An individual user can be assigned to a cluster or to a specific namespace within a cluster. Users have permissions on resources within their cluster or namespace as defined in the Role.
Before proceeding, ensure that the prerequisites given in the respective Identity Provider (IdP) section are met. Depending on the IdP used in the deployment, see one of the following:
Access rights are granted to a user associated with a role by using a Role Binding. Do either of the following in Tectonic Console:
user.
Grant access rights to a user by associating an appropriate Cluster Role with a Cluster Role Binding. A Cluster Role Binding grants permissions to users in all namespaces across the entire cluster. The namespace field is omitted from the configuration because Cluster Roles are not namespaced.
Select a Role Name from the drop-down.
If you have navigated from the Roles page, the name of the selected Role will be displayed. For information on Roles, see Default Roles in Tectonic.
In this example, a Cluster Role Binding, SFO-DC-User, is created for the default user role. The user role has access to all common objects within a cluster, but is prevented from changing the RBAC policies. To verify, go to the Roles page, click user, then select Role Bindings. If creating this Cluster Role Binding is successful, SFO-DC-User will be listed under the Role Bindings associated with the user role.
To assign a namespace user, use one of the default Cluster or Namespace Roles, or create a new role for the selected Namespace. Bind the role to an appropriate Role Binding.
While a Cluster Role can be bound down the hierarchy to a Namespace Role Binding, a Namespace Role can't be promoted up the hierarchy to be bound to a Cluster Role Binding.
Select a Role Name from the drop-down.
If you have navigated from the Roles page, the name of the selected Role will be displayed, as given in the image below. For information on Roles, see Default Roles in Tectonic.
In this example, a Namespace Role Binding, SFO-DOC-Pod, is created for the pod-reader role, which has read access over the pods in the tectonic-system namespace. To verify, go to the Roles page, click pod-reader, then select Role Bindings. If creating this Role Binding is successful, SFO-DOC-Pod will be listed under the Role Bindings associated with the pod-reader role.
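The scoping rules above (a Cluster Role Binding carries no namespace, a Cluster Role can be bound by a namespace Role Binding, a namespace Role cannot be bound by a Cluster Role Binding) can be checked before a binding is created. The following is an added example, not code from Tectonic or this page. The manifests are constructed, the names user-in-one-namespace, bad-promotion and jane@example.com are hypothetical, and pod-reader is assumed to be a namespace Role in tectonic-system.

```python
# Added example, not Tectonic code. Manifests and the subject name are constructed.
API = "rbac.authorization.k8s.io"

def review_binding(m):
    """Return (scope, problems) for one binding manifest given as a dict."""
    kind = m.get("kind")
    ns = m.get("metadata", {}).get("namespace")
    ref_kind = m.get("roleRef", {}).get("kind")
    problems = []
    if kind == "ClusterRoleBinding":
        scope = "cluster-wide"
        if ns:
            problems.append("namespace set on a ClusterRoleBinding, which is not namespaced")
        if ref_kind != "ClusterRole":
            problems.append("a namespace Role cannot be bound by a ClusterRoleBinding")
    elif kind == "RoleBinding":
        scope = "namespace:" + (ns or "<unset>")
        if not ns:
            problems.append("RoleBinding has no explicit namespace")
        if ref_kind not in ("Role", "ClusterRole"):
            problems.append("roleRef.kind must be Role or ClusterRole")
    else:
        scope = "unknown"
        problems.append("not a binding kind: %r" % kind)
    if not m.get("subjects"):
        problems.append("binding has no subjects")
    return scope, problems

def binding(kind, name, ref_kind, ref_name, namespace=None):
    """Build a constructed manifest; jane@example.com is a placeholder user."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"apiVersion": API + "/v1", "kind": kind, "metadata": meta,
            "roleRef": {"apiGroup": API, "kind": ref_kind, "name": ref_name},
            "subjects": [{"kind": "User", "apiGroup": API, "name": "jane@example.com"}]}

SAMPLES = [
    binding("ClusterRoleBinding", "SFO-DC-User", "ClusterRole", "user"),
    # Assumption: pod-reader is a namespace Role in tectonic-system.
    binding("RoleBinding", "SFO-DOC-Pod", "Role", "pod-reader", "tectonic-system"),
    # A Cluster Role bound down the hierarchy: access limited to one namespace.
    binding("RoleBinding", "user-in-one-namespace", "ClusterRole", "user", "tectonic-system"),
    # A namespace Role promoted up the hierarchy: invalid.
    binding("ClusterRoleBinding", "bad-promotion", "Role", "pod-reader"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["metadata"]["name"], *review_binding(m))
```

The third sample is the least-privilege form of the first: the same user Cluster Role, but the grant stops at the tectonic-system namespace.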