RBAC Authorization

Role-based access control (RBAC) is an approach that restricts system access to resources based on roles.

Overview

The Kublr RBAC model defines four kinds of objects that restrict access to the Kublr API.

Global Scope

Global scope impacts all spaces.

- GlobalRole
- GlobalRoleBinding

Space Scope

Space scope impacts objects within the given space only.

- SpaceRole
- SpaceRoleBinding

GlobalRole and SpaceRole

GlobalRole and SpaceRole contain rules that represent a set of permissions. Access is denied by default: a request is allowed only if a rule grants it. A role can be defined within a space as a SpaceRole, or globally as a GlobalRole.

A resource can contain subresources. To grant permissions on one subresource across all resources, use */subresource; to grant permissions on all subresources of a resource, use resource/*.

For example, the following role grants permission to read cluster information (get and list) within the space “develop”:

kind: SpaceRole
metadata:
  name: ClusterReader
  space: develop
rules:
- resources: ["cluster", "cluster/*"]
  verbs: ["get", "list"]

In this example, the role grants permission to administer clusters within the space “develop” (all verbs on all resources in that space):

kind: SpaceRole
metadata:
  name: ClusterAdmin
  space: develop
rules:
- resources: ["*"]
  verbs: ["*"]

The following verbs are supported:

  • list (get list of objects)
  • get (get object itself)
  • post (create)
  • put (update)
  • delete (delete object)
  • * (all of above)

Global resource/subresource:

  • globalrole
  • globalrolebinding
  • space
  • * (all resources)

Spaced resource/subresource:

  • cluster
    • cluster/applications
    • cluster/register
    • cluster/deregister
    • cluster/install.sh
    • cluster/bundle.sh
    • cluster/remove.sh
  • secret
    • secret/test
  • backup
  • backupconfiguration
  • event
  • spacerole
  • spacerolebinding
  • *

GlobalRoleBinding and SpaceRoleBinding

A SpaceRoleBinding grants the permissions defined in a SpaceRole to a list of subjects (users or groups). A SpaceRoleBinding may reference a SpaceRole in the same space or a GlobalRole.

The following SpaceRoleBinding grants the “ClusterReader” role to the user “Jane” within the develop space. This allows Jane to read clusters in the develop space.

kind: SpaceRoleBinding
metadata:
  name: ClusterReader
  space: develop
roleRef:
  kind: SpaceRole
  name: ClusterReader
subjects:
- kind: User
  name: jane

Predefined Roles

The following roles are predefined in Kublr.

Any user in the group “KublrFullAdmins” gets all permissions. The default user is “admin”, which has the following role and binding:

kind: GlobalRole
metadata:
  name: KublrFullAdmin
rules:
- resources: ["*"]
  verbs: ["*"]

kind: GlobalRoleBinding
metadata:
  name: KublrFullAdmins
roleRef:
  kind: GlobalRole
  name: KublrFullAdmin
subjects:
- kind: Group
  name: KublrFullAdmins

All users can create their own spaces:

kind: GlobalRole
metadata:
  name: KublrDefaultUser
rules:
- resources: ["space"]
  verbs: ["post", "list"]

kind: GlobalRoleBinding
metadata:
  name: KublrDefaultUsers
roleRef:
  kind: GlobalRole
  name: KublrDefaultUser
subjects:
- kind: Group
  name: KublrDefaultUsers

The user who creates a new space automatically gets all permissions in that space. For example, if the user “Jane” creates the space “JaneSpace”, the following SpaceRoleBinding is created automatically:

kind: SpaceRoleBinding
metadata:
  name: KublrFullAdmins
  space: JaneSpace
roleRef:
  kind: GlobalRole
  name: KublrFullAdmin
subjects:
- kind: User
  name: jane
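The following is an added example, not Kublr's own code, that ties together the rule semantics (deny by default, "*", "resource/*" and "*/subresource" patterns), the binding resolution (SpaceRoleBindings that reference a SpaceRole or a GlobalRole, GlobalRoleBindings that apply in every space) and the predefined roles above. The objects in OBJECTS are the roles and bindings shown on this page transcribed as Python dicts (constructed sample data); the evaluation logic is an assumption about how the documented pieces combine, written to illustrate the model rather than to reproduce the Kublr API server.

```python
"""Toy evaluator for the Kublr-style RBAC objects on this page (deny by default).

Added example, not Kublr's own code. OBJECTS holds the page's roles and
bindings as constructed sample data; the evaluation rules below are assumptions:
global bindings apply in every space, space bindings only in their own space,
and any request that no rule allows is denied.
"""
from typing import Dict, List, Optional, Set

OBJECTS: List[dict] = [  # constructed from the YAML examples on this page
    {"kind": "GlobalRole", "metadata": {"name": "KublrFullAdmin"},
     "rules": [{"resources": ["*"], "verbs": ["*"]}]},
    {"kind": "GlobalRoleBinding", "metadata": {"name": "KublrFullAdmins"},
     "roleRef": {"kind": "GlobalRole", "name": "KublrFullAdmin"},
     "subjects": [{"kind": "Group", "name": "KublrFullAdmins"}]},
    {"kind": "GlobalRole", "metadata": {"name": "KublrDefaultUser"},
     "rules": [{"resources": ["space"], "verbs": ["post", "list"]}]},
    {"kind": "GlobalRoleBinding", "metadata": {"name": "KublrDefaultUsers"},
     "roleRef": {"kind": "GlobalRole", "name": "KublrDefaultUser"},
     "subjects": [{"kind": "Group", "name": "KublrDefaultUsers"}]},
    {"kind": "SpaceRole", "metadata": {"name": "ClusterReader", "space": "develop"},
     "rules": [{"resources": ["cluster", "cluster/*"], "verbs": ["get", "list"]}]},
    {"kind": "SpaceRoleBinding", "metadata": {"name": "ClusterReader", "space": "develop"},
     "roleRef": {"kind": "SpaceRole", "name": "ClusterReader"},
     "subjects": [{"kind": "User", "name": "jane"}]},
    {"kind": "SpaceRoleBinding", "metadata": {"name": "KublrFullAdmins", "space": "JaneSpace"},
     "roleRef": {"kind": "GlobalRole", "name": "KublrFullAdmin"},
     "subjects": [{"kind": "User", "name": "jane"}]},
]


def resource_matches(pattern: str, resource: str) -> bool:
    """Match a rule's resource pattern against a requested resource.

    "*" matches every resource and subresource; "cluster" matches only the
    resource itself, not "cluster/register"; "cluster/*" matches every
    subresource of cluster; "*/register" matches "register" on any resource.
    """
    if pattern == "*":
        return True
    p_parts, r_parts = pattern.split("/"), resource.split("/")
    if len(p_parts) != len(r_parts):
        return False
    return all(p == "*" or p == r for p, r in zip(p_parts, r_parts))


def role_allows(role: dict, verb: str, resource: str) -> bool:
    """A role allows a request if one of its rules matches both verb and resource."""
    for rule in role["rules"]:
        verb_ok = any(v == "*" or v == verb for v in rule["verbs"])
        resource_ok = any(resource_matches(p, resource) for p in rule["resources"])
        if verb_ok and resource_ok:
            return True
    return False


def _find_role(kind: str, name: str, space: Optional[str]) -> Optional[dict]:
    """Look up a GlobalRole by name, or a SpaceRole by name inside a space."""
    for obj in OBJECTS:
        if obj["kind"] != kind or obj["metadata"]["name"] != name:
            continue
        if kind == "GlobalRole" or obj["metadata"].get("space") == space:
            return obj
    return None


def _binding_covers(binding: dict, user: str, groups: Set[str]) -> bool:
    """True if the binding names the user, or one of the user's groups, as a subject."""
    return any(
        (s["kind"] == "User" and s["name"] == user)
        or (s["kind"] == "Group" and s["name"] in groups)
        for s in binding["subjects"]
    )


def roles_for(user: str, groups: Set[str], space: Optional[str]) -> List[dict]:
    """Collect the roles bound to the user that are in force for this scope.

    GlobalRoleBindings apply everywhere; SpaceRoleBindings only inside their own
    space. space=None means a global resource such as "space" or "globalrole".
    """
    roles = []
    for binding in OBJECTS:
        if binding["kind"] == "GlobalRoleBinding":
            binding_space = None
        elif binding["kind"] == "SpaceRoleBinding":
            binding_space = binding["metadata"]["space"]
            if binding_space != space:
                continue
        else:
            continue
        if not _binding_covers(binding, user, groups):
            continue
        ref = binding["roleRef"]
        role = _find_role(ref["kind"], ref["name"], binding_space)
        if role is not None:  # a dangling roleRef grants nothing
            roles.append(role)
    return roles


def is_allowed(user: str, groups: Set[str], verb: str, resource: str,
               space: Optional[str] = None) -> bool:
    """Deny by default: allowed only if some bound role has a matching rule."""
    return any(role_allows(r, verb, resource) for r in roles_for(user, groups, space))


if __name__ == "__main__":
    print(is_allowed("jane", {"KublrDefaultUsers"}, "get", "cluster/applications", "develop"))
    print(is_allowed("jane", {"KublrDefaultUsers"}, "post", "cluster", "develop"))
```

Running the module prints True and then False: Jane can read cluster subresources in "develop" through the ClusterReader binding, but creating a cluster there is not granted by any rule and so falls through to the default deny. The same evaluator shows that Jane's JaneSpace binding to the GlobalRole KublrFullAdmin gives her every verb on every resource in that space only, and that her KublrDefaultUsers membership allows "post" but not "delete" on the global "space" resource.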
