Tectonic Identity uses Kubernetes' integrated Role-Based Access Control (RBAC) to manage user roles and permissions within Tectonic clusters.
Use Tectonic Console to define Roles which grant a set of permissions to Accounts through Role Bindings.
By default, Tectonic offers three account types, and two Role and Role Binding types:
Account types:
Role types: Role, Cluster Role
Role Binding types: Role Binding, Cluster Role Binding
A Role Binding can reference both Roles and Cluster Roles to grant permissions to resources. This allows administrators to define a set of common Roles for the entire cluster, then reuse them within multiple namespaces.
For example, creating a Role Binding in the `dev` namespace that binds a user to the `edit` Cluster Role won't have any impact outside of the `dev` namespace, even though it references a Cluster Role.
An attempt to access a resource or perform a command not allowed by the user's defined permissions will be rejected by the API server.
For more information on user authentication and access management, see Creating Accounts and Creating Roles.
RBAC may be configured using Tectonic Console or kubectl. The following example creates two YAML files, a Cluster Role and a Cluster Role Binding, which together grant user Jane Doe basic access to the cluster.
First, create a Cluster Role named `support-readonly` that can `get`, `list` and `watch` namespaces and pods, and read pod logs:

```yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: support-readonly
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  - namespaces/finalize
  - namespaces/status
  - pods
  # "logs" is not an RBAC verb: kubectl logs performs a "get" on the
  # pods/log subresource, so that subresource is listed here instead.
  - pods/log
  verbs:
  - get
  - list
  - watch
```
Then, create a Cluster Role Binding that binds the `support-readonly` Cluster Role to jane.doe's group `tstgrp`:

```yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: support-reader
  # A ClusterRoleBinding is cluster-scoped, so it carries no namespace.
subjects:
- kind: Group
  name: tstgrp
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: support-readonly
  apiGroup: rbac.authorization.k8s.io
```
Tectonic Console and kubectl now reflect the updated role and binding.
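To make two points on this page concrete (a Role Binding that references a Cluster Role only grants inside its own namespace, and the API server rejects any request no rule allows), here is an added Python model of the RBAC check. It is not Tectonic's or Kubernetes' code; the `support-readonly` role follows the YAML above, while the cut-down `edit` rule set, the `tstgrp` and `dev` bindings and the requests are constructed for the example (only Cluster Roles are modelled).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    api_groups: frozenset  # one entry of a role's `rules` list
    resources: frozenset
    verbs: frozenset

def rule_matches(rule, api_group, resource, verb):
    # Every field must match literally or via the "*" wildcard.
    return all("*" in have or want in have
               for have, want in ((rule.api_groups, api_group),
                                  (rule.resources, resource),
                                  (rule.verbs, verb)))

# Constructed catalogue: the page's support-readonly ClusterRole plus a
# cut-down stand-in for the built-in "edit" ClusterRole (ClusterRoles only).
ROLES = {
    ("ClusterRole", "support-readonly"): [
        Rule(frozenset({""}), frozenset({"namespaces", "pods", "pods/log"}),
             frozenset({"get", "list", "watch"}))],
    ("ClusterRole", "edit"): [
        Rule(frozenset({""}), frozenset({"pods", "services", "configmaps"}),
             frozenset({"get", "list", "watch", "create", "update", "patch", "delete"}))],
}

# Constructed bindings; namespace is None for a cluster-scoped ClusterRoleBinding.
BINDINGS = [
    {"kind": "ClusterRoleBinding", "namespace": None,
     "subjects": {("Group", "tstgrp")},
     "roleRef": ("ClusterRole", "support-readonly")},
    {"kind": "RoleBinding", "namespace": "dev",
     "subjects": {("User", "jane.doe")},
     "roleRef": ("ClusterRole", "edit")},
]

def allowed(user, groups, verb, resource, namespace=None, api_group=""):
    """True if some binding for user/groups grants verb on resource.
    namespace=None is a cluster-scoped request (e.g. listing namespaces)."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for binding in BINDINGS:
        if not subjects & binding["subjects"]:
            continue
        # A RoleBinding only grants inside its own namespace, even via a ClusterRole.
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue
        if any(rule_matches(r, api_group, resource, verb)
               for r in ROLES.get(binding["roleRef"], [])):
            return True
    return False
```

Note that a request using the non-existent verb `logs` is denied even for a member of `tstgrp`, which is why the role above grants `get` on `pods/log` instead.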