
You must configure kfuse to implement RBAC in your deployment. Copy the following code into your <custom_values.yaml> file and edit it as necessary.

The following sections outline the basic steps and provide examples on how to configure various components of RBAC.

To review general concepts, see Role-Based Access Control (RBAC).

Enable RBAC

To enable RBAC, add the following code to the <custom_values.yaml> file. The line numbers below refer to the snippet that follows the table:

Line 3: RBACEnabled: true
    The default RBAC policy is a fully-enabled RBAC, with full access.
    To change the policy, change the default in the Policy Management interface to default_rbac_policy: rbac_allow_none.
    See Change a Policy.

Line 4: rbacDefaultUserRole: Editor
    The default user role for new users in KloudFuse is Editor.
    Admins can change this in the UI for individual users.
    See Assign Roles.
    To change the default assignment for new users to Viewer, use rbacDefaultUserRole: Viewer instead.

global:
  ...
  RBACEnabled: true
  rbacDefaultUserRole: Editor

Policy Configuration

Starting with Release 2.7.2, KloudFuse DOES NOT SUPPORT policy configuration at the script level.
Use Policy Management in the Kloud Fuse Admin tab, as described in Policy Configuration Management.

Use the following template and make your changes in the <custom_values.yaml> file. The whole template is commented out; uncomment the keys you need.

# user-mgmt-service:
#   config:
#     # Learn more:
#     # - "reserved" built-in group names (must not be used):
#     #   "kf_admin", "kf_reader_all"
#     # - built-in scope types:
#     #   scope_allow_all, scope_viewer_all, scope_allow_none
#     # - role types:
#     #   admin, editor, viewer
#     # Kloudfuse has the following built-in RBAC policies:
#     # rbac_allow_all - allows all operations for everyone
#     # rbac_allow_none - no access
#     # rbac_view_all - allows all READ operations for everyone
#     #
#     default_rbac_policy: rbac_allow_all
#     # groups map identity headers (id_key/value) to named groups
#     groups:
#     - name: group_admin
#       users:
#       - id_key: X-Auth-Request-Email
#         value: admin1@company.com
#     - name: group_viewer_target_namespace
#       users:
#       - id_key: X-Auth-Request-Email
#         value: op1@company.com
#     - name: group_editor_otel_namespace
#       users:
#       - id_key: X-Auth-Request-User
#         value: maintainer2userid
#     # rbac_policies combine a role with a data scope
#     rbac_policies:
#     - name: rbac_viewer_target_namespace
#       role: viewer
#       scope:
#         filters:
#         - key: kube_namespace
#           op: =
#           value: target
#         type: custom
#     - name: rbac_editor_otel_namespace
#       role: editor
#       scope:
#         filters:
#         - key: kube_namespace
#           op: =
#           value: otel-demo-app
#         type: custom
#     # rbac_configs bind a group to a policy (built-in or defined above)
#     rbac_configs:
#     - group: group_admin
#       policy: rbac_allow_all
#     - group: group_viewer_target_namespace
#       policy: rbac_viewer_target_namespace
#     - group: group_editor_otel_namespace
#       policy: rbac_editor_otel_namespace

Change default policy

Starting with Release 2.7.2, KloudFuse DOES NOT SUPPORT policy configuration at the script level.
Use Policy Management in the Kloud Fuse Admin tab, as described in Policy Configuration Management.

When RBAC is enabled, the default policy allows full access. Add the following to your <custom_values.yaml> to use a custom policy as the default, or to change the default from full access to no access.

Example: Default policy to disallow all capabilities

Note: Using "scope_allow_none" as the default policy ensures that a logged-in user doesn't have any capabilities (view data or take actions) in the system. It doesn't restrict the user from logging in to the Kloudfuse system.

  user-mgmt-service:
    config:
      # Kloudfuse has the following built-in RBAC policies:
      # rbac_allow_all - this policy grants admin-like access (View + Edit capabilities for all data scopes/workflows).
      # rbac_allow_none - this policy denies all capabilities (no data view, no edit workflow capabilities).
      # rbac_view_all - this policy grants viewer access to all data, no edit workflow capabilities.
      default_rbac_policy: rbac_allow_none

Example: Default policy to provide custom scope

The following example uses a custom policy called rbac_viewer_target_namespace (defined in the template above) as the default policy. Please see here to learn more about policy definition.

  user-mgmt-service:
    config:
      # built-in scope types:
      #   scope_allow_all -- this policy grants admin-like access
      #   scope_viewer_all -- this policy grants viewer access
      #   scope_allow_none -- this policy denies all capabilities
      default_rbac_policy: rbac_viewer_target_namespace
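The template above and the two default-policy examples describe a small structure: groups keyed by identity headers, policies built from a role and a scope, and rbac_configs that bind groups to policies, with default_rbac_policy as the fallback. Because a typo here silently changes who can see what, it is worth linting the section before the Helm upgrade. The following script is an added example, not KloudFuse code: it checks the section against the constraints stated on this page (reserved group names, valid roles and scope types, every referenced group and policy exists) and reports which policy a request with given auth headers would be bound to. The sample values are the page's template, parsed into a Python dict, with the default changed to rbac_allow_none; the resolution order (membership in every matching group, fallback to the default when no bound group matches) is an assumption made for illustration, not documented behaviour.

```python
"""Lint the RBAC section of custom_values.yaml and resolve a user's policies.

Added example. Validation rules are taken from the template comments on this
page; the resolution order in policies_for() is an ASSUMPTION for illustration.
In practice, load the dict with yaml.safe_load(open("custom_values.yaml")).
"""

# Values documented in the template comments
RESERVED_GROUPS = {"kf_admin", "kf_reader_all"}
BUILTIN_POLICIES = {"rbac_allow_all", "rbac_allow_none", "rbac_view_all"}
ROLES = {"admin", "editor", "viewer"}
SCOPE_TYPES = {"scope_allow_all", "scope_viewer_all", "scope_allow_none", "custom"}
USER_ROLES = {"Editor", "Viewer"}

# Constructed sample: the page's template, uncommented, parsed into a dict
VALUES = {
    "global": {"RBACEnabled": True, "rbacDefaultUserRole": "Viewer"},
    "user-mgmt-service": {"config": {
        "default_rbac_policy": "rbac_allow_none",
        "groups": [
            {"name": "group_admin",
             "users": [{"id_key": "X-Auth-Request-Email", "value": "admin1@company.com"}]},
            {"name": "group_viewer_target_namespace",
             "users": [{"id_key": "X-Auth-Request-Email", "value": "op1@company.com"}]},
            {"name": "group_editor_otel_namespace",
             "users": [{"id_key": "X-Auth-Request-User", "value": "maintainer2userid"}]},
        ],
        "rbac_policies": [
            {"name": "rbac_viewer_target_namespace", "role": "viewer",
             "scope": {"type": "custom",
                       "filters": [{"key": "kube_namespace", "op": "=", "value": "target"}]}},
            {"name": "rbac_editor_otel_namespace", "role": "editor",
             "scope": {"type": "custom",
                       "filters": [{"key": "kube_namespace", "op": "=", "value": "otel-demo-app"}]}},
        ],
        "rbac_configs": [
            {"group": "group_admin", "policy": "rbac_allow_all"},
            {"group": "group_viewer_target_namespace", "policy": "rbac_viewer_target_namespace"},
            {"group": "group_editor_otel_namespace", "policy": "rbac_editor_otel_namespace"},
        ],
    }},
}


def validate(values):
    """Return a list of problems; an empty list means the section is consistent."""
    problems = []
    g = values.get("global", {})
    if g.get("RBACEnabled") is not True:
        problems.append("global.RBACEnabled must be true for RBAC to apply")
    if g.get("rbacDefaultUserRole") not in USER_ROLES:
        problems.append(f"global.rbacDefaultUserRole must be one of {sorted(USER_ROLES)}")

    cfg = values.get("user-mgmt-service", {}).get("config", {})
    groups = {grp["name"] for grp in cfg.get("groups", [])}
    for name in sorted(groups & RESERVED_GROUPS):
        problems.append(f"group name {name!r} is reserved")

    defined = set()
    for pol in cfg.get("rbac_policies", []):
        defined.add(pol["name"])
        if pol["name"] in BUILTIN_POLICIES:
            problems.append(f"policy {pol['name']!r} shadows a built-in policy")
        if pol.get("role") not in ROLES:
            problems.append(f"policy {pol['name']!r}: role must be one of {sorted(ROLES)}")
        scope = pol.get("scope", {})
        if scope.get("type") not in SCOPE_TYPES:
            problems.append(f"policy {pol['name']!r}: unknown scope type {scope.get('type')!r}")
        if scope.get("type") == "custom" and not scope.get("filters"):
            problems.append(f"policy {pol['name']!r}: custom scope has no filters")

    known = BUILTIN_POLICIES | defined
    if cfg.get("default_rbac_policy") not in known:
        problems.append(f"default_rbac_policy {cfg.get('default_rbac_policy')!r} is not built-in or defined")
    for binding in cfg.get("rbac_configs", []):
        if binding.get("group") not in groups:
            problems.append(f"rbac_configs: unknown group {binding.get('group')!r}")
        if binding.get("policy") not in known:
            problems.append(f"rbac_configs: unknown policy {binding.get('policy')!r}")
    return problems


def policies_for(values, headers):
    """Policies a request carrying the given auth headers would be bound to.
    ASSUMPTION: a user is in every group with a matching id_key/value entry,
    and a user in no bound group falls back to default_rbac_policy."""
    cfg = values["user-mgmt-service"]["config"]
    member_of = {grp["name"] for grp in cfg.get("groups", [])
                 if any(headers.get(u["id_key"]) == u["value"] for u in grp["users"])}
    bound = [b["policy"] for b in cfg.get("rbac_configs", []) if b["group"] in member_of]
    return bound or [cfg["default_rbac_policy"]]


if __name__ == "__main__":
    for line in validate(VALUES) or ["no problems found"]:
        print(line)
    print(policies_for(VALUES, {"X-Auth-Request-Email": "op1@company.com"}))
    print(policies_for(VALUES, {"X-Auth-Request-Email": "someone@company.com"}))
```

Run it against your own values before upgrading the release; the second call in the usage block shows the point of the "disallow all" example: an authenticated user who matches no group lands on rbac_allow_none and can log in but see nothing.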

Apply changes

Starting with Release 2.7.2, KloudFuse DOES NOT SUPPORT policy configuration at the script level.
Use Policy Management in the Kloud Fuse Admin tab, as described in Policy Configuration Management.

After adding the desired configuration to the <custom_values.yaml> file, upgrade the KloudFuse release to apply the changes.
