This guide provides an overview of role-based access control (RBAC) in Upbound. RBAC lets you control access to your Upbound resources and control planes based on the roles of individual users in your organization.
Enable Upbound RBAC
For administrators who have deployed self-hosted Spaces, you can enable Upbound RBAC at install or upgrade time. Configure the feature in the Spaces helm chart:
--set "features.alpha.upboundRBAC.enabled=true"
Upbound RBAC is enabled by default in Upbound Cloud Spaces.
Authorize access to control plane group resources
Roles
Upbound RBAC roles define sets of permissions with three built-in roles at the group level:
- Admin
- Editor
- Viewer
These roles apply at three levels:
- Organization
- Control Plane Groups
- Control Planes
Upbound RBAC roles have either read-only or read/write access for features. Review the table for permissions for each role:
View group role permissions
- On the Control Planes screen in the Console, select which Space and group context you wish to be in.
- Select the Settings pane of the control plane group.
- In the Team access card of the settings page, view the teams and their permissions for this group.
Use the up CLI to set your kubecontext to the desired Space, then run the following:
kubectl get objectrolebindings
NAME AGE
default-zcntk 14s
Each role permission granted to a team is represented by an objectrolebinding Space API resource.
Assign group role permissions
- On the Control Planes screen in the Console, select which Space and group context you wish to be in.
- Select the Settings pane of the control plane group view.
- Select Add Teams
- Select which role you wish to grant.
- Select which teams you wish to apply the role to, then select the Add Selected to Group button.
Use the up CLI to set your kubecontext to the desired Space, then create an objectrolebinding. The example below gives control plane group editor access to the UpboundTeam with the UUID of 918a6338-abbe-420d-81cf-9e87642a87c6:
apiVersion: authorization.spaces.upbound.io/v1alpha1
kind: ObjectRoleBinding
metadata:
  name: my-binding
  namespace: ctp-group-1
spec:
  object:
    apiGroup: core
    resource: namespaces
    name: ctp-group-1
  subjects:
  - kind: UpboundTeam
    name: 918a6338-abbe-420d-81cf-9e87642a87c6
    role: editor
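An added example, not part of Upbound's documentation or tooling: a Python check that reads the JSON form of the bindings (`kubectl get objectrolebindings -o json`) and reports team grants that go beyond a reviewed policy. The sample data, the `EXPECTED` policy, the placeholder team UUIDs and the admin > editor > viewer ordering are assumptions; the field names follow the manifest above.

```python
import json

# Assumption: privilege ordering of the three built-in roles, lowest first.
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2}
TEAM_A = "918a6338-abbe-420d-81cf-9e87642a87c6"  # UUID used on this page
TEAM_B = "00000000-0000-0000-0000-000000000001"  # constructed placeholder
TEAM_C = "00000000-0000-0000-0000-000000000002"  # constructed placeholder
GROUP_OBJECT = {"apiGroup": "core", "resource": "namespaces", "name": "ctp-group-1"}

# Constructed sample shaped like `kubectl get objectrolebindings -o json` output.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "my-binding", "namespace": "ctp-group-1"},
     "spec": {"object": GROUP_OBJECT, "subjects": [
         {"kind": "UpboundTeam", "name": TEAM_A, "role": "editor"},
         {"kind": "UpboundTeam", "name": TEAM_B, "role": "admin"}]}},
    {"metadata": {"name": "ops-binding", "namespace": "ctp-group-1"},
     "spec": {"object": GROUP_OBJECT, "subjects": [
         {"kind": "UpboundTeam", "name": TEAM_C, "role": "viewer"}]}},
]})

# Hypothetical reviewed policy: highest role each team may hold in each group.
EXPECTED = {"ctp-group-1": {TEAM_A: "viewer", TEAM_C: "viewer"}}


def audit_bindings(raw_json, expected):
    """Return (binding, team, role, reason) for each grant outside the policy."""
    findings = []
    for item in json.loads(raw_json).get("items", []):
        meta = item.get("metadata", {})
        binding, group = meta.get("name", ""), meta.get("namespace", "")
        allowed = expected.get(group, {})
        for subject in item.get("spec", {}).get("subjects", []):
            team = subject.get("name", "")
            role = str(subject.get("role", "")).lower()
            if role not in ROLE_RANK:
                findings.append((binding, team, role, "unknown role"))
            elif team not in allowed:
                findings.append((binding, team, role, "team not in policy"))
            elif ROLE_RANK[role] > ROLE_RANK[allowed[team]]:
                findings.append((binding, team, role, "exceeds " + allowed[team]))
    return findings


if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE, EXPECTED):
        print("\t".join(finding))
```

To run it against a live Space, pass the captured JSON output in place of `SAMPLE` and replace `EXPECTED` with your own reviewed team-to-role mapping.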
Delete group role permissions
- On the Control Planes screen in the Console, select which Space and group context you wish to be in.
- Select the Settings pane of the control plane group view.
- Select the settings button on the right side of the team you wish to delete.
- Select Remove
Use the up CLI to set your kubecontext to the desired Space, then delete the desired objectrolebinding. The example below deletes the permission created in the previous section:
kubectl delete objectrolebinding default-zcntk
objectrolebinding.authorization.spaces.upbound.io "default-zcntk" deleted