Fine grained access control examples

APPUiO Cloud allows fine-grained control over which projects a user may access through standard RBAC roles.

This is useful for organizations that have multiple projects and want to restrict some users access to only certain projects.

You can either create Teams, which show up as an OpenShift group organization+team or assign users directly.

The examples below assume the following structure:

mycompany (organization)
β”œβ”€β”€ mycompany-user1 (user)
β”œβ”€β”€ developers (team)
└── operations (team)

Prerequisites for all examples

For this guide, it’s assumed that:

  • You are logged in to APPUiO Cloud using the oc login command.

User may access only certain projects in the organization

OpenShift has no notion of group hierarchy, so you need to add the user to all groups that should have access to the project.

There are two relevant RoleBindings in each Namespace: * admin - allows the user to manage most resources in the Namespace * namespace-owner - allows the user to manage (including delete) the Namespace itself

  1. Remove the user from the mycompany organization

  2. Add the user to the developers team

    The hierarchy should now look like this:

    mycompany (organization)
β”œβ”€β”€ developers (team)
β”‚   └── mycompany-user1 (user)
└── operations (team)

  3. Allow only organization mycompany and team mycompany+developers access to your project

    ORGANIZATION=mycompany
TEAM=developers
PROJECT=mycompany-web-portal

oc -n "${PROJECT}" patch rolebinding admin -oyaml --patch """
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: ${ORGANIZATION}
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: ${ORGANIZATION}+${TEAM}
"""

    1. The user can be referenced directly as well.

      ORGANIZATION=mycompany
USER=mycompany-user1
PROJECT=mycompany-web-portal

oc -n "${PROJECT}" patch rolebinding admin -oyaml --patch """
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: ${ORGANIZATION}
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: ${USER}
"""

User may not create new projects in their organization

  1. Remove the user from the organization group

  2. Add the user to a team that has access to the required projects

    The hierarchy should now look like this:

    mycompany (organization)
β”œβ”€β”€ developers (team)
β”‚   └── mycompany-user1 (user)
└── operations (team)
    └── mycompany-user1 (user)

  3. Allow access to the required projects

    See User may access only certain projects in the organization for an example.