Before you begin
This procedure requires the following configurations and background:
- A Konvoy cluster with Kommander installed.
- An Identity Provider.
- Familiarity with Kubernetes role-based access control principles.
- A configured group in Kommander for project administrators.
Create role-based access control persona
This procedure describes how a cluster administrator can assign project administrator level access to Kubernetes and Kommander resources in the Kommander UI.
- Project admin: these users can administer projects they have specific access to.
If you have not done so already, create a group to represent this persona. For more details on groups, see the Identity Providers page and the Identity Provider tutorial.
At this point, you have already assigned users to the group that represents the persona. You must now change the resource access level for this persona by associating roles with the groups using policies.
Grant workspace access to project admin persona
The Project Admin persona must have view or greater access to the workspace that contains the project.
In the Kommander UI, do the following:
- Select a Workspace in the header drop-down. This must be the workspace that will contain the project your group administers.
- Select Access Control in the side menu.
- Select the Cluster Policies tab.
- Select Add or remove roles and select the Workspace View Role and Kommander Workspace View Role roles.
- Select Save.
Grant project access to project admin persona
The Project Admin persona should have admin access to the project. This allows users to administer all namespaced resources in the project namespace on the management cluster, and all namespaced resources in the project namespace on the target clusters.
In the Kommander UI, do the following:
- Select a Workspace in the header drop-down.
- Select Projects and select or create the project to grant access to.
- Select the Policies tab.
The default role for this persona:
- Kommander Project Admin Role: because this role is of the Kommander Role type, it applies to the management cluster. This role grants admin access to the project namespace on the management cluster.
- Assign this role to the Project Admin group.
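After saving the policies, a cluster administrator can confirm that the group received admin access in the project namespace and no write access outside it. The script below is an added example, not part of the Kommander documentation: it impersonates the group with kubectl auth can-i against the management cluster context, and the caller needs impersonation rights. The group name, the user name and both namespace names are placeholders, and the group name must be given as Kubernetes sees it.

```shell
#!/bin/sh
# Added example: confirm a project admin group's effective access by impersonation.
# Placeholders (assumptions, not from the page): GROUP, USER_NAME and both namespaces.
# Usage: GROUP=<group> sh check-persona.sh <project-namespace> <other-namespace>
KUBECTL="${KUBECTL:-kubectl}"
GROUP="${GROUP:-example-project-admins}"
USER_NAME="${USER_NAME:-persona-check}"   # --as-group requires --as; any name works

# can_i VERB RESOURCE NAMESPACE: prints "yes" or "no" (empty if the call failed).
can_i() {
  # "kubectl auth can-i" exits non-zero on "no", so only the printed answer is used.
  "$KUBECTL" auth can-i "$1" "$2" --namespace "$3" \
    --as "$USER_NAME" --as-group "$GROUP" 2>/dev/null || true
}

# expect WANT VERB RESOURCE NAMESPACE: returns 0 only when the answer equals WANT.
expect() {
  want=$1; shift
  got=$(can_i "$@")
  got=${got:-error}                       # no answer counts as a failure
  if [ "$got" = "$want" ]; then
    echo "ok    want=$want  $1 $2 in $3"
  else
    echo "FAIL  want=$want got=$got  $1 $2 in $3"
    return 1
  fi
}

# verify_project_admin PROJECT_NS OTHER_NS: returns 0 when access matches the persona.
verify_project_admin() {
  rc=0
  # Admin on namespaced resources inside the project namespace.
  expect yes create deployments "$1" || rc=1
  expect yes delete secrets "$1" || rc=1
  # Workspace access is view only, so writes outside the project must be denied.
  expect no create deployments "$2" || rc=1
  expect no delete secrets "$2" || rc=1
  return $rc
}

if [ "$#" -eq 2 ]; then
  verify_project_admin "$1" "$2"
fi
```

A FAIL line on one of the "want=no" checks means the group holds write access beyond the project, usually through another policy that also binds the same group.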