RBAC πŸ›‚

Introduction

Komodor allows assigning users with Roles to control their access and permissions (such as what data they can read or which resources they can modify).

Komodor Roles

Roles are built from one or more policies.

Built-in Roles

  • account-admin - has full permissions on the account
  • viewer - has access to view all resources on the account
  • developer - has access to view all resources and perform the following basic actions:
    "delete:pod",
    "scale:deployment",
    "scale:statefulset",
    "restart:deployment",
    "restart:statefulset",
    "rerun:job"

Learn more about actions

Please note - The built-in account-admin role and policy cannot be modified, there has to be at-least one account-admin on the account, the last account-admin cannot be removed or provided with a different role.

Temporary Roles

Temporary roles are role attachments with an expiration date. When the expiration date is reached. roles are automatically detached from the user. 

An example use-case for temporary roles can be access to an on-call role which grants permissions on a wider scope, or a short-lived access required for a specific project.

To attach a temporary role to a user:

  • Access the settings page
  • Go to the Users tab
  • For the specific user, Click the Edit button
  • Click Save

Komodor Policies

Policies define a set of actions & resources they can performed at.

A policy is built from a statement, formatted as follows:

[   
    {
        "actions": [],
        "resources": []
    },
    {
        "actions": [],
        "resources": []        
    }
]

 

Please note: The creation of Multi Statement Policies is not supported within Komodor, but the functionality can be achieved by creating multiple single-statement Policy resources and adding these to a single Role - a Role can have multiple policies.

Actions

A list of allowed actions, formatted as follows:
action:supported-resource-type

List of the supported combinations:

Action Supported Resource Types
view * (all)
edit * (all), deployment, statefulset, daemonset, replicaset, jobs, cronjob, configmap, secret, service, ingress
delete * (all), deployment, statefulset, daemonset, replicaset, jobs, cronjob, pvc, pv, storageclasse, secret, service, ingress
scale deployment, statefulset
restart deployment, statefulset, daemonset
manage users, monitors, integrations
run cronjob
rerun job
exec pod

Please note:

  • view:all permission is required in any policy to allow viewing anything in Komodor, you can limit the allowed access using the Resources clause
  • manage permissions cannot be scoped, once provided the user will have access to manage all resources of the provided category
  • Only account-admins or users with manage:users permission can see the Roles & Policies pages under in the settings section

Resources

A list of resources, formatted as follows:

{
    "cluster": "*",
    "namespaces": []
}

The cluster clause supports specifying a specific cluster or "*" (any).
The namespaces clause is optional and allows specifying a list of one or more namespaces.

Policy Examples

1 - The following policy allows performing the following actions on resources running in the kube-system namespaces on all clusters and on namespaces brain and k8s-watcher on the cluster named main
- Deletion of Pods
- Scaling all supported resource types
- Restarting all supported resource types

[
    {
        "actions": [
            "view:all"
            "delete:pod",
            "scale:deployment",
            "restart:deployment",
        ],
        "resources": [
            {
                "cluster": "main",
                "namespaces": [
                "brain",
                "k8s-watcher"
                ]
            },
            {
                "cluster": "*",
                "namespaces": [
                "kube-system"
                ]
            }
        ]
    }
]

2 - The following policy allows viewing all resources and managing all Komodor configurations for all clusters

[
    {
        "actions": [
            "view:all"
            "manage:monitors"
        ],
        "resources": [
            {
                "cluster": "*",
            }
        ]
    }
]

Policy Creation

You can easily create new policies using the Komodor platform

  1. Access the settings page
    settings.png
  2. Go to the Policies page
    policies.png
  3. Add policy
    You will now enter a policy creation wizard, you can easily manage your policies with it policy-wizard.png
  4. Create a role associated with this policy
    createrole.png
  5. Associate the role to an existing/new user/s
    adduser.png

Permissive or Restrictive?

In Komodor, policies within a role are additive. If you add multiple policies to a role, we aggregate all the roles.

Because we only have β€˜allow’ permissions, more roles effectively means more permissive.

Was this article helpful?

0 out of 1 found this helpful

Comments

2 comments

  • Comment author
    Logan Kampsnider

    It would be useful to include in this documentation what would happen if you combined multiple statements in a policy, if the statements are evaluated top-down, with the first matching taking effect, or if the entire policy is evaluated for least privilege.

    0
  • Comment author
    Tom

    Hi Logan, Thanks for sharing!
    We've escalated this feedback to the PM team responsible and we'll be sure to make changes where appropriate.Β 
    Thanks!

    0

Please sign in to leave a comment.