How do I create a user?
How do I limit user rights to specific namespaces?
To limit a user’s rights to specific namespaces, use RoleBinding with the use role that has the appropriate level of access. Example….
How do I limit user rights to specific namespaces (obsolete role-based model)?
The example uses the obsolete role-based model.
Use the namespaceSelector or limitNamespaces (deprecated) parameters in the ClusterAuthorizationRule CR.
What if there are two ClusterAuthorizationRules matching to a single user?
Imagine that the user jane.doe@example.com is in the administrators group. There are two cluster authorization rules:
apiVersion: deckhouse.io/v1
kind: ClusterAuthorizationRule
metadata:
name: jane
spec:
subjects:
- kind: User
name: jane.doe@example.com
accessLevel: User
namespaceSelector:
labelSelector:
matchLabels:
env: review
---
apiVersion: deckhouse.io/v1
kind: ClusterAuthorizationRule
metadata:
name: admin
spec:
subjects:
- kind: Group
name: administrators
accessLevel: ClusterAdmin
namespaceSelector:
labelSelector:
matchExpressions:
- key: env
operator: In
values:
- prod
- stage
jane.doe@example.comhas the right to get and list any objects in the namespaces labeledenv=reviewAdministratorscan get, edit, list, and delete objects on the cluster level and in the namespaces labeledenv=prodandenv=stage.
Because Jane Doe matches two rules, some calculations will be made:
- She will have the most powerful accessLevel across all matching rules —
ClusterAdmin. - The
namespaceSelectoroptions will be combined, so that Jane will have access to all the namespaces labeled withenvlabel of the following values:review,stage, orprod.
Note! If there is a rule without the
namespaceSelectoroption andlimitNamespacesdeprecated option, it means that all namespaces are allowed excluding system namespaces, which will affect the resulting limit namespaces calculation.