Introduction
Komodor allows assigning users with Roles to control their access and permissions (such as what data they can read or which resources they can modify).
Komodor Roles
Roles are built from one or more policies.
Built-in Roles
- account-admin - has full permissions on the account
- viewer - has access to view all resources on the account
- developer - has access to view all resources and perform the following basic actions:
"delete:pod",
"scale:deployment",
"scale:statefulset",
"restart:deployment",
"restart:statefulset",
"rerun:job"
Learn more about actions
Please note - The built-in account-admin role and policy cannot be modified, there has to be at-least one account-admin on the account, the last account-admin cannot be removed or provided with a different role.
Temporary Roles
Temporary roles are role attachments with an expiration date. When the expiration date is reached. roles are automatically detached from the user.
An example use-case for temporary roles can be access to an on-call role which grants permissions on a wider scope, or a short-lived access required for a specific project.
To attach a temporary role to a user:
- Access the settings page
- Go to the Users tab
- For the specific user, Click the Edit button
- Click Save
Komodor Policies
Policies define a set of actions & resources they can performed at.
A policy is built from a statement, formatted as follows:
[
{
"actions": [],
"resources": []
},
{
"actions": [],
"resources": []
}
]
Please note: The creation of Multi Statement Policies is not supported within Komodor, but the functionality can be achieved by creating multiple single-statement Policy resources and adding these to a single Role - a Role can have multiple policies.
Actions
A list of allowed actions, formatted as follows:action:supported-resource-type
List of the supported combinations:
Action | Supported Resource Types |
---|---|
view | * (all) |
edit | * (all), deployment, statefulset, daemonset, replicaset, jobs, cronjob, configmap, secret, service, ingress |
delete | * (all), deployment, statefulset, daemonset, replicaset, jobs, cronjob, pvc, pv, storageclasse, secret, service, ingress |
scale | deployment, statefulset |
restart | deployment, statefulset, daemonset |
manage | users, monitors, integrations |
run | cronjob |
rerun | job |
exec | pod |
Please note:
-
view:all
permission is required in any policy to allow viewing anything in Komodor, you can limit the allowed access using the Resources clause -
manage
permissions cannot be scoped, once provided the user will have access to manage all resources of the provided category - Only
account-admin
s or users withmanage:users
permission can see the Roles & Policies pages under in the settings section
Resources
A list of resources, formatted as follows:
{
"cluster": "*",
"namespaces": []
}
The cluster clause supports specifying a specific cluster or "*" (any).
The namespaces clause is optional and allows specifying a list of one or more namespaces.
Policy Examples
1 - The following policy allows performing the following actions on resources running in the kube-system namespaces on all clusters and on namespaces brain and k8s-watcher on the cluster named main
- Deletion of Pods
- Scaling all supported resource types
- Restarting all supported resource types
[
{
"actions": [
"view:all"
"delete:pod",
"scale:deployment",
"restart:deployment",
],
"resources": [
{
"cluster": "main",
"namespaces": [
"brain",
"k8s-watcher"
]
},
{
"cluster": "*",
"namespaces": [
"kube-system"
]
}
]
}
]
2 - The following policy allows viewing all resources and managing all Komodor configurations for all clusters
[
{
"actions": [
"view:all"
"manage:monitors"
],
"resources": [
{
"cluster": "*",
}
]
}
]
Policy Creation
You can easily create new policies using the Komodor platform
- Access the settings page
- Go to the Policies page
- Add policy
You will now enter a policy creation wizard, you can easily manage your policies with it - Create a role associated with this policy
- Associate the role to an existing/new user/s
Permissive or Restrictive?
In Komodor, policies within a role are additive. If you add multiple policies to a role, we aggregate all the roles.
Because we only have βallowβ permissions, more roles effectively means more permissive.
Comments
2 comments
It would be useful to include in this documentation what would happen if you combined multiple statements in a policy, if the statements are evaluated top-down, with the first matching taking effect, or if the entire policy is evaluated for least privilege.
Hi Logan, Thanks for sharing!
We've escalated this feedback to the PM team responsible and we'll be sure to make changes where appropriate.Β
Thanks!
Please sign in to leave a comment.