Before you begin
This procedure requires the following configurations and background:
- A Konvoy cluster with Kommander installed.
- An Identity Provider has been created.
- Some familiarity with Kubernetes role-based access control principles.
- 4 configured groups in Kommander
Create Role-Based Access Control Personas
Manage access to resources on Kubernetes clusters through the RBAC API. The base premise revolves around assigning users to groups, which are then associated with roles that control their level of access through role bindings. This procedure describes how a cluster administrator can assign different levels of access to Kubernetes and Kommander resources in the Kommander UI.
Kommander has three levels of access control to support global, workspace, and project use cases. Kommander creates default roles at all three levels to simplify the process of assigning users to different levels of access to resources.
In this procedure, using these default roles, you will create four different personas with users assigned to them:
- Global admin: these users can administer all Kubernetes and Kommander resources on the management cluster and all target clusters.
- Global viewer: these users have read-only viewing access to all Kubernetes and Kommander resources on the management cluster and all target clusters.
- Workspace admin: these users can administer the workspaces they have specifically been given access to.
- Workspace viewer: these users can access the workspaces they specifically have access to, in a read-only capacity.
If you have not done so already, create a group to represent each of the personas. For more details on groups, see the Identity Providers page and the Identity Provider tutorial.
Federation of personas
Personas created in a workspace will get federated in all attached clusters. This means that policies created in a workspace will result in federatedclusterrolebindings objects in the Kommander cluster and the federation of clusterrolebindings objects in the attached clusters, binding a group to specific roles.
Grant access to personas
You have already assigned users to groups that represent the four different personas. You must now change resource access levels for each persona, and associate roles with the groups using policies.
Global Admin persona
The Global Admin persona should have admin access to all resources on the management cluster and all target clusters in all workspaces.
This persona has these roles:
- Cluster Admin Role: a ClusterRole that applies to all target clusters in all workspaces.
- Kommander Global Admin Role: a ClusterRole that applies to the management cluster.
Users in groups bound to these roles will have admin rights across all clusters managed on Kommander, including the management cluster.
Using the Kommander UI
In the Kommander UI, do the following:
- Select Global in the header drop-down.
- Select Administration > Access Control.
- Select the Cluster Roles tab. Kommander creates several default roles. Select the Cluster Admin Role and Kommander Global Admin Role for this persona.
- Select the Cluster Policies tab and add these two roles to the Global Admin group.
You have now created role bindings that associate the Global Admin group with these two roles. These roles ensure the users in the Global Admin group have admin access to the management cluster and all target clusters.
Using kubectl
Assuming you have kubectl attached to your Kommander cluster and you have a VirtualGroup named global-admin, apply these two VirtualGroupKommanderClusterRoleBinding objects to link the group to the roles:
```yaml
apiVersion: workspaces.kommander.mesosphere.io/v1alpha1
kind: VirtualGroupKommanderClusterRoleBinding
metadata:
  name: global-admin-cluster-role-binding
spec:
  clusterRoleRef:
    name: cluster-admin
  virtualGroupRef:
    name: global-admin
---
apiVersion: workspaces.kommander.mesosphere.io/v1alpha1
kind: VirtualGroupKommanderClusterRoleBinding
metadata:
  name: global-admin-kommander-role-binding
spec:
  clusterRoleRef:
    name: kommander-global-admin
  virtualGroupRef:
    name: global-admin
```
Global Viewer persona
The Global Viewer persona should have read-only access to all resources on the management cluster and all target clusters.
This persona has the following cluster roles:
- View Role: a ClusterRole that applies to all target clusters in all workspaces.
- Global Kommander View Role: a ClusterRole that applies to the management cluster.
Using the Kommander UI
In the Kommander UI, do the following:
- Select Global in the header drop-down.
- Select Administration > Access Control.
- Select the Cluster Roles tab. Kommander creates several default roles. Select View Role and Global Kommander View Role for this persona.
- Select the Cluster Policies tab and add these two roles to the Global Viewer group.
You have now created role bindings that associate the Global Viewer group with these two roles. These roles ensure that the users in the Global Viewer group have read-only access to the management cluster and all target clusters.
Using kubectl
Assuming you have kubectl attached to your Kommander cluster and you have a VirtualGroup named global-viewer, you can apply these two VirtualGroupKommanderClusterRoleBinding objects to link the group to the roles:
```yaml
# Both bindings reference the global-viewer group; the binding names follow the same pattern.
apiVersion: workspaces.kommander.mesosphere.io/v1alpha1
kind: VirtualGroupKommanderClusterRoleBinding
metadata:
  name: global-viewer-cluster-role-binding
spec:
  clusterRoleRef:
    name: view
  virtualGroupRef:
    name: global-viewer
---
apiVersion: workspaces.kommander.mesosphere.io/v1alpha1
kind: VirtualGroupKommanderClusterRoleBinding
metadata:
  name: global-viewer-kommander-role-binding
spec:
  clusterRoleRef:
    name: kommander-global-view
  virtualGroupRef:
    name: global-viewer
```
Workspace Admin persona
The Workspace Admin persona should have admin access to the Default Workspace. This allows users to administer all namespaced resources in the workspace namespace on the management cluster and all cluster resources on the workspace’s target clusters.
This persona has the following roles:
- Workspace Admin Role: a WorkspaceRole that applies to all target clusters in all workspaces.
- Kommander Workspace Admin Role: a KommanderWorkspaceRole that applies to the management cluster. This role grants admin access to the workspace namespace on the management cluster. When a VirtualGroupKommanderWorkspaceRoleBinding with this role is created, a ClusterRole and a VirtualGroupKommanderClusterRoleBinding are created automatically at the global level to allow access to this workspace specifically, instead of all workspaces.
Using the Kommander UI
In the Kommander UI, do the following:
- Select Global in the header drop-down.
- Select Administration > Access Control.
- Select the Cluster Roles tab. This persona has these roles: Workspace Admin Role and Kommander Workspace Admin Role.
- Select the Cluster Policies tab and assign these two roles to the Workspace Admin group.
Using kubectl
Assuming you have kubectl attached to your Kommander cluster and a VirtualGroup named workspace-admin, you can apply this template to link the group to the roles:
```yaml
apiVersion: workspaces.kommander.mesosphere.io/v1alpha1
kind: VirtualGroupWorkspaceRoleBinding
metadata:
  name: workspace-admin-role-binding
  namespace: <namespace-of-workspacerole-workspace-admin>
spec:
  workspaceRoleRef:
    name: workspace-admin
  virtualGroupRef:
    name: workspace-admin
---
apiVersion: workspaces.kommander.mesosphere.io/v1alpha1
kind: VirtualGroupKommanderWorkspaceRoleBinding
metadata:
  name: workspace-admin-kommander-role-binding
  namespace: <namespace-of-kommanderworkspacerole-kommander-workspace-admin>
spec:
  kommanderWorkspaceRoleRef:
    name: kommander-workspace-admin
  virtualGroupRef:
    name: workspace-admin
```
Workspace Viewer persona
The Workspace Viewer persona grants users in a specific group read access to the Default Workspace. Users in the group can view all namespaced resources in the workspace namespace on the management cluster and all cluster resources on the workspace’s target clusters.
This persona has the following roles:
- Workspace View Role: a WorkspaceRole that applies to all target clusters in all workspaces.
- Kommander Workspace View Role: a KommanderWorkspaceRole that applies to the management cluster. This role grants read access to the workspace namespace on the management cluster. When a VirtualGroupKommanderWorkspaceRoleBinding with this role is created, a ClusterRole and a VirtualGroupKommanderClusterRoleBinding are created automatically at the global level to allow access to this workspace specifically, instead of all workspaces.
Using the Kommander UI
In the Kommander UI, do the following:
- Select Global in the header drop-down.
- Select Administration > Access Control.
- Select the Cluster Roles tab. This persona has the following roles: Workspace View Role and Kommander Workspace View Role.
- Select the Cluster Policies tab and assign these two roles to the Workspace Viewer group.
Using kubectl
Assuming you have kubectl attached to your Kommander cluster and a VirtualGroup named workspace-viewer, you can apply this template to link the group to the roles:
```yaml
apiVersion: workspaces.kommander.mesosphere.io/v1alpha1
kind: VirtualGroupWorkspaceRoleBinding
metadata:
  name: workspace-viewer-role-binding
  namespace: <namespace-of-workspacerole-workspace-view>
spec:
  workspaceRoleRef:
    name: workspace-view
  virtualGroupRef:
    name: workspace-viewer
---
apiVersion: workspaces.kommander.mesosphere.io/v1alpha1
kind: VirtualGroupKommanderWorkspaceRoleBinding
metadata:
  name: workspace-viewer-kommander-role-binding
  namespace: <namespace-of-kommanderworkspacerole-kommander-workspace-view>
spec:
  kommanderWorkspaceRoleRef:
    name: kommander-workspace-view
  virtualGroupRef:
    name: workspace-viewer
```
Custom personas
You have customized the access level of the four examples using default roles provided by Kommander. You can extend the same process to use any custom configured roles as well by:
- Creating a group with users to represent a persona.
- Selecting roles that represent that persona’s level of access.
- Creating policies that bind roles to groups.
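The four personas above as a single table, with a generator for their binding manifests and a lint pass that catches the mistakes that creep in when a template is cloned: a viewer group bound to an admin role, a binding that names the wrong group, or a workspace binding with no namespace. This is an added example, not Kommander's own tooling; the persona table, the lint rules and the `<workspace-ns>` placeholder are assumptions, while the kinds, role-reference keys and default role names come from the manifests on this page.

```python
API = "workspaces.kommander.mesosphere.io/v1alpha1"
# persona -> (virtual group, target-cluster role, management-cluster role, workspace namespace)
# Role names are Kommander's defaults as used above; <workspace-ns> is a placeholder (assumption).
PERSONAS = {
    "global-admin": ("global-admin", "cluster-admin", "kommander-global-admin", None),
    "global-viewer": ("global-viewer", "view", "kommander-global-view", None),
    "workspace-admin": ("workspace-admin", "workspace-admin", "kommander-workspace-admin", "<workspace-ns>"),
    "workspace-viewer": ("workspace-viewer", "workspace-view", "kommander-workspace-view", "<workspace-ns>"),
}
# The role-reference key each binding kind carries, taken from the page's manifests.
REF_KEY = {
    "VirtualGroupKommanderClusterRoleBinding": "clusterRoleRef",
    "VirtualGroupWorkspaceRoleBinding": "workspaceRoleRef",
    "VirtualGroupKommanderWorkspaceRoleBinding": "kommanderWorkspaceRoleRef",
}
ADMIN_ROLES = {"cluster-admin", "kommander-global-admin", "workspace-admin", "kommander-workspace-admin"}

def _binding(kind, name, ref, role, group, ns):
    meta = {"name": name} if ns is None else {"name": name, "namespace": ns}
    return {"apiVersion": API, "kind": kind, "metadata": meta,
            "spec": {ref: {"name": role}, "virtualGroupRef": {"name": group}}}

def bindings_for(persona):
    """Two bindings per persona: one for the target clusters, one for the management cluster."""
    group, target_role, mgmt_role, ns = PERSONAS[persona]
    if ns is None:  # global personas: cluster-scoped bindings to ClusterRoles
        k = "VirtualGroupKommanderClusterRoleBinding"
        return [_binding(k, f"{group}-cluster-role-binding", "clusterRoleRef", target_role, group, None),
                _binding(k, f"{group}-kommander-role-binding", "clusterRoleRef", mgmt_role, group, None)]
    return [_binding("VirtualGroupWorkspaceRoleBinding", f"{group}-role-binding",
                     "workspaceRoleRef", target_role, group, ns),
            _binding("VirtualGroupKommanderWorkspaceRoleBinding", f"{group}-kommander-role-binding",
                     "kommanderWorkspaceRoleRef", mgmt_role, group, ns)]

def lint(binding, expected_group):
    """Problems worth catching before kubectl apply: wrong role-ref key for the kind, a workspace
    binding without a namespace, a binding naming a different group than intended, or a viewer
    group handed an admin role (an assumed naming convention: viewer groups end in 'viewer')."""
    kind, meta, spec = binding["kind"], binding["metadata"], binding["spec"]
    ref, group, problems = REF_KEY[kind], spec["virtualGroupRef"]["name"], []
    if ref not in spec:
        problems.append(f"{meta['name']}: {kind} needs spec.{ref}")
    if ref != "clusterRoleRef" and not meta.get("namespace"):
        problems.append(f"{meta['name']}: {kind} must be namespaced")
    if group != expected_group:
        problems.append(f"{meta['name']}: binds {group}, expected {expected_group}")
    if group.endswith("viewer") and spec.get(ref, {}).get("name") in ADMIN_ROLES:
        problems.append(f"{meta['name']}: viewer group {group} bound to admin role")
    return problems
```

Serialise the dicts with any YAML library and run `lint` over every document before applying; the checks are cheap and the second one, a viewer persona silently granted admin, is the one that matters most.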