Authorization
Authorization Overview
For a comprehensive explanation of how Kubernetes authorizes user actions, please refer to the official Kubernetes documentation: Authorization.
SCK uses Role-Based Access Control (RBAC) for user authorization.
Role-Based Access Control
If you are new to RBAC, you might want to read the official Kubernetes documentation first: Using RBAC Authorization.
As mentioned in the Kubernetes Service Portal documentation, members of your KKP project might have different roles assigned:
- Owner: Full access, allows all actions, also able to remove other owners and groups from the project.
- Editor: Write access and management of clusters, nodes and SSH keys.
- Viewer: Read-only access, can only view existing resources.
These KKP roles decide what actions a KKP project member is authorized to perform via the KKP Dashboard (for example managing MachineDeployments for a cluster). However, when interacting with your Kubernetes clusters programmatically using tools like kubectl, an authenticated user will be authorized (or not) according to the cluster-specific RBAC table. Only project owners and editors can see the RBAC tab at the bottom of the cluster page. There they can assign roles to Kubernetes users.
Roles can be either namespaced or cluster-wide, meaning you grant permissions either on specific namespaces or on the whole cluster by creating bindings. There are predefined roles to choose from. Please find their descriptions in the KKP documentation.
To assign a role to a user, navigate to the Resources > Clusters tab and select your cluster from the list. Select the RBAC tab at the bottom of the page and select User from the dropdown just below. Then click Add Binding. In the popup window, choose between a Cluster or Namespace binding, enter the User Email and select a Role from the dropdown. Then click Add Binding. Similarly, you can add bindings to Kubernetes service accounts: just select ServiceAccount instead of User from the dropdown in the RBAC table.
Note
The RBAC table dropdown allows you to select Group instead of ServiceAccount or User. Please ignore this option; it is not supported.
Important
If you create a cluster using the KKP Dashboard, your user will automatically be assigned the cluster-admin role for that cluster. In other cases, you will need to have an appropriate role explicitly assigned to be authorized to perform actions on the cluster programmatically.
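The two kinds of binding the RBAC tab creates, shown as plain Kubernetes manifests in an added example that is not taken from the SCK or KKP documentation: a Namespace binding for a user identified by email, and a Cluster binding for a service account. The names alice@example.com, team-a, ci-deployer and ci are made up, and view and edit are the standard Kubernetes ClusterRoles rather than necessarily the predefined roles the dashboard offers.

```yaml
# Added example, not from the SCK/KKP docs. Subject and namespace names are
# made up; "view" and "edit" are the built-in Kubernetes ClusterRoles.
#
# Namespace binding for a user. The subject name must be exactly the email
# the cluster sees in the user's identity token (the "User Email" field).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-view-team-a
  namespace: team-a          # permissions apply only inside this namespace
subjects:
- kind: User
  name: alice@example.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole          # a ClusterRole may be bound within one namespace
  name: view
  apiGroup: rbac.authorization.k8s.io
---
# Cluster binding for a service account. This grants "edit" in every
# namespace, so prefer the namespaced form above unless the workload really
# needs cluster-wide access.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ci-deployer-edit
subjects:
- kind: ServiceAccount       # no apiGroup for ServiceAccount subjects
  name: ci-deployer
  namespace: ci              # service accounts always live in a namespace
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
```

After applying these with kubectl apply, check the result the way the API server will evaluate it: kubectl auth can-i list pods -n team-a --as=alice@example.com should answer yes, and the same query with -n kube-system should answer no.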