K10 RBAC

K10 uses Kubernetes ClusterRoles and Bindings to provide role-based access for K10 users.

Default K10 ClusterRoles

Every K10 deployment comes installed with three default K10 Cluster Roles.

K10-Admin

The k10-admin ClusterRole is useful for administrators who want uninterrupted access to all K10 operations.

A k10-admin user is allowed to work with all K10 APIs, including profiles, policies, actions, and restore points.

Note

k10-admin will be installed under the name <release_name>-admin.

The following is an example of the k10-admin Cluster Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k10-admin
rules:
- apiGroups:
  - config.kio.kasten.io
  - actions.kio.kasten.io
  - apps.kio.kasten.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - cr.kanister.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - '*'

K10-Admin Binding

The k10-admin ClusterRole needs a ClusterRoleBinding. Admin access needs to be cluster-wide.

To bind k10-admin, use the following command:

kubectl create clusterrolebinding <name> --clusterrole=k10-admin --user=<name>

K10-Basic

The k10-basic ClusterRole is useful for administrators who want to give some operational K10 access to users in specific namespaces.

A k10-basic user is allowed to back up and restore applications in namespaces they have access to. k10-basic also gives access to view application, action and restore point details in their namespaces.

Note

k10-basic will be installed under the name <release_name>-basic.

The following is an example of the k10-basic Cluster Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k10-basic
rules:
- apiGroups:
  - actions.kio.kasten.io
  resources:
  - backupactions
  - backupactions/details
  - restoreactions
  - restoreactions/details
  verbs:
  - '*'
- apiGroups:
  - apps.kio.kasten.io
  resources:
  - restorepoints
  - restorepoints/details
  - applications
  - applications/details
  verbs:
  - '*'

K10-Basic Binding

The k10-basic ClusterRole needs a RoleBinding in each namespace the user needs access to.

To bind k10-basic, use the following command:

kubectl create rolebinding k10-basic --namespace=<namespace> --clusterrole=k10-basic --user=<name>

Note

To give a k10-basic user dashboard access, an additional k10-dashboard-view binding is required. Make sure to bind k10-basic and k10-dashboard-view to the same user.

K10-Dashboard-View

The k10-dashboard-view ClusterRole is useful for administrators who want to give K10 dashboard view access to some users.

k10-dashboard-view gives the user a filtered (restricted) view of the K10 dashboard.

Note

k10-dashboard-view will be installed under the name <release_name>-dashboard-view.

The following is an example of the k10-dashboard-view Cluster Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k10-dashboard-view
rules:
- apiGroups:
  - actions.kio.kasten.io
  resources:
  - backupactions
  - restoreactions
  - importactions
  - exportactions
  - retireactions
  verbs:
  - get
  - list
- apiGroups:
  - apps.kio.kasten.io
  resources:
  - applications
  verbs:
  - get
  - list
- apiGroups:
  - config.kio.kasten.io
  resources:
  - profiles
  - policies
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get

K10-Dashboard-View Binding

The k10-dashboard-view ClusterRole needs a ClusterRoleBinding. Dashboard view access needs to be cluster-wide.

To bind k10-dashboard-view, use the following command:

kubectl create clusterrolebinding k10-dashboard-view --clusterrole=k10-dashboard-view --user=<name>
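
After binding k10-basic in one namespace and k10-dashboard-view cluster-wide to the same user, the resulting access can be checked against the rules listed above with kubectl auth can-i. The script below is an added example, not part of the K10 documentation: the function names and the KUBECTL override are assumptions made here, and it assumes the caller may impersonate users and that the user has no other bindings.

```shell
#!/bin/sh
# Added example: verify the effective access of a user bound to k10-basic
# (RoleBinding in one namespace) and k10-dashboard-view (ClusterRoleBinding).
# Assumptions: the caller may impersonate users (--as) and the user has no
# other bindings. KUBECTL can be overridden, e.g. to point at a wrapper.
KUBECTL=${KUBECTL:-kubectl}

# expect <yes|no> <user> <namespace> <verb> <resource>
# Prints one line per check and returns non-zero on a mismatch.
expect() {
  want=$1 user=$2 ns=$3 verb=$4 res=$5
  # "kubectl auth can-i" prints yes/no and exits non-zero on "no".
  got=$($KUBECTL auth can-i "$verb" "$res" --as="$user" -n "$ns") || true
  if [ "$got" = "$want" ]; then
    echo "ok    $user $verb $res in $ns: $got"
  else
    echo "FAIL  $user $verb $res in $ns: got '$got', want '$want'"
    return 1
  fi
}

# verify_k10_basic_user <user> <bound-namespace> <unbound-namespace>
verify_k10_basic_user() {
  user=$1 bound=$2 other=$3 rc=0
  # Granted by the k10-basic RoleBinding, only in the bound namespace.
  expect yes "$user" "$bound" create backupactions.actions.kio.kasten.io || rc=1
  expect yes "$user" "$bound" create restoreactions.actions.kio.kasten.io || rc=1
  expect yes "$user" "$bound" get restorepoints.apps.kio.kasten.io || rc=1
  # Granted cluster-wide by k10-dashboard-view, read-only.
  expect yes "$user" "$other" list policies.config.kio.kasten.io || rc=1
  # Must stay denied: writes outside the bound namespace, policy changes,
  # and the secrets rule that only k10-admin carries.
  expect no "$user" "$other" create backupactions.actions.kio.kasten.io || rc=1
  expect no "$user" "$bound" create policies.config.kio.kasten.io || rc=1
  expect no "$user" "$bound" create secrets || rc=1
  return $rc
}

# Run the checks when called as: ./script <user> <bound-ns> <other-ns>
if [ "$#" -eq 3 ]; then
  verify_k10_basic_user "$1" "$2" "$3"
fi
```

A FAIL line on one of the "no" checks means the user holds more access than these two roles grant, usually through another binding.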