Fine-grained access control examples

APPUiO Cloud allows fine-grained control over which projects a user may access through standard RBAC roles.

This is useful for organizations that have multiple projects and want to restrict some users' access to only certain projects.

You can either create teams, which show up as OpenShift groups named organization+team, or assign users directly.

The examples below assume the following structure:

mycompany (organization)
β”œβ”€β”€ mycompany-user1 (user)
β”œβ”€β”€ developers (team)
└── operations (team)

Prerequisites for all examples

For this guide, it’s assumed that:

  • You are logged in to APPUiO Cloud using the oc login command.

User may access only certain projects in the organization

OpenShift has no notion of group hierarchy: being a member of a team does not make the user a member of the organization, and the other way round. The user therefore needs to be a member of every group that the project's RoleBindings grant access to.

There are two relevant RoleBindings in each Namespace:

  • admin - allows the user to manage most resources in the Namespace
  • namespace-owner - allows the user to manage (including delete) the Namespace itself

The steps below only change the admin RoleBinding.

  1. Remove the user from the mycompany organization

  2. Add the user to the developers team

    The hierarchy should now look like this:

    mycompany (organization)
    β”œβ”€β”€ developers (team)
    β”‚   └── mycompany-user1 (user)
    └── operations (team)
  3. Allow only the organization group mycompany and the team group mycompany+developers access to your project

    ORGANIZATION=mycompany
    TEAM=developers
    PROJECT=mycompany-web-portal
    
    # The patch replaces the complete subjects list of the admin RoleBinding,
    # so every group or user not listed here loses the admin role.
    oc -n "${PROJECT}" patch rolebinding admin -oyaml --patch "
    subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: Group
        name: ${ORGANIZATION}
      - apiGroup: rbac.authorization.k8s.io
        kind: Group
        name: ${ORGANIZATION}+${TEAM}
    "
    The user can also be referenced directly instead of the team:

      ORGANIZATION=mycompany
      USER=mycompany-user1
      PROJECT=mycompany-web-portal
      
      # As above, the patch replaces the whole subjects list; the organization
      # group stays listed so the remaining organization members keep admin.
      oc -n "${PROJECT}" patch rolebinding admin -oyaml --patch "
      subjects:
        - apiGroup: rbac.authorization.k8s.io
          kind: Group
          name: ${ORGANIZATION}
        - apiGroup: rbac.authorization.k8s.io
          kind: User
          name: ${USER}
      "

User may not create new projects in their organization

  1. Remove the user from the organization group

  2. Add the user to a team that has access to the required projects

    The hierarchy should now look like this:

    mycompany (organization)
    β”œβ”€β”€ developers (team)
    β”‚   └── mycompany-user1 (user)
    └── operations (team)
        └── mycompany-user1 (user)
  3. Allow access to the required projects
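As an added example (not code from the APPUiO Cloud documentation), the following Python script reproduces the subjects patch used in step 3 of both procedures above and audits the admin RoleBinding that oc get rolebinding admin -n <project> -o json prints, reporting every group or user that still holds the admin role although it is not in the intended subject list, and every intended subject that is missing. The embedded RoleBinding is a constructed sample in which the operations team was granted admin earlier and never removed; the function names and the audit.py file name are assumptions made for illustration.

```python
"""Audit who holds the admin role in an APPUiO Cloud project.

Added example, not code from the APPUiO Cloud documentation. It reproduces the
subjects patch used in the steps above and compares it with the RoleBinding
that `oc get rolebinding admin -n <project> -o json` prints. All names below
(build_subjects_patch, audit_binding, the sample data) are illustrative.
"""
import json
import sys

RBAC_API_GROUP = "rbac.authorization.k8s.io"


def subject(kind: str, name: str) -> dict:
    """One RoleBinding subject in the shape the oc patch above uses."""
    return {"apiGroup": RBAC_API_GROUP, "kind": kind, "name": name}


def build_subjects_patch(organization: str, *, teams=(), users=()) -> dict:
    """Strategic-merge patch that sets the complete subject list.

    `subjects` on a RoleBinding is an atomic list, so `oc patch` (default
    type: strategic) replaces it. Whoever is not listed here loses the role,
    which is the intended effect of "allow only ...".
    """
    subjects = [subject("Group", organization)]
    subjects += [subject("Group", f"{organization}+{team}") for team in teams]
    subjects += [subject("User", user) for user in users]
    return {"subjects": subjects}


def load_rolebinding(text: str) -> dict:
    """Parse `oc get rolebinding ... -o json` output."""
    rolebinding = json.loads(text)
    if rolebinding.get("kind") != "RoleBinding":
        raise ValueError(f"expected a RoleBinding, got {rolebinding.get('kind')!r}")
    return rolebinding


def audit_binding(rolebinding: dict, intended: dict) -> dict:
    """Compare the live subjects with the patch you intended to apply.

    'unexpected' subjects still hold the role although they should not;
    'missing' subjects mean the patch did not land or was changed later.
    """
    def as_set(subjects):
        return {(s["kind"], s["name"]) for s in subjects}

    actual = as_set(rolebinding.get("subjects") or [])
    wanted = as_set(intended["subjects"])
    return {
        "unexpected": sorted(actual - wanted),
        "missing": sorted(wanted - actual),
        "ok": actual == wanted,
    }


# Constructed sample: the admin RoleBinding of mycompany-web-portal after an
# earlier grant to the operations team that nobody revoked.
SAMPLE_ROLEBINDING_JSON = """
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "RoleBinding",
  "metadata": {"name": "admin", "namespace": "mycompany-web-portal"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "admin"},
  "subjects": [
    {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "mycompany"},
    {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "mycompany+operations"}
  ]
}
"""


def main() -> int:
    intended = build_subjects_patch("mycompany", teams=["developers"])
    # Real use: oc get rolebinding admin -n mycompany-web-portal -o json | python3 audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROLEBINDING_JSON
    result = audit_binding(load_rolebinding(text), intended)
    for kind, name in result["unexpected"]:
        print(f"UNEXPECTED admin subject: {kind} {name}")
    for kind, name in result["missing"]:
        print(f"MISSING admin subject:    {kind} {name}")
    print("admin RoleBinding matches the intended subjects" if result["ok"]
          else "admin RoleBinding differs from the intended subjects")
    return 0 if result["ok"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the oc output piped in to check a real project; a non-zero exit code means either that someone still holds admin whom the patch was meant to exclude, or that the patch was never applied. Since the patch replaces the whole subjects list, keep the organization group in it unless you really want the remaining organization members to lose admin on that project.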