Kubernetes RBAC

This guide provides an overview of Kubernetes role-based access control (RBAC) in Upbound. RBAC allows you to regulate access to your Upbound resources and control planes based on the roles of individual users within your organization.

Enable Kubernetes Hub authorization

To enable Kubernetes Hub Authentication in your Space, you need:

  • A Kubernetes cluster with RBAC enabled
  • authorization.hubRBAC set to true (enabled by default)

Users can authenticate to the single-tenant Space with their Kubernetes credentials using this method.

Configure Kubernetes RBAC

To configure Kubernetes RBAC in your Disconnected Space, create ClusterRoles and Roles that define the access you want to grant to your resources. For example:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: controlplane-getter
rules:
- apiGroups: ["spaces.upbound.io"]
  resources: ["controlplanes"]
  verbs: ["get", "list", "watch"]

Next, create ClusterRoleBindings and RoleBindings to assign roles to subjects like users, groups, or service accounts:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: controlplane-getters
subjects:
- kind: User
  name: upbound:(user|robot):<username>
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: controlplane-getter
  apiGroup: rbac.authorization.k8s.io

The subject name in this example can also refer to a team (upbound:team:<uuid>) or an organization role (upbound:org-role:admin|member), depending on who needs the access.

Upbound RBAC integration

You can use the special verbs admin, edit and view to grant a subject a given level of access to a control plane:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: controlplane-editor
rules:
- apiGroups: ["spaces.upbound.io"]
  resources: ["controlplanes/k8s"]
  verbs: ["edit"] # or "admin" or "view", depending on access level
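The following script is an added example, not code from the Upbound documentation or project. It ties together the two pieces above: it builds a ClusterRoleBinding for subjects named in the Upbound forms (upbound:user:<username>, upbound:robot:<username>, upbound:team:<uuid>, upbound:org-role:admin|member), rejecting any other name before it is applied, and it lints a ClusterRole so that controlplanes/k8s rules use only the special verbs admin, edit and view, flagging wildcard verbs that would grant every access level at once. Manifests are handled as Python dicts rather than YAML text to keep the script dependency-free; the UUID shape assumed for team names and the "no whitespace in <username>" rule are assumptions made here, not rules stated on the page.

```python
import re

# Subject-name forms named on the page: upbound:(user|robot):<username>,
# upbound:team:<uuid> and upbound:org-role:admin|member. The UUID shape and the
# "no whitespace in <username>" rule are assumptions made for this check.
UUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
SUBJECT_RE = re.compile(
    r"^upbound:(?:(?:user|robot):\S+|team:" + UUID + r"|org-role:(?:admin|member))$"
)

# Special verbs the page describes for controlplanes/k8s.
CONTROL_PLANE_VERBS = {"admin", "edit", "view"}
UPBOUND_GROUP = "spaces.upbound.io"


def valid_subject(name: str) -> bool:
    """True when the subject name is in one of the Upbound forms above."""
    return SUBJECT_RE.match(name) is not None


def make_binding(name: str, role: str, subjects: list[tuple[str, str]]) -> dict:
    """Build a ClusterRoleBinding (as a dict) binding ClusterRole `role` to the
    given (kind, name) subjects; refuses names outside the Upbound forms."""
    bad = [n for _, n in subjects if not valid_subject(n)]
    if bad:
        raise ValueError(f"subject names not in Upbound form: {bad}")
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "subjects": [
            {"kind": kind, "name": n, "apiGroup": "rbac.authorization.k8s.io"}
            for kind, n in subjects
        ],
        "roleRef": {
            "kind": "ClusterRole",
            "name": role,
            "apiGroup": "rbac.authorization.k8s.io",
        },
    }


def lint_rules(cluster_role: dict) -> list[str]:
    """Report rules on spaces.upbound.io resources that are broader than intended:
    wildcard verbs (which match every verb, the special ones included) and
    controlplanes/k8s rules that use verbs other than admin/edit/view."""
    findings = []
    for rule in cluster_role.get("rules", []):
        if UPBOUND_GROUP not in rule.get("apiGroups", []):
            continue
        verbs = set(rule.get("verbs", []))
        for res in rule.get("resources", []):
            if "*" in verbs:
                findings.append(f"{res}: wildcard verb grants every access level")
            elif res == "controlplanes/k8s" and not verbs <= CONTROL_PLANE_VERBS:
                extra = sorted(verbs - CONTROL_PLANE_VERBS)
                findings.append(f"{res}: verbs {extra} are not admin/edit/view")
    return findings


# Constructed sample manifests (as dicts) mirroring the page's examples.
EDITOR_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "controlplane-editor"},
    "rules": [
        {"apiGroups": [UPBOUND_GROUP], "resources": ["controlplanes/k8s"], "verbs": ["edit"]}
    ],
}
# Constructed over-broad role: a stray "get" on controlplanes/k8s and a wildcard verb.
OVERBROAD_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "controlplane-everything"},
    "rules": [
        {"apiGroups": [UPBOUND_GROUP], "resources": ["controlplanes/k8s"], "verbs": ["get", "edit"]},
        {"apiGroups": [UPBOUND_GROUP], "resources": ["controlplanes"], "verbs": ["*"]},
    ],
}

if __name__ == "__main__":
    binding = make_binding(
        "controlplane-editors",
        "controlplane-editor",
        [("User", "upbound:user:alice"), ("User", "upbound:org-role:admin")],
    )
    print(binding["subjects"])
    print(lint_rules(EDITOR_ROLE))     # []
    print(lint_rules(OVERBROAD_ROLE))  # two findings
```

Run the lint against every ClusterRole before binding it: a binding to an over-broad role hands the subject more than the admin/edit/view level you intended, and the subject-name check stops a typo such as a bare username from creating a binding that silently matches nobody.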