Available with limitations inCE

Available without limitations in:  BE, SE, SE+, EE

Caution! We strongly do not recommend creating Pods and ReplicaSets – these objects are secondary and should be created by other controllers. Access to creating and modifying Pods and ReplicaSets is disabled.

Caution! Currently, the multi-tenancy mode (namespace-based authorization) is implemented according to a temporary scheme and isn’t guaranteed to be entirely safe and secure! The allowAccessToSystemNamespaces, namespaceSelector and limitNamespaces options in the custom resource will no longer be applied if the authorization system’s webhook is unavailable for some reason. As a result, users will have access to all namespaces. After the webhook availability is restored, the options will become relevant again.

All access rights are configured using Custom Resources.

The module is enabled by default in the following bundles: Default, Managed. The module is disabled by default in the Minimal bundle.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/user-authz resource (create it, if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: user-authz
spec:
  enabled: true

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module enable user-authz

Example of disabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: user-authz
spec:
  enabled: false

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module disable user-authz

Settings

The module is configured using the ModuleConfig custom resource named user-authz (learn more about setting up Deckhouse…).

Example of the ModuleConfig/user-authz resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: user-authz
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 1

  • settings
    object
    • settings.controlPlaneConfigurator
      object

      Parameters of the control-plane-manager module.

      • settings.controlPlaneConfigurator.enabled
        boolean

        Passes parameters for configuring authz-webhook to the control-plane-manager module (see the parameters of the control-plane-manager module).

        If this parameter is disabled, the control-plane-manager module assumes that Webhook-based authorization is disabled by default. In this case (if no additional settings are provided), the control-plane-manager module will try to delete all references to the Webhook plugin from the manifest (even if you configure the manifest manually).

        Default: true

        Examples:

        enabled: true

        enabled: false
    • settings.enableMultiTenancy
      boolean

      Available in editions: BE, SE, SE+, EE

      Enable namespace-based authorization (multi-tenancy mode).

      All the kube-apiserver settings required for namespace-based authorization are performed automatically by the control-plane-manager module (more details).

      Default: false

      Examples:

      enableMultiTenancy: true

      enableMultiTenancy: false