Role-based access control¶
MKE allows administrators to authorize users to view, edit, and use cluster resources by granting role-based permissions for specific resource sets.
To authorize access to cluster resources across your organization, high-level actions that MKE administrators can take include the following:
Add and configure subjects (users, teams, organizations, and service accounts).
Define custom roles (or use defaults) by adding permitted operations per resource type.
Group cluster resources into resource sets of Swarm collections or Kubernetes namespaces.
Create grants by combining subject, role, and resource set.
Note
Only administrators can manage Role-based access control (RBAC).
The following table describes the core elements used in RBAC:
Element |
Description |
---|---|
Subjects |
Subjects are granted roles that define the permitted operations for one or more resource sets and include:
|
Roles |
Roles define what operations can be done by whom. A role is a set of permitted operations for a type of resource, such as a container or volume. It is assigned to a user or a team with a grant. For example, the built-in Most organizations use multiple roles to fine-tune the appropriate access for different subjects. Users and teams may have different roles for the different resources they access. |
Resource sets |
Users can group resources into two types of resource sets to control user access: Docker Swarm collections and Kubernetes namespaces.
|
Grants |
Grants consist of a subject, role, and resource set, and define how specific users can access specific resources. All the grants of an organization taken together constitute an access control list (ACL), which is a comprehensive access policy for the organization. |
For complete information on how to configure and use role-based access control in MKE, refer to Authorize role-based access.