AuthorizationRule
Scope: Namespaced
Version: v1alpha1
Manages RBAC and authorization settings within a particular namespace.
The AuthorizationRule resource is used in the current role-based model and isn't used in the experimental role model.
- object
Required value
- string
Access level:
- User: has access to information about all objects (including viewing pod logs) but cannot exec into containers, read secrets, or perform port-forwarding;
- PrivilegedUser: the same as User + can exec into containers, read secrets, and delete pods (and thus restart them);
- Editor: the same as PrivilegedUser + can create and edit all objects that are usually required for application tasks;
- Admin: the same as Editor + can delete service objects (auxiliary resources such as ReplicaSet, certmanager.k8s.io/challenges and certmanager.k8s.io/orders).
Allowed values: User, PrivilegedUser, Editor, Admin
Example:
accessLevel: PrivilegedUser
- boolean
Defines whether scaling of Deployments and StatefulSets is allowed.
Default: false
- boolean
Allow/disallow the user to do port-forwarding.
Default: false
- array of objects
Required value
Users and/or groups to grant privileges.
Pay attention to the following nuances if this module is used together with the user-authn module:
- Use the user's email as the username to grant privileges to the specific user;
- When specifying a group, make sure that the necessary groups are allowed to be received from the provider, i.e., they are defined in the corresponding custom resource DexProvider.
- string
Required value
Type of user identification resource.
Allowed values: User, Group, ServiceAccount
Example:
kind: Group
- string
Required value
Resource name.
Example:
name: some-group-name
- string
ServiceAccount namespace.
Pattern: [a-z0-9]([-a-z0-9]*[a-z0-9])?
Length: 1..63
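A complete AuthorizationRule manifest that ties the fields above together, as an added example rather than one taken from this page or from the project. The page gives only the version (v1alpha1), the accessLevel, kind and name keys and the ServiceAccount namespace field; the API group deckhouse.io, the field names allowScale, portForwarding and subjects, and all metadata, group, user and ServiceAccount names are assumptions (constructed values are marked as such).

```yaml
# Added example manifest; the API group and the field names marked
# "assumed" are not stated on the page.
apiVersion: deckhouse.io/v1alpha1   # group assumed; version v1alpha1 is from the page
kind: AuthorizationRule
metadata:
  name: team-a-privileged           # constructed
  namespace: team-a                 # constructed; the rule applies only here (Scope: Namespaced)
spec:
  # Grants read access to all objects plus exec, secret reads and pod deletion.
  accessLevel: PrivilegedUser
  # Both booleans default to false; left explicit so reviewers see the intent.
  allowScale: false                 # assumed field name
  portForwarding: false             # assumed field name
  subjects:                         # assumed field name
  # A group name must be one the provider is allowed to return (see DexProvider).
  - kind: Group
    name: team-a-developers         # constructed
  # With user-authn, the user's email is the username.
  - kind: User
    name: jane.doe@example.com      # constructed
  # A ServiceAccount subject carries its namespace (pattern and length as above).
  - kind: ServiceAccount
    name: ci-deployer               # constructed
    namespace: team-a               # constructed
```

The manifest keeps port-forwarding and scaling off even though the subjects already hold PrivilegedUser; each escalation is then a visible, reviewable change to the rule rather than an implicit side effect of the access level, which makes drift in namespace-level grants easy to spot in review or in audit logs.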