Role-based access control (RBAC) is an approach that restricts system access to resources based on roles.
The Kublr RBAC model defines four kinds of objects that restrict access to the Kublr API.

Global scope impacts all spaces:
- GlobalRole
- GlobalRoleBinding

Space scope impacts objects within the given space only:
- SpaceRole
- SpaceRoleBinding
GlobalRole and SpaceRole contain rules that represent a set of permissions. Access is denied by default; a rule can only grant permissions, never revoke them. A role can be defined within a space as a SpaceRole, or globally as a GlobalRole.
A resource can contain a subresource. If you want to grant permissions on a subresource for all resources, use
And if you need to grant permissions on all subresources of a resource, use
For example, the following role grants permission to read cluster information within the space “develop”:

```yaml
kind: SpaceRole
metadata:
  name: ClusterReader
  space: develop
rules:
  - resources: ["cluster", "cluster/*"]
    verbs: ["get", "list"]
```

In this example, the role grants permission to administer clusters within the space “develop”:

```yaml
kind: SpaceRole
metadata:
  name: ClusterAdmin
  space: develop
rules:
  - resources: ["*"]
    verbs: ["*"]
```
The following verbs are supported:
- "*" (all of the above)
SpaceRoleBinding grants the permissions defined in a SpaceRole to a list of subjects (users or groups). A SpaceRoleBinding may reference a SpaceRole in the same space or a

SpaceRoleBinding grants the “ClusterReader” role to the user “Jane” within the develop space. This allows Jane to read clusters in the

```yaml
kind: SpaceRoleBinding
metadata:
  name: ClusterReader
  space: develop
roleRef:
  kind: SpaceRole
  name: ClusterReader
subjects:
  - kind: User
    name: jane
```
The following roles are predefined in Kublr.
Any user in the group “KublrFullAdmins” gets all permissions. The default user, “admin”, is granted these permissions through the following role and binding:

```yaml
kind: GlobalRole
metadata:
  name: KublrFullAdmin
rules:
  - resources: ["*"]
    verbs: ["*"]
---
kind: GlobalRoleBinding
metadata:
  name: KublrFullAdmins
roleRef:
  kind: GlobalRole
  name: KublrFullAdmin
subjects:
  - kind: Group
    name: KublrFullAdmins
```
All users can create their own spaces:
```yaml
kind: GlobalRole
metadata:
  name: KublrDefaultUser
rules:
  - resources: ["space"]
    verbs: ["post", "list"]
---
kind: GlobalRoleBinding
metadata:
  name: KublrDefaultUsers
roleRef:
  kind: GlobalRole
  name: KublrDefaultUser
subjects:
  - kind: Group
    name: KublrDefaultUsers
```
The user who creates a new space automatically gets all the permissions in the space. For example, if the user “Jane” creates space “JaneSpace” then the following SpaceRoleBinding will be created automatically:
```yaml
kind: SpaceRoleBinding
metadata:
  name: KublrFullAdmins
  space: JaneSpace
roleRef:
  kind: GlobalRole
  name: KublrFullAdmin
subjects:
  - kind: User
    name: jane
```
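To make the evaluation rules on this page concrete, the following toy authorizer (an added example, not Kublr's own code) loads the roles and bindings shown above as Python dictionaries and answers "may this subject perform this verb on this resource in this space?". It is deny-by-default, scopes SpaceRoleBindings to their own space, lets a GlobalRoleBinding apply everywhere, resolves a roleRef to either a GlobalRole or a SpaceRole in the binding's space, and reproduces the automatic KublrFullAdmins binding that a space creator receives. The exact wildcard semantics (`*` matching every resource, `cluster/*` matching every subresource of `cluster`, `*/status` matching one subresource of every resource) and the subresource name `nodes` are assumptions made for the example.

```python
"""Toy authorizer for Kublr-style RBAC objects (added example, not Kublr code).

Roles carry allow rules only, so anything no rule matches is denied.
Wildcard semantics are assumptions: "*" matches every resource, "cluster/*"
matches every subresource of cluster, "*/status" matches the "status"
subresource of every resource.
"""

# Constructed role objects mirroring the page's YAML. Key is (kind, space, name);
# a GlobalRole has no space, so its space is None.
ROLES = {
    ("GlobalRole", None, "KublrFullAdmin"): [
        {"resources": ["*"], "verbs": ["*"]}],
    ("GlobalRole", None, "KublrDefaultUser"): [
        {"resources": ["space"], "verbs": ["post", "list"]}],
    ("SpaceRole", "develop", "ClusterReader"): [
        {"resources": ["cluster", "cluster/*"], "verbs": ["get", "list"]}],
}

# Constructed bindings mirroring the page's YAML. A GlobalRoleBinding applies in
# every space; a SpaceRoleBinding only in its own. roleRef is (kind, name).
BINDINGS = [
    {"kind": "GlobalRoleBinding", "space": None, "name": "KublrFullAdmins",
     "roleRef": ("GlobalRole", "KublrFullAdmin"),
     "subjects": [("Group", "KublrFullAdmins")]},
    {"kind": "GlobalRoleBinding", "space": None, "name": "KublrDefaultUsers",
     "roleRef": ("GlobalRole", "KublrDefaultUser"),
     "subjects": [("Group", "KublrDefaultUsers")]},
    {"kind": "SpaceRoleBinding", "space": "develop", "name": "ClusterReader",
     "roleRef": ("SpaceRole", "ClusterReader"),
     "subjects": [("User", "jane")]},
]


def resource_matches(pattern, resource):
    """Match a rule's resource pattern against "resource" or "resource/sub"."""
    if pattern == "*":
        return True
    p_res, _, p_sub = pattern.partition("/")
    r_res, _, r_sub = resource.partition("/")
    res_ok = p_res == "*" or p_res == r_res
    # "cluster" alone does not cover "cluster/nodes"; "cluster/*" covers
    # every subresource but not the bare resource.
    sub_ok = p_sub == r_sub or (p_sub == "*" and r_sub != "")
    return res_ok and sub_ok


def rule_allows(rule, verb, resource):
    """A rule allows when both its verb list and a resource pattern match."""
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    return verb_ok and any(resource_matches(p, resource) for p in rule["resources"])


def binding_applies(binding, user, groups, space):
    """A binding counts only if it is in scope and names the caller or a group."""
    if binding["kind"] == "SpaceRoleBinding" and binding["space"] != space:
        return False
    subjects = binding["subjects"]
    return ("User", user) in subjects or any(("Group", g) in subjects for g in groups)


def is_allowed(roles, bindings, user, groups, verb, resource, space=None):
    """Deny by default: allow only if an in-scope binding's role has a matching rule."""
    for binding in bindings:
        if not binding_applies(binding, user, groups, space):
            continue
        ref_kind, ref_name = binding["roleRef"]
        # A GlobalRole is looked up without a space, a SpaceRole in the binding's space.
        role_space = None if ref_kind == "GlobalRole" else binding["space"]
        rules = roles.get((ref_kind, role_space, ref_name), [])
        if any(rule_allows(r, verb, resource) for r in rules):
            return True
    return False


def create_space(bindings, user, space):
    """Return bindings plus the automatic KublrFullAdmins binding for the creator."""
    return list(bindings) + [{
        "kind": "SpaceRoleBinding", "space": space, "name": "KublrFullAdmins",
        "roleRef": ("GlobalRole", "KublrFullAdmin"),
        "subjects": [("User", user)]}]


if __name__ == "__main__":
    jane = dict(user="jane", groups=["KublrDefaultUsers"])
    print(is_allowed(ROLES, BINDINGS, verb="get", resource="cluster/nodes",
                     space="develop", **jane))                       # True
    print(is_allowed(ROLES, BINDINGS, verb="delete", resource="cluster",
                     space="develop", **jane))                       # False
    print(is_allowed(ROLES, BINDINGS, verb="post", resource="space", **jane))  # True
    after = create_space(BINDINGS, "jane", "JaneSpace")
    print(is_allowed(ROLES, after, verb="delete", resource="cluster",
                     space="JaneSpace", **jane))                     # True
```

The checks worth noting are the negative ones: Jane's ClusterReader binding in "develop" does nothing in any other space, the bare pattern "cluster" does not reach subresources, and KublrDefaultUser lets her create spaces but not delete them. Only after create_space adds the creator binding does she hold full admin rights, and only inside JaneSpace.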