This guide explains how to authorize actions on resources in a disconnected Space, on the Kubernetes cluster hosting the Spaces software. With Kubernetes Hub RBAC, you can use traditional Kubernetes RBAC to define roles and permissions.
Enable Kubernetes Hub authorization
To enable Kubernetes Hub Authentication in your Space, you need:
- A Kubernetes cluster with RBAC enabled
- `authorization.hubRBAC` set to `true` (enabled by default)
Users can authenticate to the single-tenant Space with their Kubernetes credentials using this method.
Configure Kubernetes RBAC
To configure Kubernetes RBAC in your Disconnected Space, create ClusterRoles and Roles that define access to your resources. For example:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: controlplane-getter
rules:
  - apiGroups: ["spaces.upbound.io"]
    resources: ["controlplanes"]
    verbs: ["get", "list", "watch"]
```
Next, create ClusterRoleBindings and RoleBindings to assign roles to subjects such as users, groups, or service accounts:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: controlplane-getters
subjects:
  - kind: User
    name: upbound:(user|robot):<username>
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: controlplane-getter
  apiGroup: rbac.authorization.k8s.io
```
The subject in this example can also be a team (`upbound:team:<uuid>`) or an org role (`upbound:org-role:admin|member`), depending on your role needs.
Upbound RBAC integration
You can use the special verbs `admin`, `edit` and `view` to give a subject access to a control plane:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: controlplane-editor
rules:
  - apiGroups: ["spaces.upbound.io"]
    resources: ["controlplanes/k8s"]
    verbs: ["edit"] # or "admin" or "view", depending on access level
```
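To see how the ClusterRoles and bindings above, and the special verbs, combine into an allow or deny decision, here is an added example (not Upbound's code) that evaluates them the way Kubernetes RBAC does. It assumes subject names in the page's `upbound:user:<username>` and `upbound:team:<uuid>` formats, a constructed team UUID, and, as an assumption, that a team subject reaches RBAC as a Group.

```python
# Added example, not Upbound's code: a small evaluator in the style of Kubernetes
# RBAC, answering what `kubectl auth can-i` asks, over the page's ClusterRoles.
# The page's ClusterRoles, written as dicts instead of YAML.
CLUSTER_ROLES = {
    "controlplane-getter": [
        {"apiGroups": ["spaces.upbound.io"], "resources": ["controlplanes"],
         "verbs": ["get", "list", "watch"]},
    ],
    "controlplane-editor": [
        {"apiGroups": ["spaces.upbound.io"], "resources": ["controlplanes/k8s"],
         "verbs": ["edit"]},  # Upbound's special verb; "admin"/"view" bind the same way
    ],
}

# Constructed bindings. No "namespace" key models a ClusterRoleBinding; with
# the key it models a RoleBinding, which only covers requests in that namespace.
# Assumption: the team subject reaches RBAC as a Group (the page shows User).
BINDINGS = [
    {"subjects": [{"kind": "User", "name": "upbound:user:alice"}],
     "roleRef": "controlplane-getter"},
    {"subjects": [{"kind": "Group",
                   "name": "upbound:team:00000000-0000-0000-0000-000000000001"}],
     "roleRef": "controlplane-editor", "namespace": "team-a"},
]

def _rule_matches(rule, api_group, resource, verb):
    """A rule matches when every field lists the requested value or "*"."""
    hit = lambda values, want: "*" in values or want in values
    return (hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))

def _subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False  # ServiceAccount subjects are not modelled here

def can_i(user, groups, verb, resource, namespace=None, api_group="spaces.upbound.io"):
    """Deny by default: True only if a binding for this subject holds a matching rule."""
    for binding in BINDINGS:
        if "namespace" in binding and binding["namespace"] != namespace:
            continue  # RoleBinding for a different namespace
        if not any(_subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        rules = CLUSTER_ROLES.get(binding["roleRef"], [])
        if any(_rule_matches(r, api_group, resource, verb) for r in rules):
            return True
    return False
```

On a live cluster the same question is `kubectl auth can-i get controlplanes.spaces.upbound.io --as upbound:user:alice`, which is worth running after applying a binding to confirm it grants exactly what you intended.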