Configure kfuse to implement RBAC in your deployment. Copy the following code into your <custom_values.yaml> file and edit it as necessary. Please look through the comments for example and. To learn more, review the concepts.

Enable RBAC

To enable RBAC, add the following to your <custom_values.yaml>. When RBAC is enabled, the default RBAC policy allows full access. Be sure to change the default policy.

Code Block
global:
  ...
  RBACEnabled: true

Policy Configuration

Use the following template and make your changes in <custom_values.yaml>.

Code Block
# user-mgmt-service:
#   config:
    # # Learn more:
    # # - "reserved" built-in group names (should not be used):
    # #   "kf_admin", "kf_reader_all"
    # # - built-in scope types:
    # #   scope_allow_all, scope_viewer_all, scope_allow_none
    # # - role types:
    # #   admin, editor, viewer
    # #
    # default_rbac_policy: rbac_allow_all
    # groups:
    # - name: group_admin
    #   users:
    #   - id_key: X-Auth-Request-Email
    #     value: admin1@company.com
    # - name: group_viewer_target_namespace
    #   users:
    #   - id_key: X-Auth-Request-Email
    #     value: op1@company.com
    # - name: group_editor_otel_namespace
    #   users:
    #   - id_key: X-Auth-Request-User
    #     value: maintainer2userid
    # rbac_policies:
    # - name: rbac_viewer_target_namespace
    #   role: viewer
    #   scope:
    #     filters:
    #     - key: kube_namespace
    #       op: =
    #       value: target
    #     type: custom
    # - name: rbac_editor_otel_namespace
    #   role: editor
    #   scope:
    #     filters:
    #     - key: kube_namespace
    #       op: =
    #       value: otel-demo-app
    #     type: custom
    # rbac_configs:
    # - group: group_admin
    #   policy: scope_allow_all
    # - group: group_viewer_target_namespace
    #   policy: rbac_viewer_target_namespace
    # - group: group_editor_otel_namespace
    #   policy: rbac_editor_otel_namespace

...

Change default policy

When RBAC is enabled, the default policy allows full access. Add the following to your <custom_values.yaml> to use your custom policy, or to change the default policy from full access to no access.

Code Block
user-mgmt-service:
  config:
    # # - built-in scope types:
    # #   scope_allow_all, scope_viewer_all, scope_allow_none
    # #
    # default_rbac_policy must be nested under config, as in the template above
    default_rbac_policy: ""

Apply changes

After updating the values.yaml file with the desired configuration, upgrade the kfuse release.
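
Before upgrading, the settings above can be sanity-checked offline. The following is an added example, not part of kfuse or of the original page: the function name `lint_rbac` is hypothetical, the sample values are constructed, and it assumes that an unset `default_rbac_policy`, `rbac_allow_all` or `scope_allow_all` all leave the default at full access.

```python
# Added example: lint the RBAC section of custom_values.yaml before upgrading.
# Input is the parsed file as a dict (e.g. what yaml.safe_load() would return).
RESERVED_GROUPS = {"kf_admin", "kf_reader_all"}
BUILTIN_SCOPES = {"scope_allow_all", "scope_viewer_all", "scope_allow_none"}
ROLES = {"admin", "editor", "viewer"}
# Assumption: these values, or leaving the key unset, keep the full-access default.
FULL_ACCESS_DEFAULTS = {None, "rbac_allow_all", "scope_allow_all"}

def lint_rbac(values):
    """Return a list of findings for a parsed custom_values.yaml dict."""
    findings = []
    if (values.get("global") or {}).get("RBACEnabled") is not True:
        findings.append("global.RBACEnabled is not true: RBAC is off")
    # A key placed beside config instead of under it is not seen here.
    cfg = (values.get("user-mgmt-service") or {}).get("config") or {}
    if cfg.get("default_rbac_policy") in FULL_ACCESS_DEFAULTS:
        findings.append("default_rbac_policy still allows full access")
    groups = {g.get("name") for g in cfg.get("groups") or []}
    for name in sorted(groups & RESERVED_GROUPS):
        findings.append(f"group '{name}' uses a reserved built-in name")
    policies = set()
    for p in cfg.get("rbac_policies") or []:
        policies.add(p.get("name"))
        if p.get("role") not in ROLES:
            findings.append(f"policy '{p.get('name')}' has unknown role '{p.get('role')}'")
    for b in cfg.get("rbac_configs") or []:
        if b.get("group") not in groups:
            findings.append(f"binding references undefined group '{b.get('group')}'")
        if b.get("policy") not in policies | BUILTIN_SCOPES:
            findings.append(f"binding references undefined policy '{b.get('policy')}'")
    return findings

# Constructed sample with three mistakes: full-access default, a reserved
# group name, and a binding whose policy name does not match any policy.
VALUES = {
    "global": {"RBACEnabled": True},
    "user-mgmt-service": {"config": {
        "default_rbac_policy": "rbac_allow_all",
        "groups": [{"name": "kf_admin", "users": []},
                   {"name": "group_viewer_target_namespace", "users": []}],
        "rbac_policies": [{"name": "rbac_viewer_target_namespace", "role": "viewer"}],
        "rbac_configs": [
            {"group": "kf_admin", "policy": "scope_allow_all"},
            {"group": "group_viewer_target_namespace", "policy": "rbac_viewer_target_ns"},
        ],
    }},
}

if __name__ == "__main__":
    for finding in lint_rbac(VALUES):
        print("WARN:", finding)
```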

...