Role-Based Data Access
As part of RBAC implementation, a user can also achieve role based data access (view). To achieve this,
kloudfuse can be configured with Groups having assigned RBAC Policy (role and the associated view/scope) and together they define the RBAC Configuration of the system. To configure the system correctly please go through the following definitions.
Group
A group is set of users (a team) who share same RBAC configuration. In other words, share the same role and scope.
# Group name - name: group_editor_otel_namespace # List of users users: - id_key: X-Auth-Request-Email value: user@company.com - id_key: X-Auth-Request-User value: 123456789
User
A user is defined by a user id value. For example an email address. Kloudfuse RBAC uses the information obtained from the configured IAM during the login process. See following example of some user valid configurations.
- id_key: X-Auth-Request-Email value: user@company.com
kfuse uses id keys by default. Other id keys can be added as well.
RBAC Policy
An RBAC policy is defined by a role (one of the "admin"/"editor"/"viewer")
and a scope assigned to that role.
Example policy: Viewer role for a custom scope.
# policy name - name: rbac_viewer_target_namespace # Role (one of admin/viewer/editor) role: viewer # Custom scope giving access to data generated from kube_namespace called "target" scope: filters: - key: kube_namespace op: = value: target type: custom
Example policy: Admin for all.
# policy name - name: rbac_admin_all # Role (one of admin/viewer/editor) role: admin # using inbuilt scope "all" scope: type: all
Example policy: Viewer role for a custom scope with regular expression in filter.
# policy name - name: rbac_viewer_target_namespace # Role (one of admin/viewer/editor) role: viewer # Custom scope giving access to data generated from kube_namespace called "target" scope: filters: - key: kube_namespace op: =~ value: dev-.* type: custom
Scope
A scope defines what data a given user has access to. Kloudfuse platform has following inbuilt (reserved) access types.
Type: scope_allow_all
This scope allows access to all data. Typically used for users with "Admin"
capabilities.
Type: scope_allow_none
Fully restricted. User will not be allowed any access.
Type: scope_viewer_all
Only read access to all data. Typically used for support operators who only needs to visualize and wouldn’t be making configuration changes.
Type: custom
Custom scopes can be used to provided limited access to data. For a scope to match all filters should match. Each filter is defined by a key
, an operator (=
, ~=
, =~
, !~
) and value
to match. For example, following custom scope is defining a filter which matches data such that kube_namespace="target"
:
scope: type: custom filters: - key: kube_namespace op: = value: target
RBAC Configuration
An RBAC configuration ties a given group to a given RBAC policy. Many such configurations can be configured in kfuse.
rbac_configs: - group: group_editor_otel_namespace policy: rbac_editor_otel_namespace - group: group_viewer_target_namespace policy: rbac_viewer_target_namespace