AuthorizationRule
Scope: Namespaced
Version: v1alpha1
Manages RBAC and authorization settings within a particular namespace.
- spec (object), required
- spec.accessLevel (string)
  Access level:
  - User: has access to information about all objects (including viewing pod logs) but cannot exec into containers, read secrets, or perform port-forwarding;
  - PrivilegedUser: the same as User + can exec into containers, read secrets, and delete pods (and thus restart them);
  - Editor: the same as PrivilegedUser + can create and edit all objects that are usually required for application tasks;
  - Admin: the same as Editor + can delete service objects (auxiliary resources such as ReplicaSet, certmanager.k8s.io/challenges and certmanager.k8s.io/orders).
  Allowed values: User, PrivilegedUser, Editor, Admin
  Example:
    accessLevel: PrivilegedUser
- spec.allowScale (boolean)
  Defines whether scaling of Deployments and StatefulSets is allowed.
  Default: false
- spec.portForwarding (boolean)
  Allow/disallow the user to do port-forwarding.
  Default: false
- spec.subjects (array of objects), required
  Users and/or groups to grant privileges to.
  Pay attention to the following nuances if this module is used together with the user-authn module:
  - Use the user’s email as the username to grant privileges to a specific user;
  - When specifying a group, make sure that the necessary groups are allowed to be received from the provider, i.e., they are defined in the corresponding DexProvider custom resource.
- spec.subjects.kind (string), required
  Type of user identification resource.
  Allowed values: User, Group, ServiceAccount
  Example:
    kind: Group
- spec.subjects.name (string), required
  Resource name.
  Example:
    name: some-group-name
- spec.subjects.namespace (string)
  ServiceAccount namespace.
  Pattern: [a-z0-9]([-a-z0-9]*[a-z0-9])?
  Length: 1..63
ClusterAuthorizationRule
Scope: Cluster
This object manages RBAC and namespace-based authorization.
The settings determine which access level is assigned to the user and/or group.
- spec (object), required
- spec.accessLevel (string)
  Access level:
  - User: has access to information about all objects (including viewing pod logs) but cannot exec into containers, read secrets, or perform port-forwarding;
  - PrivilegedUser: the same as User + can exec into containers, read secrets, and delete pods (and thus restart them);
  - Editor: the same as PrivilegedUser + can create and edit all objects that are usually required for application tasks;
  - Admin: the same as Editor + can delete service objects (auxiliary resources such as ReplicaSet, certmanager.k8s.io/challenges and certmanager.k8s.io/orders);
  - ClusterEditor: the same as Editor + can manage a limited set of cluster-wide objects that can be used in application tasks (ClusterXXXMetric, KeepalivedInstance, DaemonSet, etc.). This role is best suited for cluster operators;
  - ClusterAdmin: the same as both ClusterEditor and Admin + can manage cluster-wide service objects (e.g., MachineSets, Machines, OpenstackInstanceClasses, …, as well as ClusterAuthorizationRule, ClusterRoleBindings and ClusterRole). This role is best suited for cluster administrators. Caution! Since ClusterAdmin can edit ClusterRoleBindings, it can broaden its own privileges within the cluster;
  - SuperAdmin: can perform any actions with any objects (note that the limitNamespaces and namespaceSelector restrictions (see below) remain valid).
  Allowed values: User, PrivilegedUser, Editor, Admin, ClusterEditor, ClusterAdmin, SuperAdmin
  Example:
    accessLevel: PrivilegedUser
- spec.additionalRoles (array of objects)
  Additional roles to bind for subjects.
  This parameter is reserved for emergencies. Please use the accessLevel parameter instead.
  Example:
    additionalRoles:
    - apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-write-all
    - apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-read-all
- spec.additionalRoles.apiGroup (string), required
  apiGroup of the role to bind.
  Example:
    apiGroup: rbac.authorization.k8s.io
- spec.additionalRoles.kind (string), required
  Kind of the role.
  Allowed values: ClusterRole
  Example:
    kind: ClusterRole
- spec.additionalRoles.name (string), required
  Name of the role.
  Example:
    name: cluster-admin
- spec.allowAccessToSystemNamespaces (boolean), deprecated
  Allow access to system namespaces (kube-*, d8-*, loghouse, default).
  Option available only if the enableMultiTenancy option is enabled.
  Deprecated. Use the namespaceSelector field instead.
  Default: false
  This feature is available in enterprise edition only.
- spec.allowScale (boolean)
  Defines whether scaling of Deployments and StatefulSets is allowed.
  Default: false
- spec.limitNamespaces (array of strings), deprecated
  List of regex patterns that define the namespaces accessible by the user.
  The decision-making process:
  - If the list is defined, then only the namespaces matching its patterns are accessible.
  - If the list is not defined, then all namespaces are accessible (except for the system ones; see spec.allowAccessToSystemNamespaces).
  Option available only if the enableMultiTenancy option is enabled.
  Deprecated. Use the namespaceSelector field instead.
  This feature is available in enterprise edition only.
  Example:
    limitNamespaces:
    - production-.*
- Element of the array (string)
- spec.namespaceSelector (object)
  Defines the set of namespaces accessible by the user, using the value of the namespaceSelector.labelSelector parameter.
  If the namespaceSelector parameter is specified, the values of the limitNamespaces and allowAccessToSystemNamespaces parameters are ignored. If the namespaceSelector.matchAny field is specified, then all namespaces (including system namespaces) will be accessible. Otherwise, only the namespaces with labels matching the namespaceSelector.labelSelector conditions will be accessible (including system namespaces).
  If the namespaceSelector parameter is not specified, then the set of available namespaces is determined by the values of the limitNamespaces and allowAccessToSystemNamespaces parameters. If none of the namespaceSelector, limitNamespaces and allowAccessToSystemNamespaces parameters are specified, then all namespaces will be available except for the system ones (kube-*, d8-*, loghouse, default).
  Available only if the enableMultiTenancy parameter is enabled.
  This feature is available in enterprise edition only.
- spec.namespaceSelector.labelSelector (object)
  Defines the label-selector-based filter of the namespaces.
  Cannot be used together with the matchAny parameter.
  If both the matchExpressions and matchLabels parameters are set, their requirements are ANDed together: they must all be satisfied in order to match. If multiple matchExpressions conditions are provided, they all must be satisfied in order to match.
  This feature is available in enterprise edition only.
- spec.namespaceSelector.labelSelector.matchExpressions (array of objects)
  An array of set-based expressions.
  This feature is available in enterprise edition only.
  Example:
    matchExpressions:
    - key: tier
      operator: In
      values:
      - production
      - staging
    - key: tier
      operator: NotIn
      values:
      - production
- spec.namespaceSelector.labelSelector.matchExpressions.key (string)
  A label name.
  This feature is available in enterprise edition only.
- spec.namespaceSelector.labelSelector.matchExpressions.operator (string)
  A comparison operator.
  This feature is available in enterprise edition only.
  Allowed values: In, NotIn, Exists, DoesNotExist
- spec.namespaceSelector.labelSelector.matchExpressions.values (array of strings)
  An array of label values.
  This feature is available in enterprise edition only.
- Element of the array (string)
  Pattern: [a-z0-9]([-a-z0-9]*[a-z0-9])?
  Length: 1..63
- spec.namespaceSelector.labelSelector.matchLabels (object)
  A set of labels a namespace must have to match.
  This feature is available in enterprise edition only.
  Example:
    matchLabels:
      foo: bar
      baz: who
- spec.namespaceSelector.matchAny (boolean)
  Unconditionally permits access to any namespace in the cluster, including system namespaces.
  Cannot be used together with the labelSelector parameter.
  Since labelSelector provides access only to the namespaces that match it, matchAny is needed in cases where access to all namespaces is to be granted.
  This feature is available in enterprise edition only.
  Allowed values: true
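The namespace-access decision described above for namespaceSelector, limitNamespaces and allowAccessToSystemNamespaces, modelled in Python and run over a constructed set of namespaces; this is an added example, not the module's own code. The whole-name regex matching and the order in which the two legacy checks are combined are assumptions, not stated on this page.

```python
import re

# Namespaces the page lists as "system": kube-*, d8-*, loghouse, default.
SYSTEM_NAMESPACE_PATTERNS = (r"kube-.*", r"d8-.*", r"loghouse", r"default")

def label_selector_matches(labels, selector):
    # matchLabels and every matchExpressions entry are ANDed together.
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, values = expr["key"], expr["operator"], expr.get("values") or []
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True

def namespace_accessible(spec, name, labels):
    # spec is the ClusterAuthorizationRule .spec as a plain dict.
    selector = spec.get("namespaceSelector")
    if selector is not None:
        # namespaceSelector wins: limitNamespaces and allowAccessToSystemNamespaces
        # are ignored, and system namespaces are not excluded in this mode.
        if selector.get("matchAny"):
            return True
        return label_selector_matches(labels, selector.get("labelSelector") or {})
    # Legacy path. Assumptions: the system-namespace check is applied before
    # limitNamespaces, and each regex must match the whole namespace name.
    is_system = any(re.fullmatch(p, name) for p in SYSTEM_NAMESPACE_PATTERNS)
    if is_system and not spec.get("allowAccessToSystemNamespaces"):
        return False
    patterns = spec.get("limitNamespaces")
    if patterns:
        return any(re.fullmatch(p, name) for p in patterns)
    return True

def accessible_namespaces(spec, namespaces):
    # namespaces: {name: labels}; returns the sorted names the spec grants.
    return sorted(n for n, l in namespaces.items() if namespace_accessible(spec, n, l))

# Constructed sample cluster; names and labels are illustrative only.
SAMPLE_NAMESPACES = {"production-api": {"tier": "production"}, "staging-api": {"tier": "staging"},
                     "dev-tools": {"tier": "dev"}, "kube-system": {}, "default": {}}
```

Feeding the page's own matchExpressions example (tier In production,staging AND tier NotIn production) through accessible_namespaces leaves only staging-api, which shows why the two expressions are ANDed rather than ORed.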
- spec.portForwarding (boolean)
  Allow/disallow the user to do port-forwarding.
  Default: false
- spec.subjects (array of objects), required
  Users and/or groups to grant privileges to.
  Pay attention to the following nuances if this module is used together with the user-authn module:
  - Use the user’s email as the username to grant privileges to a specific user;
  - When specifying a group, make sure that the necessary groups are allowed to be received from the provider, i.e., they are defined in the corresponding DexProvider custom resource.
- spec.subjects.kind (string), required
  Type of user identification resource.
  Allowed values: User, Group, ServiceAccount
  Example:
    kind: Group
- spec.subjects.name (string), required
  Resource name.
  Example:
    name: some-group-name
- spec.subjects.namespace (string)
  ServiceAccount namespace.
  Pattern: [a-z0-9]([-a-z0-9]*[a-z0-9])?
  Length: 1..63
This cluster-wide object manages RBAC and authorization.
- spec (object), required
- spec.accessLevel (string)
  Access level:
  - User: has access to information about all objects (including viewing pod logs) but cannot exec into containers, read secrets, or perform port-forwarding;
  - PrivilegedUser: the same as User + can exec into containers, read secrets, and delete pods (and thus restart them);
  - Editor: the same as PrivilegedUser + can create and edit all objects that are usually required for application tasks;
  - Admin: the same as Editor + can delete service objects (auxiliary resources such as ReplicaSet, certmanager.k8s.io/challenges and certmanager.k8s.io/orders);
  - ClusterEditor: the same as Editor + can manage a limited set of cluster-wide objects that can be used in application tasks (ClusterXXXMetric, KeepalivedInstance, DaemonSet, etc.). This role is best suited for cluster operators;
  - ClusterAdmin: the same as both ClusterEditor and Admin + can manage cluster-wide service objects (e.g., MachineSets, Machines, OpenstackInstanceClasses, …, as well as ClusterAuthorizationRule, ClusterRoleBindings and ClusterRole). This role is best suited for cluster administrators. Caution! Since ClusterAdmin can edit ClusterRoleBindings, it can broaden its own privileges within the cluster;
  - SuperAdmin: can perform any actions with any objects (note that the limitNamespaces restrictions (see below) remain valid).
  Allowed values: User, PrivilegedUser, Editor, Admin, ClusterEditor, ClusterAdmin, SuperAdmin
  Example:
    accessLevel: PrivilegedUser
- spec.additionalRoles (array of objects)
  Additional roles to bind for subjects.
  This parameter is reserved for emergencies. Please use the accessLevel parameter instead.
  Example:
    additionalRoles:
    - apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-write-all
    - apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-read-all
- spec.additionalRoles.apiGroup (string), required
  apiGroup of the role to bind.
  Example:
    apiGroup: rbac.authorization.k8s.io
- spec.additionalRoles.kind (string), required
  Kind of the role.
  Allowed values: ClusterRole
  Example:
    kind: ClusterRole
- spec.additionalRoles.name (string), required
  Name of the role.
  Example:
    name: cluster-admin
- spec.allowAccessToSystemNamespaces (boolean), deprecated
  Allow access to system namespaces (kube-*, d8-*, loghouse, default).
  Option available only if the enableMultiTenancy option is enabled.
  Deprecated. Use the namespaceSelector parameter (API version v1 of the CR) instead.
  Default: false
  This feature is available in enterprise edition only.
- spec.allowScale (boolean)
  Defines whether scaling of Deployments and StatefulSets is allowed.
  Default: false
- spec.limitNamespaces (array of strings), deprecated
  List of regex patterns that define the namespaces accessible by the user.
  The decision-making process:
  - If the list is defined, then only the namespaces matching its patterns are accessible.
  - If the list is not defined, then all namespaces are accessible (except for the system ones; see spec.allowAccessToSystemNamespaces).
  Option available only if the enableMultiTenancy option is enabled.
  Deprecated. Use the namespaceSelector parameter (API version v1 of the CR) instead.
  This feature is available in enterprise edition only.
  Example:
    limitNamespaces:
    - production-.*
- Element of the array (string)
- spec.portForwarding (boolean)
  Allow/disallow the user to do port-forwarding.
  Default: false
- spec.subjects (array of objects), required
  Users and/or groups to grant privileges to.
  Pay attention to the following nuances if this module is used together with the user-authn module:
  - Use the user’s email as the username to grant privileges to a specific user;
  - When specifying a group, make sure that the necessary groups are allowed to be received from the provider, i.e., they are defined in the corresponding DexProvider custom resource.
- spec.subjects.kind (string), required
  Type of user identification resource.
  Allowed values: User, Group, ServiceAccount
  Example:
    kind: Group
- spec.subjects.name (string), required
  Resource name.
  Example:
    name: some-group-name
- spec.subjects.namespace (string)
  ServiceAccount namespace.
  Pattern: [a-z0-9]([-a-z0-9]*[a-z0-9])?
  Length: 1..63