Enable and configure access control
For more information about Upbound’s Space offerings, review What is Upbound.

This guide introduces role-based access control (RBAC) in Upbound. RBAC allows you to control access to your Upbound resources and control planes based on the roles of individual users within your organization.

Depending on your operational model, you can use Upbound RBAC (with Connected or Cloud Spaces) or Kubernetes Hub Authorization (Single-Tenant Connected or Disconnected Spaces) to manage your users access within Upbound or the underlying resources.

Identity types

Upbound supports the following identity types:

  • Users - Accounts representing a single user.
  • Organizations - A top-level collection of users and teams.
  • Teams - A sub-group within an organization.
  • Robots - Non-user accounts designed for automation.

Upbound constructs unique identities with upbound:(user|robot|team):<name>.


Upbound issues JSON Web Tokens (JWT) with identity information to authenticate to your platform APIs.

The token includes:

  • a subject (upbound:user/team:<name>)
  • the users team memberships(upbound:team:<UUID>)
  • the organization context(upbound:org-role:(admin|member))


Upbound uses identities to check for authentication across the platform. In the Cloud environment, Upbound grants identities organization roles to control access to features and resources with IAM policies.

In Connected Spaces, you can bind identities to Kubernetes RBAC or Upbound RBAC to control access to resources.

The subject and group claims in the JWT token determine the user’s effective permissions for an API request.

Enable Kubernetes hub authorization

To enable Kubernetes Hub Authentication in your Space, you need:

  • a Kubernetes cluster with RBAC enabled
  • to attach your cluster to Upbound

Users can authenticate to the single-tenant Connected Space with their Kubernetes credentials with this method.

Configure Kubernetes RBAC

To configure Kubernetes RBAC in your Disconnected Space, you need to create ClusterRoles and Roles for defining access to your resources.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
  name: upbound-user
- apiGroups: ["spaces.upbound.io"]
  resources: ["controlplanes"]
  verbs: ["get", "list", "watch"]

Next, create ClusterRoleBindings and RoleBindings to assign roles to subjects like users, groups, or service accounts.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
  name: controlplane-getters
- kind: Group
  name: upbound:(user|robot):<username>
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: controlplane-getter
  apiGroup: rbac.authorization.k8s.io

The subject in this example can contain teams (upbound:team:<uuid>) or org roles (upbound:org-role:admin|member) depending on your role need.

This example creates an controlplane-getter with read permissions on controlplanes and binds the users to the upbound:users group.