Hi there
We are currently trying to limit the flux resources which a specific user/group can see & use (e.g. sync).
We tried to apply the following role, but the user doesn't see any resources matching the names specified.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example
  namespace: tenant-1
rules:
  - apiGroups:
      - kustomize.toolkit.fluxcd.io
    resourceNames:
      - example-kustomization
    resources:
      - kustomizations
    verbs:
      - get
      - list
      - watch
      - patch
  - apiGroups:
      - source.toolkit.fluxcd.io
    resourceNames:
      - example-gitrepository
    resources:
      - gitrepositories
    verbs:
      - get
      - list
      - watch
      - patch
```
The following requests over kubectl work:

```sh
kubectl get kustomizations.kustomize.toolkit.fluxcd.io -n tenant-1 example-kustomization
kubectl get gitrepositories.source.toolkit.fluxcd.io -n tenant-1 example-gitrepository
```
Additionally setting

```yaml
# Read access for all other Kubernetes objects
- apiGroups: ["*"]
  resources: ["*"]
  verbs: [ "get", "list", "watch" ]
```

according to the docs, the user can see "too much".
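
Added example, not part of the original issue and not the project's or Kubernetes' own code: a simplified Python model of how Kubernetes RBAC matches a rule that sets `resourceNames`, applied to the Role above. The API server only attaches a name to a `list` or `watch` request when the client sends a `metadata.name` field selector, so an unnamed list of the collection never matches such a rule; that the UI lists the collection without a selector is an assumption here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple
    resource_names: tuple = ()  # empty tuple: rule is not restricted by name

@dataclass(frozen=True)
class Request:
    verb: str
    api_group: str
    resource: str
    name: str = ""  # empty for a list/watch of the whole collection

def _matches(allowed, value):
    return "*" in allowed or value in allowed

def rule_allows(rule, req):
    if not (_matches(rule.verbs, req.verb)
            and _matches(rule.api_groups, req.api_group)
            and _matches(rule.resources, req.resource)):
        return False
    # A rule with resourceNames only matches requests that carry one of them.
    return not rule.resource_names or req.name in rule.resource_names

def is_allowed(rules, req):
    return any(rule_allows(r, req) for r in rules)

VERBS = ("get", "list", "watch", "patch")
KS = ("kustomize.toolkit.fluxcd.io", "kustomizations")
GR = ("source.toolkit.fluxcd.io", "gitrepositories")

# The two rules of the Role from the issue.
ROLE = [
    Rule((KS[0],), (KS[1],), VERBS, ("example-kustomization",)),
    Rule((GR[0],), (GR[1],), VERBS, ("example-gitrepository",)),
]
# The wildcard read rule from the issue.
WILDCARD_READ = Rule(("*",), ("*",), ("get", "list", "watch"))

if __name__ == "__main__":
    for label, req in [
        ("get by name", Request("get", *KS, "example-kustomization")),
        ("list collection", Request("list", *KS)),
        ("list + metadata.name selector", Request("list", *KS, "example-kustomization")),
    ]:
        print(f"{label:32} {is_allowed(ROLE, req)}")
```

Adding `WILDCARD_READ` to the rule set makes the unnamed list pass, but it does so for every resource in the namespace, Secrets included.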