How do I create a user?
How do I limit user rights to specific namespaces?
To limit a user’s rights to specific namespaces, use RoleBinding
with the use role that has the appropriate level of access. Example….
How do I limit user rights to specific namespaces (obsolete role-based model)?
The example uses the obsolete role-based model.
Use the namespaceSelector
or limitNamespaces
(deprecated) parameters in the ClusterAuthorizationRule
CR.
What if there are two ClusterAuthorizationRules matching to a single user?
Imagine that the user jane.doe@example.com
is in the administrators
group. There are two cluster authorization rules:
apiVersion: deckhouse.io/v1
kind: ClusterAuthorizationRule
metadata:
name: jane
spec:
subjects:
- kind: User
name: jane.doe@example.com
accessLevel: User
namespaceSelector:
labelSelector:
matchLabels:
env: review
---
apiVersion: deckhouse.io/v1
kind: ClusterAuthorizationRule
metadata:
name: admin
spec:
subjects:
- kind: Group
name: administrators
accessLevel: ClusterAdmin
namespaceSelector:
labelSelector:
matchExpressions:
- key: env
operator: In
values:
- prod
- stage
jane.doe@example.com
has the right to get and list any objects in the namespaces labeledenv=review
Administrators
can get, edit, list, and delete objects on the cluster level and in the namespaces labeledenv=prod
andenv=stage
.
Because Jane Doe
matches two rules, some calculations will be made:
- She will have the most powerful accessLevel across all matching rules —
ClusterAdmin
. - The
namespaceSelector
options will be combined, so that Jane will have access to all the namespaces labeled withenv
label of the following values:review
,stage
, orprod
.
Note! If there is a rule without the
namespaceSelector
option andlimitNamespaces
deprecated option, it means that all namespaces are allowed excluding system namespaces, which will affect the resulting limit namespaces calculation.