Cluster administrators can grant permissions on the resources defined by existing cluster-scoped Custom Resource Definitions (CRDs). If you use the admin, edit, and view default cluster roles, take advantage of cluster role aggregation to add the CRD rules to those roles. Do not edit the rules of the default roles directly: they carry an aggregationRule, and the aggregation controller overwrites any rules set on them by hand.
Important

You must explicitly assign permissions to each of these roles. The roles with more permissions do not inherit rules from roles with fewer permissions. If you assign a rule to a role, you must also assign that verb to roles that have more permissions. For example, if you grant the
- Create a cluster role definition file for the CRD. The cluster role definition is a YAML file that contains the rules that apply to each cluster role. The cluster's role aggregation controller adds the rules that you specify to the default cluster roles.

  Example YAML file for a cluster role definition:

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1 # (1)
metadata:
  name: aggregate-cron-tabs-admin-edit # (2)
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true" # (3)
    rbac.authorization.k8s.io/aggregate-to-edit: "true" # (4)
rules:
- apiGroups: ["stable.example.com"] # (5)
  resources: ["crontabs"] # (6)
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"] # (7)
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aggregate-cron-tabs-view # (2)
  labels:
    # Add these permissions to the "view" default role.
    rbac.authorization.k8s.io/aggregate-to-view: "true" # (8)
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" # (9)
rules:
- apiGroups: ["stable.example.com"] # (5)
  resources: ["crontabs"] # (6)
  verbs: ["get", "list", "watch"] # (7)
```
  1. Use the rbac.authorization.k8s.io/v1 API.
  2. Specify a name for the definition.
  3. Specify this label to grant permissions to the admin default role.
  4. Specify this label to grant permissions to the edit default role.
  5. Specify the group name of the CRD.
  6. Specify the plural name of the CRD that these rules apply to.
  7. Specify the verbs that represent the permissions that are granted to the role. For example, apply read and write permissions to the admin and edit roles and only read permission to the view role.
  8. Specify this label to grant permissions to the view default role.
  9. Specify this label to grant permissions to the cluster-reader default role. cluster-reader is an OpenShift role that grants read access across all namespaces, so this label exposes the CRD's resources cluster-wide to every subject bound to it.
- Create the cluster role:

  $ oc create -f <file_name>.yaml
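The following is an added example, not OpenShift or Kubernetes code, that simulates what the aggregation controller does with the two ClusterRoles above and lints the rule from the Important note (a verb given to view must also be present on edit and admin). The selector table is a constructed simplification of the real aggregationRule on each default role, the CRD roles are the page's YAML as Python dicts, and the backups CRD in VIEW_ONLY_MISTAKE is a hypothetical role added only to show the lint catching a view-only grant.

```python
"""Simulate ClusterRole aggregation and lint the view/edit/admin ordering rule.

Added example for this page, not OpenShift or Kubernetes code. The selectors
below are a constructed simplification of the aggregationRule on the default
roles; the CRD roles mirror the YAML on this page.
"""
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str]  # (apiGroup, resource)

# Constructed: the label each default role aggregates. On a live cluster, the
# real selectors are in `oc get clusterrole admin -o yaml` under .aggregationRule.
DEFAULT_ROLE_SELECTORS: Dict[str, Dict[str, str]] = {
    "admin": {"rbac.authorization.k8s.io/aggregate-to-admin": "true"},
    "edit": {"rbac.authorization.k8s.io/aggregate-to-edit": "true"},
    "view": {"rbac.authorization.k8s.io/aggregate-to-view": "true"},
    "cluster-reader": {"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"},
}

# The two ClusterRoles from the YAML on this page, as plain dicts.
PAGE_ROLES: List[dict] = [
    {
        "name": "aggregate-cron-tabs-admin-edit",
        "labels": {
            "rbac.authorization.k8s.io/aggregate-to-admin": "true",
            "rbac.authorization.k8s.io/aggregate-to-edit": "true",
        },
        "rules": [{"apiGroups": ["stable.example.com"], "resources": ["crontabs"],
                   "verbs": ["get", "list", "watch", "create", "update",
                             "patch", "delete", "deletecollection"]}],
    },
    {
        "name": "aggregate-cron-tabs-view",
        "labels": {
            "rbac.authorization.k8s.io/aggregate-to-view": "true",
            "rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true",
        },
        "rules": [{"apiGroups": ["stable.example.com"], "resources": ["crontabs"],
                   "verbs": ["get", "list", "watch"]}],
    },
]

# Constructed mistake: a hypothetical CRD granted to view only, which breaks the
# rule that edit and admin must also carry every verb given to view.
VIEW_ONLY_MISTAKE: dict = {
    "name": "aggregate-backups-view",
    "labels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"},
    "rules": [{"apiGroups": ["stable.example.com"], "resources": ["backups"],
               "verbs": ["get", "list", "watch"]}],
}

# Least to most privileged; used by the lint below.
PRIVILEGE_ORDER = ["view", "edit", "admin"]


def aggregate(roles: List[dict],
              selectors: Dict[str, Dict[str, str]]) -> Dict[str, Dict[Key, Set[str]]]:
    """Union the rules of every role whose labels match a default role's selector.

    A role contributes to a default role only if it carries that role's label,
    so nothing flows from view to edit or from edit to admin by itself.
    """
    result: Dict[str, Dict[Key, Set[str]]] = {name: {} for name in selectors}
    for role in roles:
        for target, match in selectors.items():
            if all(role["labels"].get(k) == v for k, v in match.items()):
                for rule in role["rules"]:
                    for group in rule["apiGroups"]:
                        for resource in rule["resources"]:
                            result[target].setdefault((group, resource), set()).update(rule["verbs"])
    return result


def lint_privilege_order(aggregated: Dict[str, Dict[Key, Set[str]]],
                         order: List[str] = PRIVILEGE_ORDER) -> List[tuple]:
    """Report verbs a lower role holds that the next higher role lacks.

    Returns (lower, higher, apiGroup, resource, sorted missing verbs) tuples;
    an empty list means the default roles are consistent.
    """
    problems = []
    for lower, higher in zip(order, order[1:]):
        for key, verbs in aggregated[lower].items():
            missing = verbs - aggregated[higher].get(key, set())
            if missing:
                problems.append((lower, higher, key[0], key[1], sorted(missing)))
    return problems


if __name__ == "__main__":
    ok = aggregate(PAGE_ROLES, DEFAULT_ROLE_SELECTORS)
    for name in ("admin", "edit", "view", "cluster-reader"):
        print(name, ok[name])
    print("page roles:", lint_privilege_order(ok))
    bad = aggregate(PAGE_ROLES + [VIEW_ONLY_MISTAKE], DEFAULT_ROLE_SELECTORS)
    print("with view-only role:", lint_privilege_order(bad))
```

With the page's two roles the lint returns nothing; adding the view-only role reports that edit is missing get, list and watch on backups, which is exactly the state the Important note warns about. On a real cluster the equivalent checks are `oc get clusterrole admin -o yaml` (the aggregated rules appear in the default role's rules list, while the aggregate-cron-tabs-* objects are left unchanged) and `oc auth can-i list crontabs.stable.example.com --as=<user>` for a subject bound to each role.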