RBAC Configuration

You must configure Kloudfuse to implement RBAC in your deployment.

Copy the following code in your custom-values.yaml file and make necessary edits.

The following sections outline the basic steps and provide examples on how to configure various components of RBAC.

To review general concepts, see Role-Based Access Control (RBAC).

Enable RBAC

The default RBAC policy is fully enabled RBAC with full access.

To enable RBAC, add the following code to the custom-values.yaml file:

    RBACEnabled: true

Default User Role

The default user role for new users in Kloudfuse is Editor.

Admins can change this setting in the UI for individual users. See Assign Roles.

To change the default assignment for new users to Viewer, add the following code to the custom-values.yaml file:

    rbacDefaultUserRole: Viewer

Default Policy

Users who do not have a Policy assigned through the UI get a default level of access, which depends on this configuration (the default allows everything):

    default_rbac_policy: rbac_allow_all

To change the default policy for the various roles, add the following code to the custom-values.yaml file:

    default_rbac_policy: rbac_allow_none

See Change a Policy to set the policy in the UI.

Group and Role synchronization

When users log in through SSO, Kloudfuse synchronizes group membership and roles. You can automate this process.

Availability

  • Okta: SAML or OAuth 2.0

  • Google: SAML only. Google OIDC does not provide group information, so you must perform these configurations manually.

Synchronize Groups

  1. Update your custom-values.yaml configuration file to enable group synchronization:

    user-mgmt-service:
      config:
        EnableOAuthGroupSync: true
        RemoveFromNonOAuthGroups: true  # (1)

    1 RemoveFromNonOAuthGroups: optional. When set to true, users removed from a group in the IdP are also removed from the corresponding group in Kloudfuse when they next log in. Without this flag, or when it is set to false, users removed from groups in the IdP keep those group memberships in Kloudfuse.
  2. Set the scope variable using one of these methods:

    If using existingConfigMap under the kfuse-auth section
    1. Update the corresponding Kubernetes configmap to add the scope line:

      scope = "openid email groups profile"

    2. Run helm upgrade to apply the changes.

    Otherwise
    1. Add the scope line under the extraArgs section of oauth2-proxy in kfuse-auth in your custom-values.yaml file:

      kfuse-auth:
        oauth2-proxy:
          extraArgs:
            scope: "openid email groups profile"

    2. Run helm upgrade to apply the changes.

Synchronize Roles

To synchronize roles, create three special groups in your Identity Provider (IdP):

  • role:Admin

  • role:Editor

  • role:Viewer

You can use a custom group name prefix; see Configure Role Group Prefix.

After a user is added to one of these groups in the IdP, Kloudfuse updates the user’s role correspondingly on the user’s next login.

  • If a user is in the role:Admin group, their role in Kloudfuse is set to Admin.

  • If a user is in the role:Editor group, their role in Kloudfuse is set to Editor.

  • If a user is in the role:Viewer group, their role in Kloudfuse is set to Viewer.

Configure Role Group Prefix

You can replace the default "role:" prefix used in Synchronize Roles with another prefix. Use the OAuthRolePrefix setting in the custom-values.yaml file to prefix the role groups with any keyword.

    user-mgmt-service:
      config:
        OAuthRolePrefix: "<prefix_keyword>:"  # (1)

1 prefix_keyword: any keyword you choose

For example, with the following configuration, Kloudfuse recognizes role groups named with that prefix, such as kfuse_role=Viewer.

    user-mgmt-service:
      config:
        OAuthRolePrefix: "kfuse_role="
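The synchronization rules from Synchronize Groups, Synchronize Roles and Configure Role Group Prefix, modeled as an added Python example so you can check what a login does to a user's groups and role under a given configuration. This is not Kloudfuse's own code: the Config and User classes, the function names, the handling of several role groups at once, and gating role sync on EnableOAuthGroupSync are assumptions made for the example.

```python
"""Model of the SSO group and role synchronization rules described above.

Added illustration, not Kloudfuse code: the Config/User dataclasses and the
function names are assumptions made for this example. Field names mirror the
custom-values.yaml keys from the page (EnableOAuthGroupSync,
RemoveFromNonOAuthGroups, OAuthRolePrefix, rbacDefaultUserRole).
"""
from dataclasses import dataclass, field

# Kloudfuse roles named on the page, most privileged first.
ROLES = ("Admin", "Editor", "Viewer")


@dataclass
class Config:
    enable_oauth_group_sync: bool = False        # EnableOAuthGroupSync
    remove_from_non_oauth_groups: bool = False   # RemoveFromNonOAuthGroups
    oauth_role_prefix: str = "role:"             # OAuthRolePrefix (page default)
    rbac_default_user_role: str = "Editor"       # rbacDefaultUserRole (page default)


@dataclass
class User:
    email: str
    role: str
    groups: set = field(default_factory=set)     # groups as known to Kloudfuse


def new_user(email: str, cfg: Config) -> User:
    """A user seen for the first time gets rbacDefaultUserRole and no groups."""
    return User(email=email, role=cfg.rbac_default_user_role)


def role_from_groups(idp_groups, prefix: str):
    """Return the role named by a '<prefix><Role>' group, or None if absent.

    Only Admin, Editor and Viewer are recognized; '<prefix>Superuser' is ignored.
    Assumption (the page does not cover it): if several role groups are present,
    the most privileged one wins.
    """
    names = {g[len(prefix):] for g in idp_groups if g.startswith(prefix)}
    for role in ROLES:
        if role in names:
            return role
    return None


def sync_on_login(user: User, idp_groups, cfg: Config) -> User:
    """Apply the synchronization rules at SSO login and return the updated user."""
    # Assumption: role sync, like group sync, relies on the IdP sending groups
    # and therefore does nothing unless EnableOAuthGroupSync is on.
    if not cfg.enable_oauth_group_sync:
        return user
    idp_groups = set(idp_groups)
    if cfg.remove_from_non_oauth_groups:
        # Membership mirrors the IdP: groups the IdP dropped are dropped here too.
        user.groups = idp_groups
    else:
        # Groups are only ever added; IdP removals do not propagate.
        user.groups |= idp_groups
    role = role_from_groups(idp_groups, cfg.oauth_role_prefix)
    if role is not None:
        user.role = role
    # No role group in the IdP: the user keeps the role they already had.
    return user


if __name__ == "__main__":
    # Constructed scenario: group sync on, removals propagated, new users are Viewers.
    cfg = Config(enable_oauth_group_sync=True, remove_from_non_oauth_groups=True,
                 rbac_default_user_role="Viewer")
    alice = new_user("alice@example.com", cfg)
    sync_on_login(alice, {"team-sre", "role:Editor"}, cfg)
    print(alice)   # role Editor, groups {'team-sre', 'role:Editor'}
    sync_on_login(alice, {"team-db"}, cfg)
    print(alice)   # role still Editor; team-sre and role:Editor removed
```

The second login in the scenario is the case RemoveFromNonOAuthGroups exists for: with it set to true the user's Kloudfuse groups shrink to what the IdP currently reports, while with it false the groups only ever accumulate. The role is left unchanged on a login that carries no role group, so dropping a user from role:Admin in the IdP does not by itself demote them; add them to the intended role group instead.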