Permissions
Permissions specify which interactions are allowed within the cluster. Once created, these permissions can be bound to a team or organization in order to apply them to the users or groups within the team or organization.
A number of default user-facing permissions are provided within MKE 4k, offering common sets with which you can set up a cluster quickly and securely. In addition, you can create your own custom permissions.
Default permissions
The permissions that make up the MKE 4k default permissions can be applied directly to particular roles that are used to create custom permissions.
| Permission | Description |
|---|---|
| cluster-admin | Enables super user access to perform an action on the cluster. |
| admin | Enables admin access within a namespace. |
| edit | Enables read/write access to most objects within a namespace. |
| view | Enables read-only access that allows you to see more objects within a namespace. |
For detail on the default permissions that Kubernetes offers, refer to the official Kubernetes documentation Using RBAC Authorization: User-facing roles.
Custom permissions
MKE 4k admins can create custom permissions that are fine-tuned for a precise set of needs. Such permissions can consist of other permissions or individual rules on a per object and per permission basis. You can set the scope of custom permissions, configuring them to apply to the entire cluster or to a specific namespace within the cluster.
To create custom permissions:
You generate custom permissions by creating a Kubernetes ClusterRole or
Kubernetes Role object, which you can do either through the command line or
by way of the MKE 4k Dashboard.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
```
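The scoping choice described above, as an added example that is not part of the MKE 4k documentation: the same secret-reading permission written as a namespaced Role, then narrowed to a single named Secret. The namespace `team-a`, the Role name `app-db-secret-reader` and the Secret name `app-db-credentials` are assumed values.

```yaml
# Added example; "team-a", "app-db-secret-reader" and "app-db-credentials"
# are assumed names, not values from the MKE 4k documentation.

# Variant 1: the same verbs as the ClusterRole above, but as a Role.
# A Role is namespaced, so the permission applies only inside "team-a"
# rather than to Secrets in every namespace of the cluster.
# Note that list and watch responses carry Secret data, not only names.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: team-a
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
---
# Variant 2: read access to one named Secret in "team-a".
# resourceNames limits the rule to the listed objects.
# Only "get" is granted: it is all that is needed to read a Secret by name.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: team-a
  name: app-db-secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["app-db-credentials"]
  verbs: ["get"]
```

Either object becomes effective for users only after it is bound to a team or organization, as described at the top of this page.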