Organizations and RBAC

Each OpenShift Project (Kubernetes Namespace) belongs to an organization, indicated by the label appuio.io/organization on the Namespace and Project objects.

The organization is also reflected as a Group object in the APPUiO Zone and is used to assign default RBAC rules.

Default RBAC rules

On Namespace creation, a number of RBAC rules are created.

  • A RoleBinding called admin which grants the creator of the Namespace the ClusterRole called admin. This roles allows the creator to create, get, or modify nearly every resource in the Namespace.

  • A RoleBinding called organization-admin which also grants the organization the admin role.

  • A RoleBinding called namespace-owner which gives the organization the permission to edit the created Namespace by granting the organization the ClusterRole namespace-owner.

  • Two RoleBinding resources called monitoring-edit and monitoring-edit-probe which give the organization the permission to manage user workload monitoring related resources.

  • A RoleBinding called alert-routing-edit which gives the organization the permission to configure alert routing rules in the user workload monitoring stack.

The user is free to modify or delete any of the RoleBindings and handle access control themselves.

Be sure to not lock yourself out! Nothing will stop you from removing access to created projects.

Organization Membership

APPUiO Cloud provides self-management of organizations and organization membership through the APPUiO Cloud Webportal.

Transfer Projects

There is the option to move a project from one organization to another. This can be done by setting the label appuio.io/organization on the Namespace of the project to the name of the target organization. This needs to be done by someone in the target organization with the permission to edit the Namespace, usually by someone that’s part of both organizations.

As an example:

Let foo be a namespace that belongs to the organization purple-fox. If a user is part of the organization purple-fox and carbon-fund, they can transfer the namespace foo to organization carbon-fund, by setting the label appuio.io/organization on the namespace foo to carbon-fund.

This will transfer the project to the new organization and affect, among other things, billing. It will however not update any RBAC rules. You will need to manually change these.

The transferring user doesn’t necessarily need to be in the source organization, they simply need to have permission to edit the namespace and need to be in the target organization. This means namespaces can be transferred between organizations that don’t share any users.