RBAC & Workspaces Updates

Overview

Komodor is introducing significant enhancements to Role-Based Access Control (RBAC) and Workspaces to help platform teams operate more securely, scale access with confidence, and gain greater visibility across complex Kubernetes environments.

RBAC – Role-Based Access Control

New Features & Capabilities:

• Granular policy definitions using clusters, namespaces, and labels/annotations.
• Wildcards and exclusions are supported in naming patterns.
• Label/Annotation-Based RBAC for Cluster-Wide Resources (e.g., Nodes, PVs, CRDs).
• Full API & Terraform support for policy management.
• Enhanced Web UX for simplified access configuration.

New Outcomes:

• Manage access dynamically at scale with automation tooling.
• Align RBAC with organisational structure and multi-tenant models.

Important Changes & Deprecations:

• Cluster tag-based policies will be deprecated and replaced with naming patterns.
• New 'view' permissions were introduced for add-ons and cost optimisation screens.

Workspaces

New Features & Capabilities:

• Workspace creation using clusters, namespaces, and labels/annotations.
• Advanced naming patterns with wildcards and exclusions.
• API & Terraform support for automation.
  • Workspaces V2 API docs
  • Workspaces V2 Terraform docs
• Workspace navigation selector will include only workspaces that contain resources the user has permission to access
• Dedicated Workspace Management Screen.

New Outcomes:

• Streamlined navigation and workspace visibility.
• Secure, permission-aligned access to relevant resources only.
• Better alignment with how organisations structure their environments within Komodor.

Important Changes & Deprecations:

• Static scope workspace type will be removed.
• Workspaces with a scope type of labels/annotations will only include defined resources (via labels/annotations defined in Tracked Keys)
• Tracked Keys are label or annotation keys monitored by Komodor, enabling you to define RBAC and Workspaces based on specific labels or annotations. Each account can configure up to 10 Tracked Keys, with no limit on the number of values or combinations.
• Workspace selector dropdown will filter by user permissions.
• Cost page is limited to applicable workspace scopes (clusters and namespaces)

Rollout & Migration

We’re working closely with each customer to ensure a seamless and timely transition to RBAC V2 and the new Workspaces model, aligned with your team’s operations.

The rollout will be handled collaboratively to match your internal timelines and operational requirements.

RBAC Migration:

• Automatic Migration: All existing RBAC policies can be auto-migrated, except those based on tags.
   
• Manual Migration Required:
   
  • Policies using tag-based rules must be manually recreated using the new naming pattern-based approach.
  • Customers using API or Terraform for managing RBAC policies must migrate manually to the new RBAC V2 API/Terraform interfaces.
  • Documentation is available here
    • RBAC Policy V2 API docs
    • RBAC Policy V2 Terraform Examples

Workspaces Migration:

• Cluster groups, namespace-based, and single-label Workspaces can be automatically migrated.
• Workspaces with the deprecated Static Scope type will need to be recreated using the new label/annotation-based scoping model.

• To support a seamless transition, V1 and V2 workspace views will be available side-by-side during the migration period.

   

  Link to full docs