Get startedSign in

Add RBAC to the K8s dashboard

Use a simple global service to configure organization wide Kubernetes RBAC for end users

Overview

By default, the Plural Console embedded Kubernetes dashboard ships with closed permissions. You'll need to gradually add RBAC rules to users or groups as you want to carefully expand access throughout the system.

In addition, Plural's built-in Continuous Deployment engine allows you to ship these rules seamlessly to all clusters in your fleet, or to any subset of clusters. We'll show you how to set up a basic cluster-admin role for SRE personnel on your team, but the basics can be reworked for any other set of RBAC rules

Define an RBAC service

We'll make a simple folder of RBAC rules under services/rbac in your repo. To start, let's define a rule for the sre group like so, under services/rbac/sre.yaml:

yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sre-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: sre

This role references the sre group in the Plural Console, which you can also configure to sync with your upstream identity provider or SSO. For the purposes of the walkthrough, you can also manually create that group by navigating to Settings > User Management > Groups or going to https://{you-console-instance}/settings/user-management/groups

Info:

Plural uses a Kubernetes concept called Impersonation to authenticate into an end cluster's API server with an identity that looks exactly like the current users' Plural Console identity. The primary benefit of this is it allows you to mirror your SSO straight into kubernetes itself, rather than deal with cloud-specific authorization complexity.

If you want to add other rules, say for a specific user, feel free to add them in that folder as well, eg you could add a rule services/rbac/michael.yaml:

yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sre-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: michael@example.com