ClusterAuthorizationRule

Scope: Cluster

This object manages RBAC and namespace-based authorization.

  • spec (object)

    Required value.

    • accessLevel (string)

      Access level:

      • User — has access to information about all objects (including viewing pod logs) but cannot exec into containers, read secrets, and perform port-forwarding;
      • PrivilegedUser — the same as User + can exec into containers, read secrets, and delete pods (and thus, restart them);
      • Editor — is the same as PrivilegedUser + can create and edit namespaces and all objects that are usually required for application tasks;

        Caution! Since Editor can edit RoleBindings, this role can broaden its own privileges within the namespace;

      • Admin — the same as Editor + can delete service objects (auxiliary resources such as ReplicaSet, certmanager.k8s.io/challenges, and certmanager.k8s.io/orders);
      • ClusterEditor — the same as Editor + can manage a limited set of cluster-wide objects that can be used in application tasks (ClusterXXXMetric, ClusterRoleBindings, KeepalivedInstance, DaemonSet, etc.). This role is best suited for cluster operators.

        Caution! Since ClusterEditor can edit ClusterRoleBindings, this role can broaden its own privileges within the cluster;

      • ClusterAdmin — the same as both ClusterEditor and Admin + can manage cluster-wide service objects (e.g., MachineSets, Machines, OpenstackInstanceClasses…, as well as ClusterAuthorizationRule). This role is best suited for cluster administrators.

        Caution! Since ClusterAdmin can edit ClusterRoleBindings, this role can broaden its own privileges within the cluster;

      • SuperAdmin — can perform any actions with any objects (note that limitNamespaces (see below) restrictions remain valid).

      Allowed values: User, PrivilegedUser, Editor, Admin, ClusterEditor, ClusterAdmin, SuperAdmin

      Example: "PrivilegedUser"

    • additionalRoles (array of objects)

      Additional roles to bind for subjects.

      This parameter is reserved for emergencies. Please use the accessLevel parameter instead.

      Example:

      additionalRoles:
      - apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-write-all
      - apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-read-all
      
      • apiGroup (string)

        apiGroup for users.

        Length: 1..∞

        Example: "rbac.authorization.k8s.io"

        Required value.

      • kind (string)

        Kind of the role.

        Allowed values: ClusterRole, Role

        Example: "ClusterRole"

        Required value.

      • name (string)

        Name of the role.

        Length: 1..∞

        Example: "cluster-admin"

        Required value.

    • allowAccessToSystemNamespaces (boolean)

      Allow access to System namespaces (kube-, d8-, loghouse, default).

      Option available only if enableMultiTenancy option is enabled.

      Default: false

      This feature is available only in the Enterprise Edition.

    • allowScale (boolean)

      Defines whether the user is allowed to scale Deployments and StatefulSets.

      Default: false

    • limitNamespaces (array of strings)

      List of regex-patterns that define namespaces accessible by the user.

      The decision making process:

      • If the list is defined, then only its constituents are accessible.
      • If the list is not defined, then all namespaces are accessible (except for the system ones; see spec.allowAccessToSystemNamespaces above).

      Option available only if enableMultiTenancy option is enabled.

      This feature is available only in the Enterprise Edition.

      Length: 1..∞

      Example: "production-.*"

    • portForwarding (boolean)

      Allows or disallows port-forwarding for the user.

      Default: false

    • subjects (array of objects)

      Users and/or groups to grant privileges.

      Kubernetes API reference…

      Caution! Note that you must use the user’s email as the username to grant privileges to the specific user if this module is used together with the user-authn module.

      Required value.

      • kind (string)

        Type of user identification resource.

        Allowed values: User, Group, ServiceAccount

        Example: "Group"

        Required value.

      • name (string)

        Resource name.

        Length: 1..∞

        Example: "some-group-name"

        Required value.

      • namespace (string)

        ServiceAccount namespace.

        Length: 1..∞
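The namespace decision described under limitNamespaces and allowAccessToSystemNamespaces, modelled as an added Python example (this is not the module's own code). Assumptions: regex patterns are matched against the whole namespace name, "system namespaces" means the prefixes kube- and d8- plus the exact names loghouse and default, and the rule object is constructed for illustration.

```python
import re

# Constructed rule mirroring the spec fields described on this page
# (illustrative only; the apiVersion value is a placeholder).
EXAMPLE_RULE = {
    "apiVersion": "PLACEHOLDER",
    "kind": "ClusterAuthorizationRule",
    "metadata": {"name": "dev-team"},
    "spec": {
        "accessLevel": "PrivilegedUser",
        "limitNamespaces": ["production-.*", "staging"],
        "allowAccessToSystemNamespaces": False,
        "portForwarding": False,
        "subjects": [{"kind": "Group", "name": "dev-team"}],
    },
}

# Assumed model of the system namespaces listed on the page.
SYSTEM_PREFIXES = ("kube-", "d8-")
SYSTEM_NAMES = {"loghouse", "default"}


def is_system_namespace(namespace: str) -> bool:
    return namespace.startswith(SYSTEM_PREFIXES) or namespace in SYSTEM_NAMES


def namespace_allowed(rule: dict, namespace: str, multi_tenancy: bool = True) -> bool:
    """Decide whether a rule grants access to `namespace`.

    The page states that limitNamespaces and allowAccessToSystemNamespaces are
    only available when enableMultiTenancy is on, so without it the rule
    imposes no namespace restriction (assumption about the model).
    """
    spec = rule["spec"]
    if not multi_tenancy:
        return True
    # System namespaces are denied unless explicitly allowed.
    if is_system_namespace(namespace) and not spec.get("allowAccessToSystemNamespaces", False):
        return False
    patterns = spec.get("limitNamespaces")
    if not patterns:
        # List not defined: every (non-system) namespace is accessible.
        return True
    # List defined: only namespaces matching one of the patterns are accessible.
    return any(re.fullmatch(pattern, namespace) is not None for pattern in patterns)
```

Note that "production-.*" does not match the bare namespace "production", and a pattern such as "staging" does not match "staging-2"; anchoring avoids accidentally widening access.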