How do I create a user?
How do I limit user rights to specific namespaces?
Use the limitNamespaces parameter in the ClusterAuthorizationRule CR.
What if there are two ClusterAuthorizationRules matching a single user?
Imagine that the user jane.doe@example.com is in the administrators group. There are two cluster authorization rules:
```yaml
apiVersion: deckhouse.io/v1
kind: ClusterAuthorizationRule
metadata:
  name: jane
spec:
  subjects:
  - kind: User
    name: jane.doe@example.com
  accessLevel: User
  limitNamespaces:
  - review-.*
---
apiVersion: deckhouse.io/v1
kind: ClusterAuthorizationRule
metadata:
  name: admin
spec:
  subjects:
  - kind: Group
    name: administrators
  accessLevel: ClusterAdmin
  limitNamespaces:
  - prod
  - stage
```
jane.doe@example.com has the right to get and list any objects in all review namespaces. Administrators can get, edit, list, and delete objects at the cluster level and in the prod and stage namespaces.
Because Jane Doe matches two rules, the following calculation is made:
- She gets the most powerful accessLevel across all matching rules: ClusterAdmin.
- The limitNamespaces options are combined, so Jane has access to the union of the namespaces listed in both rules.
The resulting rights will be:
```yaml
accessLevel: ClusterAdmin
limitNamespaces:
- prod
- stage
- review-.*
```
Note! If one of the matching rules has no limitNamespaces option, that rule allows all namespaces except system namespaces, and this widens the resulting limitNamespaces calculation accordingly.
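The merge described above (strongest accessLevel, union of limitNamespaces, and the widening effect of a rule without limitNamespaces), as an added Python example that is not Deckhouse's own code. The accessLevel ordering beyond User and ClusterAdmin, the system-namespace prefixes, and treating patterns as anchored regular expressions are assumptions made for this example.

```python
import re

# Access levels from least to most powerful. The page shows only User and
# ClusterAdmin; the rest of the ordering is assumed from the user-authz module.
ACCESS_LEVELS = ["User", "PrivilegedUser", "Editor", "Admin",
                 "ClusterEditor", "ClusterAdmin", "SuperAdmin"]
# Assumed prefixes of "system namespaces" for the no-limitNamespaces case.
SYSTEM_PREFIXES = ("kube-", "d8-")

# Constructed from the two rules on the page (spec fields only).
RULES = [
    {"name": "jane", "subjects": [{"kind": "User", "name": "jane.doe@example.com"}],
     "accessLevel": "User", "limitNamespaces": ["review-.*"]},
    {"name": "admin", "subjects": [{"kind": "Group", "name": "administrators"}],
     "accessLevel": "ClusterAdmin", "limitNamespaces": ["prod", "stage"]},
]

def rule_matches(rule, user, groups):
    """A rule applies if any subject names the user or one of the user's groups."""
    return any((s["kind"] == "User" and s["name"] == user) or
               (s["kind"] == "Group" and s["name"] in groups)
               for s in rule["subjects"])

def effective_rights(user, groups, rules):
    """Merge every matching rule: strongest accessLevel, union of limitNamespaces.
    A matching rule without limitNamespaces widens the result to None (all non-system)."""
    matched = [r for r in rules if rule_matches(r, user, groups)]
    if not matched:
        return None
    level = max((r["accessLevel"] for r in matched), key=ACCESS_LEVELS.index)
    patterns = []
    for r in matched:
        if not r.get("limitNamespaces"):
            return {"accessLevel": level, "limitNamespaces": None}
        patterns += [p for p in r["limitNamespaces"] if p not in patterns]
    return {"accessLevel": level, "limitNamespaces": patterns}

def allowed_in(rights, namespace):
    """Check whether the merged rights cover a namespace. Patterns are treated
    as anchored regular expressions (assumption)."""
    if rights is None:
        return False
    if rights["limitNamespaces"] is None:
        return not namespace.startswith(SYSTEM_PREFIXES)
    return any(re.fullmatch(p, namespace) for p in rights["limitNamespaces"])

if __name__ == "__main__":
    jane = effective_rights("jane.doe@example.com", ["administrators"], RULES)
    print(jane, allowed_in(jane, "review-42"), allowed_in(jane, "default"))
    # -> {'accessLevel': 'ClusterAdmin', 'limitNamespaces': ['review-.*', 'prod', 'stage']} True False
```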