Version: next

Roles

This table defines which roles can access resources in which way and in which scope

Application ViewerApplication EditorApplication OwnerCluster ViewerCluster EditorCluster Owner
view applicationโœ“โœ“โœ“โœ“โœ“โœ“
create aplicationโœ“โœ“
edit applicationโœ“โœ“
delete applicationโœ“โœ“
view componentโœ“โœ“โœ“โœ“โœ“โœ“
create componentโœ“โœ“โœ“โœ“
edit componentโœ“โœ“โœ“โœ“
delete componentโœ“โœ“โœ“โœ“
delete podโœ“โœ“โœ“โœ“
view pod logsโœ“โœ“โœ“โœ“โœ“โœ“
exec in podโœ“โœ“โœ“โœ“
view routesโœ“(1)โœ“(1)โœ“(1)โœ“โœ“โœ“
create routeโœ“(1)โœ“(1)โœ“โœ“
update routeโœ“(1)โœ“(1)โœ“โœ“
delete routeโœ“(1)โœ“(1)โœ“โœ“
view servicesโœ“โœ“โœ“โœ“โœ“โœ“
view protected endpointโœ“โœ“โœ“โœ“โœ“โœ“
create protected endpointโœ“โœ“โœ“โœ“
edit protected endpointโœ“โœ“โœ“โœ“
delete protected endpointโœ“โœ“โœ“โœ“
view storage classesโœ“โœ“โœ“โœ“โœ“โœ“
view disks(pvc)โœ“โœ“โœ“โœ“โœ“โœ“
delete disk(pv)โœ“โœ“
view https certsโœ“โœ“โœ“
create/upload https certsโœ“โœ“
edit uploaded https certsโœ“โœ“
delete https certsโœ“โœ“
view pvsโœ“โœ“โœ“
view registriesโœ“โœ“โœ“โœ“โœ“
create registryโœ“โœ“
edit registryโœ“โœ“
delete registryโœ“โœ“
view nodesโœ“โœ“โœ“
cordon nodesโœ“โœ“
uncordon nodesโœ“โœ“
view logging systemsโœ“โœ“โœ“
create logging systemโœ“โœ“
update logging systemโœ“โœ“
delete logging systemโœ“โœ“
view cluster infoโœ“(2)โœ“(2)โœ“(2)โœ“โœ“โœ“
initialize clusterโœ“
reset clusterโœ“
view sso configโœ“(3)โœ“โœ“
create sso configโœ“โœ“
edit sso configโœ“โœ“
delete sso configโœ“โœ“
view access tokenโœ“(4)โœ“(4)โœ“(4)โœ“
create access tokenโœ“(4)โœ“(4)โœ“(4)โœ“
edit access tokenโœ“(4)โœ“(4)โœ“(4)โœ“
delete access tokenโœ“(4)โœ“(4)โœ“(4)โœ“
view users rolesโœ“โœ“โœ“
grant/revoke user rolesโœ“(5)โœ“(5)โœ“
  1. HttpRoute targes can cross applications. A httpRoute is visible to a user only when the user has view permission for all targets. The same for edit permissions.
  2. Ingress IP and Ingress hostname are not visible by application roles.
  3. No api/secret informations
  4. A user can view/edit a access token only if the user's permissions is greater or equal than the access token.
  5. Cluster editor can grant/revoke application user roles, but not cluster level. Application owner can grant/revoke user roles under the same application.
note

If the user identity is valid, the list api will not return 401, but will hide all items that are not authorized. But other api will return 401 if the request resource is not authorized.

How to create role binding

Via dashboard

note

Working in progress

Via kubectl

note

Working in progress

Last updated on by david