🚀 WorkSpaceAdmin

WorkSpaceAdmin:

The WorkSpaceAdmin role allows its holders to create, update, and delete namespaces. It also grants read and write access to the resources inside those namespaces, with the exception of RBAC-sensitive resources such as ServiceAccounts, Roles, and RoleBindings, so a holder cannot change who else has access to a namespace. This role is intended for application administrators who need to deploy applications to clusters.

apiVersion: rbac-manager.k8smgmt.io/v1
kind: RBACPolicy
metadata:
  name: tc018-preset-rbac
spec:
  version: 1.0.0
  namespaceCreatePolicy: "IfNotPresent"
  customRbacBindings:
    - name: appadmin
      subjects:
        - kind: ServiceAccount
          namespace: app
          name: robot
      presetBindings:
        - roleName: WorkSpaceAdmin
          namespaceSelector:
            matchLabels:
              key1: value1

The YAML snippet above is a complete RBACPolicy custom resource that binds the WorkSpaceAdmin preset role. Its components are as follows:

  • apiVersion and kind: These fields specify the API version and kind of the Custom Resource. In this case, it's an RBACPolicy in the rbac-manager.k8smgmt.io/v1 API version.

  • metadata: This section contains metadata about the RBACPolicy resource, including the name.

  • version: This field specifies the version of the RBACPolicy. In this case, it's set to 1.0.0.

  • namespaceCreatePolicy: This field determines how namespaces should be handled. It can have one of two values:

    • "IfNotPresent": This policy indicates that namespaces should be created if they do not already exist.

    • "Never": This policy indicates that namespaces should never be created, and the RBACPolicy should only work with existing namespaces.

  • customRbacBindings: This section defines custom RBAC bindings. It allows you to associate roles with specific subjects (users, service accounts, etc.). In this case:

    • name: A custom RBAC binding with the name appadmin is defined.

    • subjects: This specifies the subjects to which the RBAC binding applies. In this case, it's a ServiceAccount named robot in the app namespace.

    • presetBindings: This field assigns preset roles to the subjects defined above. Here it assigns WorkSpaceAdmin, which lets the subject create, update, and delete namespaces and gives it read and write access to the resources in those namespaces (except ServiceAccounts, Roles, and RoleBindings, as described above). The binding is not cluster-wide: the namespaceSelector limits it to namespaces that match the given labels or expressions.

    • namespaceSelector: This field defines the criteria for selecting namespaces, based on labels and expressions. Here, only namespaces carrying the label key1: value1 are selected, so the subject gets WorkSpaceAdmin access in those namespaces and nowhere else.

Note that rbac-manager's automatic RBAC reconciliation ensures that your access control rules are consistently enforced both for existing namespaces and for namespaces created in the future that meet the selector criteria.

Inspect the ClusterRole and ClusterRoleBinding created by rbac-manager for the above CRD using the commands below.

Inspect the Role and RoleBinding created by rbac-manager in the namespaces that match the selector using the commands below.
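To make the selector and reconciliation behaviour concrete before you inspect a live cluster, here is an added example written for this page (it is not rbac-manager's own code). POLICY mirrors the tc018-preset-rbac YAML above; the namespace list, the RoleBinding naming scheme, and the sample Role rules are constructed assumptions, and the real object names are whatever your kubectl inspection shows. selector_matches implements the full Kubernetes label-selector semantics (matchLabels plus matchExpressions), which goes beyond the matchLabels-only selector in the page's policy; reconcile shows the desired-state diff that keeps bindings correct as namespaces gain or lose the label; rbac_sensitive_grants is the check a practitioner would run over the generated Role's rules to confirm the ServiceAccount/Role/RoleBinding exclusion actually holds.

```python
"""Offline model of how an RBACPolicy namespaceSelector is reconciled into
per-namespace RoleBindings. Added example, not rbac-manager code: POLICY
mirrors the tc018-preset-rbac YAML above; the namespaces, the RoleBinding
naming scheme and the sample Role rules are constructed assumptions."""

POLICY = {  # same content as the YAML on the page
    "metadata": {"name": "tc018-preset-rbac"},
    "spec": {
        "version": "1.0.0",
        "namespaceCreatePolicy": "IfNotPresent",
        "customRbacBindings": [{
            "name": "appadmin",
            "subjects": [{"kind": "ServiceAccount", "namespace": "app", "name": "robot"}],
            "presetBindings": [{
                "roleName": "WorkSpaceAdmin",
                "namespaceSelector": {"matchLabels": {"key1": "value1"}},
            }],
        }],
    },
}

NAMESPACES = [  # constructed: team-a and team-b match the selector, the others do not
    {"metadata": {"name": "team-a", "labels": {"key1": "value1"}}},
    {"metadata": {"name": "team-b", "labels": {"key1": "value1", "env": "prod"}}},
    {"metadata": {"name": "team-c", "labels": {"key1": "other"}}},
    {"metadata": {"name": "kube-system", "labels": {}}},
]

SAMPLE_ROLE_RULES = [  # constructed: rules a namespace Role for app admins might carry
    {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"], "verbs": ["*"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets"], "verbs": ["*"]},
]

# Namespace-scoped resources the WorkSpaceAdmin description excludes.
RBAC_SENSITIVE = {("", "serviceaccounts"), ("rbac.authorization.k8s.io", "roles"),
                  ("rbac.authorization.k8s.io", "rolebindings")}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def selector_matches(selector, labels):
    """Kubernetes label-selector semantics: all matchLabels AND all matchExpressions."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if ((op == "In" and labels.get(key) not in values)
                or (op == "NotIn" and labels.get(key) in values)
                or (op == "Exists" and key not in labels)
                or (op == "DoesNotExist" and key in labels)):
            return False
    return True


def desired_rolebindings(policy, namespaces):
    """Desired state: one RoleBinding per (binding, preset, matching namespace), keyed
    by (namespace, name). The name scheme is an assumption; the real controller picks
    its own names, which `kubectl get rolebinding` in a matching namespace shows."""
    desired = {}
    pname = policy["metadata"]["name"]
    for binding in policy["spec"]["customRbacBindings"]:
        for preset in binding["presetBindings"]:
            selector = preset.get("namespaceSelector", {})
            for ns in namespaces:
                meta = ns["metadata"]
                if not selector_matches(selector, meta.get("labels") or {}):
                    continue
                name = f"{pname}-{binding['name']}-{preset['roleName'].lower()}"
                desired[(meta["name"], name)] = {
                    "metadata": {"name": name, "namespace": meta["name"]},
                    "subjects": binding["subjects"],
                    "roleRef": {"kind": "ClusterRole", "name": preset["roleName"],
                                "apiGroup": "rbac.authorization.k8s.io"},
                }
    return desired


def reconcile(policy, namespaces, existing):
    """Return (to_create, to_delete): a namespace that gains the label gets a binding,
    and one that no longer matches has its stale binding removed."""
    desired = desired_rolebindings(policy, namespaces)
    return (sorted(k for k in desired if k not in existing),
            sorted(k for k in existing if k not in desired))


def rbac_sensitive_grants(rules):
    """(apiGroup, resource) pairs on which the rules grant write verbs among
    ServiceAccounts, Roles and RoleBindings. Empty means the exclusion holds."""
    found = set()
    for rule in rules:
        if not WRITE_VERBS & set(rule.get("verbs", [])):
            continue
        for group in rule.get("apiGroups", [""]):
            for res in rule.get("resources", []):
                for sgroup, sres in RBAC_SENSITIVE:
                    if group in (sgroup, "*") and res in (sres, "*"):
                        found.add((sgroup, sres))
    return sorted(found)
```

On a live cluster, the counterpart of desired_rolebindings is listing the RoleBindings in a labelled namespace and confirming that an unlabelled namespace has none, and the counterpart of rbac_sensitive_grants is an impersonated permission check such as `kubectl auth can-i create rolebindings -n <namespace> --as=system:serviceaccount:app:robot`, which should answer "no" for the robot ServiceAccount in every namespace (these commands are my suggestion, not the page's).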