RBAC: Data Access

Starting with Release 2.7.2, we manage RBAC through the UI, in the KloudFuse Admin tab.
See Role-Based Access Control (RBAC).
The information on this page applies to RBAC for Release 2.7.1 and earlier.

Role-Based Data Access

As part of the RBAC implementation, a user's view of data can also be restricted by role (role-based data access). To achieve this, Kloudfuse is configured with Groups, each assigned an RBAC Policy (a role and its associated view, or scope); together these define the RBAC Configuration of the system. The following definitions are needed to configure the system correctly.

Group

A group is a set of users (a team) who share the same RBAC configuration, that is, the same role and scope.

# Group name
- name: group_editor_otel_namespace
  # List of users
  users:
    - id_key: X-Auth-Request-Email
      value: user@company.com
    - id_key: X-Auth-Request-User
      value: 123456789

User

A user is identified by an id key and its value, for example an email address. Kloudfuse RBAC takes this information from the configured IAM during the login process. The following is a valid user entry:

- id_key: X-Auth-Request-Email
  value: user@company.com

kfuse recognizes the id keys used in the examples on this page (X-Auth-Request-Email and X-Auth-Request-User) by default. Other id keys can be added as well.

RBAC Policy

An RBAC policy is defined by a role (one of admin, editor or viewer) and a scope assigned to that role.

Example policy: Viewer role for a custom scope.

# policy name
- name: rbac_viewer_target_namespace
  # Role (one of admin/viewer/editor)
  role: viewer
  # Custom scope giving access to data generated from kube_namespace called "target"
  scope:
    filters:
      - key: kube_namespace
        op: =
        value: target
    type: custom

Example policy: Admin for all.
Example policy: Viewer role for a custom scope with regular expression in filter.

Scope

A scope defines what data a given user has access to. The Kloudfuse platform has the following built-in (reserved) scope types.

Type: scope_allow_all

This scope allows access to all data. Typically used for users with "Admin" capabilities.

Type: scope_allow_none

Fully restricted. The user is not allowed any access.

Type: scope_viewer_all

Read-only access to all data. Typically used for support operators who only need to visualize data and would not make configuration changes.

Type: custom

Custom scopes can be used to provide limited access to data. For a scope to match, all of its filters must match. Each filter is defined by a key, an operator (=, ~=, =~, !~) and a value to match. For example, the custom scope in the rbac_viewer_target_namespace policy above defines a single filter that matches data such that kube_namespace="target".

RBAC Configuration

An RBAC configuration ties a given group to a given RBAC policy. Many such configurations can be defined in kfuse.
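As an added illustration (not Kloudfuse code), the following Python models the evaluation rules this page describes: group membership by id key, a policy as a role plus a scope, custom scopes in which every filter must match, and the reserved scope types. It includes the "Admin for all" and "regular expression in filter" policies named under RBAC Policy as constructed examples, and it ties groups to policies with an assumed {group, policy} pair, since the page does not show the shape of an RBAC configuration entry. Also assumed, because the page does not say: =~ and !~ are anchored (full-match) regular expressions, a label that is absent from a data point never satisfies a filter, a custom scope with no filters grants nothing, and scope_viewer_all caps the effective role at viewer. The group group_editor_otel_namespace and the policy rbac_viewer_target_namespace are the ones shown above; every other group, policy, identity and data point is constructed for the example.

```python
import re

# Reserved scope types named on this page.
SCOPE_ALLOW_ALL = "scope_allow_all"
SCOPE_ALLOW_NONE = "scope_allow_none"
SCOPE_VIEWER_ALL = "scope_viewer_all"
SCOPE_CUSTOM = "custom"

# Constructed sample configuration: Python literals standing in for the YAML,
# so the example runs without a YAML library.
GROUPS = [
    {"name": "group_editor_otel_namespace",  # group shown on this page
     "users": [{"id_key": "X-Auth-Request-Email", "value": "user@company.com"},
               {"id_key": "X-Auth-Request-User", "value": "123456789"}]},
    {"name": "group_platform_admins",        # constructed for the example
     "users": [{"id_key": "X-Auth-Request-Email", "value": "admin@company.com"}]},
]
POLICIES = [
    {"name": "rbac_viewer_target_namespace", "role": "viewer",  # policy shown on this page
     "scope": {"type": SCOPE_CUSTOM,
               "filters": [{"key": "kube_namespace", "op": "=", "value": "target"}]}},
    {"name": "rbac_admin_all", "role": "admin",                 # constructed: admin for all
     "scope": {"type": SCOPE_ALLOW_ALL}},
    {"name": "rbac_viewer_otel_regex", "role": "viewer",        # constructed: regex filters
     "scope": {"type": SCOPE_CUSTOM,
               "filters": [{"key": "kube_namespace", "op": "=~", "value": "otel-.*"},
                           {"key": "kube_cluster", "op": "!~", "value": "prod.*"}]}},
]
# Assumed shape of an RBAC configuration entry: one group tied to one policy.
RBAC_CONFIG = [
    {"group": "group_editor_otel_namespace", "policy": "rbac_viewer_target_namespace"},
    {"group": "group_editor_otel_namespace", "policy": "rbac_viewer_otel_regex"},
    {"group": "group_platform_admins", "policy": "rbac_admin_all"},
]


def filter_matches(flt, labels):
    """Apply one filter {key, op, value} to a data point's labels.
    An absent label never satisfies a filter (fail closed; assumption)."""
    actual = labels.get(flt["key"])
    if actual is None:
        return False
    op, want = flt["op"], flt["value"]
    if op == "=":
        return actual == want
    if op == "=~":  # assumption: anchored regular expression, like re.fullmatch
        return re.fullmatch(want, actual) is not None
    if op == "!~":
        return re.fullmatch(want, actual) is None
    # "~=" is listed on the page without a definition; refuse rather than guess.
    raise ValueError(f"unsupported filter operator {op!r}")


def scope_allows(scope, labels):
    """Does this scope expose the data point? A custom scope needs ALL filters to match."""
    t = scope["type"]
    if t in (SCOPE_ALLOW_ALL, SCOPE_VIEWER_ALL):
        return True
    if t == SCOPE_ALLOW_NONE:
        return False
    if t == SCOPE_CUSTOM:
        filters = scope.get("filters") or []
        if not filters:  # all([]) is True; never let an empty custom scope mean "everything"
            return False
        return all(filter_matches(f, labels) for f in filters)
    raise ValueError(f"unknown scope type {t!r}")


def user_in_group(group, identity):
    """identity: id_key -> value, as supplied by the IAM at login."""
    return any(identity.get(u["id_key"]) == u["value"] for u in group["users"])


def effective_roles(identity, labels, groups=GROUPS, policies=POLICIES, config=RBAC_CONFIG):
    """Roles under which `identity` may access the data point `labels`.
    An empty set means no access; scope_viewer_all is capped to viewer (assumption)."""
    by_group = {g["name"]: g for g in groups}
    by_policy = {p["name"]: p for p in policies}
    roles = set()
    for entry in config:
        group, policy = by_group[entry["group"]], by_policy[entry["policy"]]
        if not user_in_group(group, identity):
            continue
        if scope_allows(policy["scope"], labels):
            capped = policy["scope"]["type"] == SCOPE_VIEWER_ALL
            roles.add("viewer" if capped else policy["role"])
    return roles


if __name__ == "__main__":
    alice = {"X-Auth-Request-Email": "user@company.com"}
    print(effective_roles(alice, {"kube_namespace": "target"}))                          # {'viewer'}
    print(effective_roles(alice, {"kube_namespace": "otel-collector", "kube_cluster": "dev-1"}))  # {'viewer'}
    print(effective_roles(alice, {"kube_namespace": "otel-collector"}))                  # set(): kube_cluster absent
    print(effective_roles({"X-Auth-Request-Email": "admin@company.com"}, {"kube_namespace": "x"}))  # {'admin'}
```

Two details are worth checking against a real configuration before relying on it: whether the regular-expression operators are anchored (the model above treats "otel-.*" as not matching "xotel-collector"), and how a filter behaves when the data point lacks the label at all (the model denies access in that case, so a data point without kube_cluster is hidden even though "!~ prod.*" would read as permissive).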