This module is enabled by default. To disable it, add the following lines to the deckhouse ConfigMap:

  userAuthzEnabled: "false"

Caution! We strongly do not recommend creating Pods and ReplicaSets – these objects are secondary and should be created by other controllers. Access to creating and modifying Pods and ReplicaSets is disabled.

Caution! Currently, the multi-tenancy mode (namespace-based authorization) is implemented according to a temporary scheme and isn’t guaranteed to be entirely safe and secure! The allowAccessToSystemNamespaces and limitNamespaces options in the CR will no longer be applied if the authorization system’s webhook is unavailable for some reason. As a result, users will have access to all namespaces. After the webhook availability is restored, the options will become relevant again.


  • controlPlaneConfigurator (object)

    Parameters of the control-plane-manager module.

    Default: {}

    • enabled (boolean)

      Passes parameters for configuring authz-webhook to the control-plane-manager module (see the parameters of the control-plane-manager module).

      If this parameter is disabled, the control-plane-manager module assumes that Webhook-based authorization is disabled by default. In this case (if no additional settings are provided), the control-plane-manager module will try to delete all references to the Webhook plugin from the manifest (even if you configure the manifest manually).

      Default: true

      Example: true, false

  • enableMultiTenancy (boolean)

    Enable namespace-based authorization.

    Since this option is implemented via the Webhook authorization plugin, you will need to perform an additional configuration of kube-apiserver. You can use the control-plane-manager module to automate this process.

    Available in Enterprise Edition only.

    Default: false

    Example: true, false

All access rights are configured using Custom Resources.