wide objects that can be used in application tasks (ClusterXXXMetric, KeepalivedInstance, DaemonSet, etc.). This role is best suited for cluster operators.
      • ClusterAdmin — the same as both ClusterEditor and Admin + can manage cluster-wide service objects (e.g., MachineSets, Machines, OpenstackInstanceClasses…, as well as ClusterAuthorizationRule, ClusterRoleBindings and ClusterRole). This role is best suited for cluster administrators.

        Caution: since ClusterAdmin can edit ClusterRoleBindings, it can broaden its own privileges within the cluster;

      • SuperAdmin — can perform any actions with any objects (note that limitNamespaces (see below) restrictions remain valid).

      Allowed values: User, PrivilegedUser, Editor, Admin, ClusterEditor, ClusterAdmin, SuperAdmin

      Example:

      accessLevel: PrivilegedUser
      
    • spec.additionalRoles
      array of objects

      Additional roles to bind for subjects.

      This parameter is reserved for emergencies. Please use the accessLevel parameter instead.

      Example:

      additionalRoles:
      - apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-write-all
      - apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-read-all
      
      • spec.additionalRoles.apiGroup
        string

        Required value

        API group of the referenced role.

        Example:

        apiGroup: rbac.authorization.k8s.io
        
      • spec.additionalRoles.kind
        string

        Required value

        Kind of the role.

        Allowed values: ClusterRole

        Example:

        kind: ClusterRole
        
      • spec.additionalRoles.name
        string

        Required value

        Name of the role.

        Example:

        name: cluster-admin
        
    • spec.allowAccessToSystemNamespaces
      Deprecated
      boolean

      Allow access to System namespaces (kube-, d8-, loghouse, default).

      Option available only if the enableMultiTenancy option is enabled.

      Deprecated. Use the namespaceSelector parameter (API version v1 of the CR) instead.

      Default: false

      This feature is available in enterprise edition only.

    • spec.allowScale
      boolean

      Defines if scaling of Deployments and StatefulSets is allowed/not allowed.

      Default: false

    • spec.limitNamespaces
      Deprecated
      array of strings

      List of regex-patterns that define namespaces accessible by the user.

      The decision making process:

      • If the list is defined, then only its constituents are accessible.
      • If the list is not defined, then all namespaces are accessible (except for the system ones; see spec.allowAccessToSystemNamespaces).

      Option available only if enableMultiTenancy option is enabled.

      Deprecated. Use the namespaceSelector parameter (API version v1 of the CR) instead.

      This feature is available in enterprise edition only.

      Example:

      limitNamespaces: production-.*
      
      • Element of the array
        string

    • spec.portForwarding
      boolean

      Allow/disallow the user to do port-forwarding.

      Default: false

    • spec.subjects
      array of objects

      Required value

      Users and/or groups to grant privileges.

      Kubernetes API reference…

      Pay attention to the following nuances if this module is used together with the user-authn module:

      • Use the user’s email as the username to grant privileges to the specific user;
      • When specifying a group, make sure that the necessary groups are allowed to be received from the provider, i.e., they are defined in the corresponding custom resource DexProvider.

      • spec.subjects.kind
        string

        Required value

        Type of user identification resource.

        Allowed values: User, Group, ServiceAccount

        Example:

        kind: Group
        
      • spec.subjects.name
        string

        Required value

        Resource name.

        Example:

        name: some-group-name
        
      • spec.subjects.namespace
        string

        ServiceAccount namespace.

        Pattern: [a-z0-9]([-a-z0-9]*[a-z0-9])?

        Length: 1..63