Groups represent users with the same set of permissions. When users log in, their RBAC group memberships are also evaluated. The actual set of permissions that a user has is the aggregate of all the roles assigned to the user account and the roles assigned to every group to which the user belongs.
A group can be assigned to a cluster or a specific namespace within a cluster. Use the Role Binding option in the Tectonic cluster to do so.
Individual users can be members of multiple groups. Individual LDAP users and groups aren't viewable in the Tectonic Console; however, the roles and role bindings attached to users and groups are displayed on the individual Roles page. Editing the YAML associated with an individual role is permitted for users holding the necessary rights. A rule or role binding can be created from the role detail page.
Before proceeding, ensure that the prerequisites given in the respective Identity Provider (IdP) section are met. Depending on the IdP used in the deployment, see one of the following:
Access rights are granted to a group associated with a role by using a Role Binding. Do either of the following in Tectonic Console:
Grant access rights to a user group by associating an appropriate Cluster Role with a Cluster Role Binding. Make sure that Group is selected under Subject while creating the Cluster Role Binding. A Cluster Role Binding grants permissions to the user group in all namespaces across the entire cluster.
The namespace field is omitted from the configuration because Cluster Roles are not namespaced.
In this example, a cluster-wide Role Binding, SFO-DC-Admin-Group, is created for the default admin role that has full control over the resources in the cluster. To verify, go to the Roles page, click cluster-admin, then select Role Bindings. If creating this Role Binding is successful, SFO-DC-Admin-Group will be listed under the Role Bindings associated with the cluster-admin role.
To assign a user group to a namespace, use one of the default Cluster or Namespace Roles, or create a new role for the selected Namespace. Bind the role to an appropriate Role Binding. Make sure that Group is selected under Subject while creating the binding.
While a Cluster Role can be bound down the hierarchy to a Namespace Role Binding, a Namespace Role can't be promoted up the hierarchy to be bound to a Cluster Role Binding.
In this example, a Namespace Role Binding, SFO-DC-Group, is created for the pod-reader role that has read access to the pods within tectonic-system. To verify, go to the Roles page, click pod-reader, then select Role Bindings. If creating this Role Binding is successful, SFO-DC-Group will be listed under the Role Bindings associated with the pod-reader role. The Subject will be Group, which implies that all the members of this group will have read access to the pods within tectonic-system.
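The two bindings above (the cluster-wide SFO-DC-Admin-Group binding and the namespaced SFO-DC-Group binding) and the aggregation rule from the start of this page can be checked end to end with a small evaluator. This is an added example, not Tectonic's own code: the role and binding manifests are constructed to match the page's descriptions, the rules for cluster-admin and pod-reader are assumed, and the functions allowed and validate_binding are hypothetical names. It shows why SFO-DC-Group members can read pods only in tectonic-system while SFO-DC-Admin-Group members have access everywhere, and why a Cluster Role Binding can never reference a namespaced Role.

```python
"""Resolve effective RBAC access from user and group bindings.

Added example, not Tectonic's own code. The manifests below are constructed to
match the two bindings described on this page. The evaluator applies the
page's aggregation rule: a user's access is the union of every role bound to
the user directly and every role bound to any group the user belongs to.
"""

# Constructed roles. cluster-admin stands in for the default full-control role;
# pod-reader is the namespaced read-only role from the second example.
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "tectonic-system"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
]

# Constructed bindings. The ClusterRoleBinding carries no metadata.namespace,
# because cluster-scoped bindings are not namespaced; the RoleBinding does.
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "SFO-DC-Admin-Group"},
     "subjects": [{"kind": "Group", "name": "SFO-DC-Admin-Group"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    {"kind": "RoleBinding", "metadata": {"name": "SFO-DC-Group", "namespace": "tectonic-system"},
     "subjects": [{"kind": "Group", "name": "SFO-DC-Group"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
]


def validate_binding(binding):
    """Return a list of problems (empty means valid). Encodes the hierarchy rule:
    a RoleBinding may reference a ClusterRole or a Role, but a ClusterRoleBinding
    may only reference a ClusterRole, never a namespaced Role."""
    problems = []
    kind = binding["kind"]
    namespace = binding["metadata"].get("namespace")
    ref_kind = binding["roleRef"]["kind"]
    if kind == "ClusterRoleBinding":
        if namespace is not None:
            problems.append("ClusterRoleBinding must not set metadata.namespace")
        if ref_kind != "ClusterRole":
            problems.append("ClusterRoleBinding may only reference a ClusterRole")
    elif kind == "RoleBinding":
        if namespace is None:
            problems.append("RoleBinding requires metadata.namespace")
        if ref_kind not in ("Role", "ClusterRole"):
            problems.append("RoleBinding roleRef.kind must be Role or ClusterRole")
    return problems


def rules_for(role_ref, binding_namespace):
    """Look up the rules a roleRef points at; a dangling reference grants nothing."""
    for role in ROLES:
        if (role["kind"], role["metadata"]["name"]) != (role_ref["kind"], role_ref["name"]):
            continue
        # A Role is only visible to bindings in its own namespace.
        if role["kind"] == "Role" and role["metadata"]["namespace"] != binding_namespace:
            continue
        return role["rules"]
    return []


def subject_matches(subject, user, groups):
    """True when the binding subject names this user or one of the user's groups."""
    if subject["kind"] == "User":
        return subject["name"] == user
    return subject["kind"] == "Group" and subject["name"] in groups


def rule_permits(rule, api_group, resource, verb):
    """Wildcard-aware match of one policy rule against a request."""
    def matches(allowed_values, value):
        return "*" in allowed_values or value in allowed_values
    return (matches(rule["apiGroups"], api_group)
            and matches(rule["resources"], resource)
            and matches(rule["verbs"], verb))


def allowed(user, groups, namespace, resource, verb, api_group=""):
    """Union of direct and group-derived bindings, scoped by binding kind."""
    for binding in BINDINGS:
        if validate_binding(binding):
            continue  # a malformed binding grants nothing
        if not any(subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        binding_ns = binding["metadata"].get("namespace")
        # A RoleBinding only grants inside its own namespace, even when it
        # references a ClusterRole; a ClusterRoleBinding applies everywhere.
        if binding["kind"] == "RoleBinding" and binding_ns != namespace:
            continue
        if any(rule_permits(r, api_group, resource, verb)
               for r in rules_for(binding["roleRef"], binding_ns)):
            return True
    return False


if __name__ == "__main__":
    print(allowed("alice", ["SFO-DC-Admin-Group"], "default", "deployments", "delete", "apps"))  # True
    print(allowed("bob", ["SFO-DC-Group"], "tectonic-system", "pods", "get"))  # True
    print(allowed("bob", ["SFO-DC-Group"], "default", "pods", "get"))  # False
```

The evaluator deliberately treats any binding that fails validate_binding as granting nothing, which is the conservative default a reviewer wants when auditing exported bindings: a Cluster Role Binding that points at a namespaced Role, or a Role Binding with no namespace, should be fixed rather than silently widened or narrowed.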
Users and groups that are removed from LDAP or SAML remain cached, but those users can no longer access their clusters.