RBAC in Platform9 Managed Kubernetes

Role-based Access Control (RBAC) is enabled by default on all Platform9 Managed Kubernetes clusters.

Kubernetes RBAC Privileges for Keystone Roles

A user who has the admin role on a Keystone project has complete access to all Kubernetes clusters in the project.

A user with the admin role has the permissions to do the following.

  • Create relevant RBAC roles and role bindings for any user or group, for any cluster in the project, using the Kubernetes APIs.
  • Create additional groups and assign role bindings to those groups.

All users who have the member role for a Keystone project are part of the ssu_users group. To grant common permissions to all users, an admin user can grant the required permissions to the ssu_users group.

For existing apps and workloads to continue to work, make sure to add appropriate RBAC permissions for the service accounts that the apps use.

Refer to Kubernetes RBAC documentation for details on Kubernetes RBAC Authorization APIs.
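
The two grants described above (common permissions for the ssu_users group, and permissions for a workload's service account), written as namespace-scoped manifests. This is an added example, not taken from Platform9 documentation; the namespace team-a, the service account app-sa and the object names are hypothetical, and the group is assumed to be presented to Kubernetes under the name ssu_users.

```yaml
# Added example. Namespace "team-a", service account "app-sa" and all object
# names are hypothetical; the group name is assumed to reach Kubernetes as
# "ssu_users", as written on this page.
---
# Read-only access in one namespace for every member-role user.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ssu-users-view
  namespace: team-a
subjects:
  - kind: Group
    name: ssu_users
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view            # built-in Kubernetes read-only role
  apiGroup: rbac.authorization.k8s.io
---
# Minimal permissions for an existing workload's service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-config-reader
  namespace: team-a
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
# Bind the Role above to the service account the workload runs as.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-sa-config-reader
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: team-a
roleRef:
  kind: Role
  name: app-config-reader
  apiGroup: rbac.authorization.k8s.io
```

Using a RoleBinding rather than a ClusterRoleBinding keeps each grant confined to one namespace. An admin can check the result with `kubectl auth can-i list pods -n team-a --as=placeholder-user --as-group=ssu_users`, where placeholder-user is any stand-in user name.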

All users have the permissions to do the following.

  • Proxy into the API server, which allows the users to open the dashboard and the web CLI from the Platform9 Clarity UI.
  • List all namespaces (strictly read-only), which allows the users to use the dashboard and App Catalog by selecting a namespace they have access to.