Overview

By default, the Plural Console embedded Kubernetes dashboard ships with closed permissions. You'll need to gradually add RBAC rules to users or groups as you want to carefully expand access throughout the system.

In addition, Plural's built-in Continuous Deployment engine allows you to ship these rules seamlessly to all clusters in your fleet, or to any subset of clusters. We'll show you how to set up a basic cluster-admin role for SRE personnel on your team, but the basics can be reworked for any other set of RBAC rules

Define an RBAC service

We'll make a simple folder of RBAC rules under services/rbac in your repo. To start, let's define a rule for the sre group like so, under services/rbac/sre.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sre-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: sre

This role references the sre group in the Plural Console, which you can also configure to sync with your upstream identity provider or SSO. For the purposes of the walkthrough, you can also manually create that group by navigating to Settings > User Management > Groups or going to https://{you-console-instance}/settings/user-management/groups

If you want to add other rules, say for a specific user, feel free to add them in that folder as well, eg you could add a rule services/rbac/michael.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sre-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: michael@example.com