Gloo Mesh provides tools to secure network traffic to your service mesh. To control user access to your Gloo resources, use Gloo workspaces together with Kubernetes role-based access control (RBAC).

Kubernetes access control determines how users can access and configure Gloo Mesh, Istio, and Kubernetes resources.

Native Kubernetes RBAC

To manage how users can access and configure those resources, use native Kubernetes role-based access control (RBAC). You can add the custom Gloo resources to your existing Kubernetes roles or cluster roles, and users who are bound to those roles then get the permissions that you grant. Because RBAC is evaluated separately in each cluster, the roles and bindings must exist in every cluster where the user works. For an example, see Example RBAC configuration.

Wondering how Kubernetes RBAC rules might impact a multicluster scenario with your Gloo resources? Consider the following diagrams.

Example RBAC configuration

Use Kubernetes RBAC to control user access to Gloo resources. One approach might be to modify the default Kubernetes roles for Gloo resources, such as in the following example.

Example RBAC roles by persona

Persona: Pam, Platform Admin
Roles: The cluster-admin cluster role in all clusters in your setup.
Rationale: To install Gloo Mesh Enterprise and Istio in each cluster, and to add users to the clusters.

Persona: Arjay, App Owner
Roles: The cluster-admin cluster role for the cluster, or the admin or edit role for the namespace that has the workspace settings resource.
Rationale: To update the workspace settings that control importing and exporting, and to help manage any Gloo resources that the team wants to export or import.

Persona: Oliver, Operator
Roles: The admin or edit role for each namespace he is responsible for operating.
Rationale: To create Gloo resources such as policies for the namespace. Consider also giving the view role for the namespace with the workspace settings, so that the operator can review what resources are imported from other workspaces, if any.

Persona: Alice, App Developer
Roles: The edit role for each namespace where she needs to deploy her app.
Rationale: To create Kubernetes resources such as a Deployment and Service, or Gloo resources such as a Route Table. Consider also giving the view role for the namespace with the workspace settings, so that the developer can review what resources are imported from other workspaces, if any.
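The following manifest is an added example and not part of the Gloo Mesh documentation or product. It shows the mechanism behind "add the custom Gloo resources to your existing Kubernetes roles": the built-in admin, edit and view roles are aggregated ClusterRoles, so instead of editing them in place you create a ClusterRole carrying the aggregation label and the API server merges its rules in. The example then binds the roles for the App Developer persona. The user name alice, the namespaces bookinfo and gloo-mesh, and the gloo.solo.io API groups and resource names are assumptions; confirm the groups present in your installation with kubectl api-resources before applying.

```yaml
# Added example (not from the Gloo Mesh docs). Extends the built-in
# "edit" and "view" ClusterRoles with Gloo resources by aggregation,
# then grants Alice edit in her app namespace and view in the
# namespace that holds the WorkspaceSettings.
# ASSUMPTIONS: user "alice", namespaces "bookinfo" and "gloo-mesh",
# and the API groups below. Verify them with:
#   kubectl api-resources | grep gloo.solo.io
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gloo-mesh-edit
  labels:
    # The API server merges these rules into the built-in "edit"
    # ClusterRole; "edit" in turn aggregates into "admin".
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups:
  - networking.gloo.solo.io            # RouteTable, VirtualGateway, ...
  - security.policy.gloo.solo.io       # AccessPolicy, CORSPolicy, ...
  - trafficcontrol.policy.gloo.solo.io # RateLimitPolicy, ...
  - resilience.policy.gloo.solo.io     # RetryTimeoutPolicy, ...
  - observability.policy.gloo.solo.io  # AccessLogPolicy, ...
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["admin.gloo.solo.io"]
  # Only WorkspaceSettings, not Workspace or KubernetesCluster: the
  # other admin.gloo.solo.io kinds stay with the platform admin.
  resources: ["workspacesettings"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gloo-mesh-view
  labels:
    # Merged into "view", which aggregates into "edit" and "admin".
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
  - networking.gloo.solo.io
  - security.policy.gloo.solo.io
  - trafficcontrol.policy.gloo.solo.io
  - resilience.policy.gloo.solo.io
  - observability.policy.gloo.solo.io
  - admin.gloo.solo.io
  resources: ["*"]
  verbs: ["get", "list", "watch"]
---
# Alice may create Deployments, Services and Gloo resources such as a
# RouteTable, but only in bookinfo: binding a ClusterRole through a
# RoleBinding scopes its rules to that namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-edit
  namespace: bookinfo
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
---
# Alice may read, but not change, the WorkspaceSettings that decide
# what her workspace imports and exports.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-view-workspace
  namespace: gloo-mesh
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifest, check the effective permissions with impersonation rather than by reading the YAML back: kubectl auth can-i create routetables.networking.gloo.solo.io -n bookinfo --as alice should answer yes, and kubectl auth can-i update workspacesettings.admin.gloo.solo.io -n gloo-mesh --as alice should answer no. Two caveats worth keeping in mind. First, the aggregated ClusterRoles must be applied in every cluster in which the persona works, because each cluster's API server evaluates RBAC on its own and a binding in the management cluster grants nothing in a workload cluster. Second, edit on Gloo resources is effectively edit on the mesh traffic configuration that Gloo translates from them, so keep write access to the rest of admin.gloo.solo.io (Workspace, KubernetesCluster and similar) with the platform admin, as the example does.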