Control user access to your resources
Use Kubernetes RBAC to control user access to Gloo resources in your clusters.
Before you begin
- Add the Gloo custom resources to all of your Kubernetes clusters. You add the CRs by installing Gloo Mesh and registering each workload cluster.
- Target the Kubernetes cluster that you want to modify RBAC rules for.
kubectl config use-context $CONTEXT
- Optional: Make sure that the user or group that you want to grant access to has the proper permissions from your cloud provider. For more information, check your cloud provider identity and access management (IAM) documentation.
- Optional: Review how Kubernetes RBAC works.
Gloo API groups and resources for roles
Refer to the following examples for the Gloo API groups and resources that you can add to rules in Kubernetes RBAC roles or cluster roles. The examples are organized by the verbs that are allowed in the default Kubernetes Admin, Edit, and View roles.
To list the Gloo resources, their related API groups, and possible verbs, run the following command.
kubectl api-resources -o wide | grep gloo
Admin role verbs (create, delete, deletecollection, get, list, patch, update, watch):
rules:
- apiGroups:
  - admin.gloo.solo.io
  resources:
  - dashboards
  - extauthservers
  - gatewaylifecyclemanagers
  - istiolifecyclemanagers
  - kubernetesclusters
  - ratelimitserverconfigs
  - ratelimitserversettings
  - roottrustpolicies
  - workspaces
  - workspacesettings
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apimanagement.gloo.solo.io
  resources:
  - apidocs
  - apischemadiscoveries
  - graphqlresolvermaps
  - graphqlschemas
  - graphqlstitchedschemas
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - extensions.policy.gloo.solo.io
  resources:
  - wasmdeploymentpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - networking.gloo.solo.io
  resources:
  - externalendpoints
  - externalservices
  - routetables
  - virtualdestinations
  - virtualgateways
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - observability.policy.gloo.solo.io
  resources:
  - accesslogpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - resilience.policy.gloo.solo.io
  resources:
  - connectionpolicies
  - failoverpolicies
  - faultinjectionpolicies
  - outlierdetectionpolicies
  - retrytimeoutpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - security.policy.gloo.solo.io
  resources:
  - accesspolicies
  - corspolicies
  - csrfpolicies
  - extauthpolicies
  - jwtpolicies
  - wafpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - trafficcontrol.policy.gloo.solo.io
  resources:
  - headermanipulationpolicies
  - mirrorpolicies
  - proxyprotocolpolicies
  - ratelimitclientconfigs
  - ratelimitpolicies
  - transformationpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
Edit role verbs (get, list, patch, update, watch):
rules:
- apiGroups:
  - admin.gloo.solo.io
  resources:
  - dashboards
  - extauthservers
  - gatewaylifecyclemanagers
  - istiolifecyclemanagers
  - kubernetesclusters
  - ratelimitserverconfigs
  - ratelimitserversettings
  - roottrustpolicies
  - workspaces
  - workspacesettings
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apimanagement.gloo.solo.io
  resources:
  - apidocs
  - apischemadiscoveries
  - graphqlresolvermaps
  - graphqlschemas
  - graphqlstitchedschemas
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - extensions.policy.gloo.solo.io
  resources:
  - wasmdeploymentpolicies
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - networking.gloo.solo.io
  resources:
  - externalendpoints
  - externalservices
  - routetables
  - virtualdestinations
  - virtualgateways
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - observability.policy.gloo.solo.io
  resources:
  - accesslogpolicies
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - resilience.policy.gloo.solo.io
  resources:
  - connectionpolicies
  - failoverpolicies
  - faultinjectionpolicies
  - outlierdetectionpolicies
  - retrytimeoutpolicies
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - security.policy.gloo.solo.io
  resources:
  - accesspolicies
  - corspolicies
  - csrfpolicies
  - extauthpolicies
  - jwtpolicies
  - wafpolicies
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - trafficcontrol.policy.gloo.solo.io
  resources:
  - headermanipulationpolicies
  - mirrorpolicies
  - proxyprotocolpolicies
  - ratelimitclientconfigs
  - ratelimitpolicies
  - transformationpolicies
  verbs:
  - get
  - list
  - patch
  - update
  - watch
View role verbs (get, list, watch):
rules:
- apiGroups:
  - admin.gloo.solo.io
  resources:
  - dashboards
  - extauthservers
  - gatewaylifecyclemanagers
  - istiolifecyclemanagers
  - kubernetesclusters
  - ratelimitserverconfigs
  - ratelimitserversettings
  - roottrustpolicies
  - workspaces
  - workspacesettings
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apimanagement.gloo.solo.io
  resources:
  - apidocs
  - apischemadiscoveries
  - graphqlresolvermaps
  - graphqlschemas
  - graphqlstitchedschemas
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions.policy.gloo.solo.io
  resources:
  - wasmdeploymentpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.gloo.solo.io
  resources:
  - externalendpoints
  - externalservices
  - routetables
  - virtualdestinations
  - virtualgateways
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - observability.policy.gloo.solo.io
  resources:
  - accesslogpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - resilience.policy.gloo.solo.io
  resources:
  - connectionpolicies
  - failoverpolicies
  - faultinjectionpolicies
  - outlierdetectionpolicies
  - retrytimeoutpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - security.policy.gloo.solo.io
  resources:
  - accesspolicies
  - corspolicies
  - csrfpolicies
  - extauthpolicies
  - jwtpolicies
  - wafpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - trafficcontrol.policy.gloo.solo.io
  resources:
  - headermanipulationpolicies
  - mirrorpolicies
  - proxyprotocolpolicies
  - ratelimitclientconfigs
  - ratelimitpolicies
  - transformationpolicies
  verbs:
  - get
  - list
  - watch
Set up Kubernetes RBAC for Gloo resources
- List the Gloo resources, their related API groups, and possible verbs.
kubectl api-resources -o wide | grep gloo
Example output:
NAME                  SHORTNAMES   APIVERSION                       NAMESPACED   KIND                 VERBS
...
workspaces                         admin.gloo.solo.io/v2            true         Workspace            [delete deletecollection get list patch create update watch]
workspacesettings                  admin.gloo.solo.io/v2            true         WorkspaceSettings    [delete deletecollection get list patch create update watch]
routetables                        networking.gloo.solo.io/v2       true         RouteTable           [delete deletecollection get list patch create update watch]
virtualdestinations                networking.gloo.solo.io/v2       true         VirtualDestination   [delete deletecollection get list patch create update watch]
virtualgateways                    networking.gloo.solo.io/v2       true         VirtualGateway       [delete deletecollection get list patch create update watch]
...
- Optional: Get the details of an existing role or cluster role to modify, such as the default Kubernetes cluster roles admin, edit, and view.
  For a role:
  - Get the name of the existing role that you want to modify.
  kubectl get roles -A
  - Get the configuration of the role that you want to modify and save it as a local YAML file. Roles are namespaced, so add -n <namespace> if the role is not in your current namespace.
  kubectl get role $ROLE -o yaml > $ROLE.yaml
  For a cluster role:
  - Get the name of the existing cluster role that you want to modify.
  kubectl get clusterroles -A
  - Get the configuration of the cluster role that you want to modify and save it as a local YAML file.
  kubectl get clusterrole $CLUSTER_ROLE -o yaml > $CLUSTER_ROLE.yaml
- Create or open the existing configuration file. In the rules section, add a stanza for the Gloo resources that you want to control permissions for. Use the API group, resource name, and verbs that you previously retrieved. For a full list, see Gloo API groups and resources. The following example creates a view-only role for Gloo policies and networking resources, but not for admin resources.
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: gloo-mesh
  name: gloo-view
rules:
- apiGroups:
  - extensions.policy.gloo.solo.io
  resources:
  - wasmdeploymentpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.gloo.solo.io
  resources:
  - externalendpoints
  - externalservices
  - routetables
  - virtualdestinations
  - virtualgateways
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - observability.policy.gloo.solo.io
  resources:
  - accesslogpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - resilience.policy.gloo.solo.io
  resources:
  - connectionpolicies
  - failoverpolicies
  - faultinjectionpolicies
  - outlierdetectionpolicies
  - retrytimeoutpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - security.policy.gloo.solo.io
  resources:
  - accesspolicies
  - corspolicies
  - csrfpolicies
  - extauthpolicies
  - jwtpolicies
  - wafpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - trafficcontrol.policy.gloo.solo.io
  resources:
  - headermanipulationpolicies
  - mirrorpolicies
  - proxyprotocolpolicies
  - ratelimitclientconfigs
  - ratelimitpolicies
  - transformationpolicies
  verbs:
  - get
  - list
  - watch
EOF
- Create a service account in the same namespace as your role to test permissions.
kubectl create serviceaccount gloo-rbac-service-account -n gloo-mesh
- Create a role binding or cluster role binding that maps the user or service account as a subject for the role or cluster role that you updated. The following example creates a role binding for the service account that you created in the previous step. For more information, see the Kubernetes docs.
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gloo-view-role-binding
  namespace: gloo-mesh
subjects:
- namespace: gloo-mesh
  kind: ServiceAccount
  name: gloo-rbac-service-account
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gloo-view
EOF
- Check the permissions that the service account has.
kubectl auth can-i get failoverpolicies --as=system:serviceaccount:gloo-mesh:gloo-rbac-service-account -n gloo-mesh
kubectl auth can-i get workspaces --as=system:serviceaccount:gloo-mesh:gloo-rbac-service-account -n gloo-mesh
kubectl auth can-i get failoverpolicies --as=system:serviceaccount:gloo-mesh:gloo-rbac-service-account
Example output:
- yes: The service account can get failover policies in the gloo-mesh namespace, as expected.
- no: The service account cannot get workspaces in the gloo-mesh namespace, because the role only gives viewer permissions for Gloo policies, not admin resources.
- no: The service account cannot get failover policies in the default namespace, because the role and role binding are scoped to the gloo-mesh namespace.
You can also list every permission the service account has in the namespace.
kubectl auth can-i --list --as=system:serviceaccount:gloo-mesh:gloo-rbac-service-account -n gloo-mesh
Example output:
Resources                                                       Non-Resource URLs   Resource Names   Verbs
wasmdeploymentpolicies.extensions.policy.gloo.solo.io           []                  []               [get list watch]
externalendpoints.networking.gloo.solo.io                       []                  []               [get list watch]
externalservices.networking.gloo.solo.io                        []                  []               [get list watch]
routetables.networking.gloo.solo.io                             []                  []               [get list watch]
virtualdestinations.networking.gloo.solo.io                     []                  []               [get list watch]
virtualgateways.networking.gloo.solo.io                         []                  []               [get list watch]
accesslogpolicies.observability.policy.gloo.solo.io             []                  []               [get list watch]
connectionpolicies.resilience.policy.gloo.solo.io               []                  []               [get list watch]
failoverpolicies.resilience.policy.gloo.solo.io                 []                  []               [get list watch]
faultinjectionpolicies.resilience.policy.gloo.solo.io           []                  []               [get list watch]
outlierdetectionpolicies.resilience.policy.gloo.solo.io         []                  []               [get list watch]
retrytimeoutpolicies.resilience.policy.gloo.solo.io             []                  []               [get list watch]
accesspolicies.security.policy.gloo.solo.io                     []                  []               [get list watch]
corspolicies.security.policy.gloo.solo.io                       []                  []               [get list watch]
csrfpolicies.security.policy.gloo.solo.io                       []                  []               [get list watch]
extauthpolicies.security.policy.gloo.solo.io                    []                  []               [get list watch]
jwtpolicies.security.policy.gloo.solo.io                        []                  []               [get list watch]
wafpolicies.security.policy.gloo.solo.io                        []                  []               [get list watch]
headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io   []                  []               [get list watch]
mirrorpolicies.trafficcontrol.policy.gloo.solo.io               []                  []               [get list watch]
proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io        []                  []               [get list watch]
ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io       []                  []               [get list watch]
ratelimitpolicies.trafficcontrol.policy.gloo.solo.io            []                  []               [get list watch]
transformationpolicies.trafficcontrol.policy.gloo.solo.io       []                  []               [get list watch]
- Verify that the service account can get the resources.
  - Get and decode the token from the secret for the service account. The -D flag is the macOS spelling; on Linux, use base64 -d. On Kubernetes 1.24 and later, token secrets are no longer created automatically for service accounts, so request a short-lived token with kubectl create token gloo-rbac-service-account -n gloo-mesh instead.
  kubectl get secrets -n gloo-mesh $(kubectl get serviceaccount gloo-rbac-service-account -n gloo-mesh -o=jsonpath='{.secrets[0].name}') -o=jsonpath='{.data.token}' | base64 -D
  - Save the token output of the previous step as an environment variable.
  export SA_TOKEN=<ey...>
  - Get the cluster endpoint for API access.
  kubectl get endpoints | grep kubernetes
  Example output:
  kubernetes   34.xx.xxx.xxx:443   1d
  - Save the cluster endpoint without the port as an environment variable.
  export CLUSTER_ENDPOINT=<34.xx.xxx.xxx>
  - Send some curl requests to the cluster endpoint with the service account token. Note that some succeed and some fail based on the permissions of the service account.
  curl -k https://$CLUSTER_ENDPOINT/apis/resilience.policy.gloo.solo.io/v2/failoverpolicies -H "Authorization: Bearer $SA_TOKEN"
  curl -k https://$CLUSTER_ENDPOINT/apis/resilience.policy.gloo.solo.io/v2/namespaces/gloo-mesh/failoverpolicies -H "Authorization: Bearer $SA_TOKEN"
  curl -k https://$CLUSTER_ENDPOINT/apis/admin.gloo.solo.io/v2/namespaces/gloo-mesh/workspaces -H "Authorization: Bearer $SA_TOKEN"
  Example output:
  - The first request fails because the service account does not have permissions to list failover policies for the entire cluster.
  - The second request succeeds because the service account can list Gloo failover policies in the gloo-mesh namespace.
  - The third request fails because the service account cannot list Gloo admin resources such as workspaces.
- Optional: Clean up the resources that you created.
kubectl delete -n gloo-mesh role gloo-view
kubectl delete -n gloo-mesh rolebinding gloo-view-role-binding
kubectl delete -n gloo-mesh serviceaccount gloo-rbac-service-account
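The steps above can be rehearsed offline: the following added example (not part of the Gloo docs or project) parses a constructed sample of the kubectl api-resources output from step 1, builds the namespaced view-only Role from step 3 (admin.gloo.solo.io excluded), and evaluates requests against it the way kubectl auth can-i does in step 6. The function names, the ADMIN_GROUPS set and the sample rows are assumptions for this example.

```python
import json

# Constructed sample of `kubectl api-resources -o wide | grep gloo` output
# (rows copied from the example output on this page; SHORTNAMES column empty).
API_RESOURCES = """\
workspaces admin.gloo.solo.io/v2 true Workspace [delete deletecollection get list patch create update watch]
routetables networking.gloo.solo.io/v2 true RouteTable [delete deletecollection get list patch create update watch]
virtualgateways networking.gloo.solo.io/v2 true VirtualGateway [delete deletecollection get list patch create update watch]
failoverpolicies resilience.policy.gloo.solo.io/v2 true FailoverPolicy [delete deletecollection get list patch create update watch]
"""
VIEW_VERBS = ("get", "list", "watch")  # verbs of the default Kubernetes view role
ADMIN_GROUPS = {"admin.gloo.solo.io"}   # kept out of the view role, as on this page

def parse_api_resources(text):
    """Yield (plural name, API group, namespaced, supported verbs) per row.
    SHORTNAMES may be blank, so columns are located relative to the [verbs] list."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "NAME":
            continue
        i = next(k for k, t in enumerate(tokens) if t.startswith("["))
        verbs = " ".join(tokens[i:]).strip("[]").split()
        api_version, namespaced = tokens[i - 3], tokens[i - 2]
        yield tokens[0], api_version.split("/")[0], namespaced == "true", verbs

def build_view_role(text, namespace="gloo-mesh", name="gloo-view"):
    """Build a namespaced Role (as a dict; kubectl apply accepts JSON) granting only
    VIEW_VERBS on namespaced, non-admin Gloo resources, one rule per API group."""
    rules = {}
    for resource, group, namespaced, supported in parse_api_resources(text):
        if group in ADMIN_GROUPS or not namespaced:
            continue  # least privilege: no admin resources, no cluster-scoped ones
        rule = rules.setdefault(group, {"apiGroups": [group], "resources": [],
                                        "verbs": [v for v in VIEW_VERBS if v in supported]})
        rule["resources"].append(resource)
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"namespace": namespace, "name": name},
            "rules": list(rules.values())}

def can_i(role, verb, resource, group, namespace):
    """Mirror `kubectl auth can-i` for a subject bound to this Role by a RoleBinding in
    the Role's namespace: a Role never grants cluster-wide ("") or cross-namespace access."""
    if namespace != role["metadata"]["namespace"]:
        return False
    return any(group in r["apiGroups"] and resource in r["resources"] and verb in r["verbs"]
               for r in role["rules"])

if __name__ == "__main__":
    print(json.dumps(build_view_role(API_RESOURCES), indent=2))  # pipe into: kubectl apply -f -
```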