Hub RBAC
Important
This guide is only applicable for administrators who’ve deployed self-hosted Spaces. For general RBAC in Upbound, read Upbound RBAC.

This guide explains how to authorize actions on resources in a disconnected Space, on the Kubernetes cluster hosting the Spaces software. With Kubernetes Hub RBAC, you can use traditional Kubernetes RBAC to define roles and permissions.

Enable Kubernetes Hub authorization

To enable Kubernetes Hub Authentication in your Space, you need:

  • A Kubernetes cluster with RBAC enabled
  • authorization.hubRBAC set to true (enabled by default)

Users can authenticate to the single-tenant Space with their Kubernetes credentials using this method.

Configure Kubernetes RBAC

To configure Kubernetes RBAC in your Disconnected Space, you need to create ClusterRoles and Roles for defining access to your resources. For example:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: controlplane-getter
rules:
- apiGroups: ["spaces.upbound.io"]
  resources: ["controlplanes"]
  verbs: ["get", "list", "watch"]

Next, create ClusterRoleBindings and RoleBindings to assign roles to subjects like users, groups, or service accounts:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: controlplane-getters
subjects:
- kind: User
  name: upbound:(user|robot):<username>
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: controlplane-getter
  apiGroup: rbac.authorization.k8s.io

The subject in this example can contain teams (upbound:team:<uuid>) or org roles (upbound:org-role:admin|member) depending on your role needs.

Upbound RBAC integration

You can use the special verbs admin, edit and view for giving a subject access to a control plane:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: controlplane-editor
rules:
- apiGroups: ["spaces.upbound.io"]
  resources: ["controlplanes/k8s"]
  verbs: ["edit"] # or "admin" or "view", depending on access level