Control user access to your resources

Use Kubernetes RBAC to control user access to Gloo resources in your clusters.

Before you begin

  1. Add the Gloo custom resources to all of your Kubernetes clusters. You add the CRs by installing Gloo Mesh and registering each workload cluster.
  2. Target the Kubernetes cluster that you want to modify RBAC rules for.
    kubectl config use-context $CONTEXT
    
  3. Optional: Make sure that the user or group that you want to grant access to has the proper permissions from your cloud provider. For more information, check your cloud provider identity and access management (IAM) documentation.
  4. Optional: Review how Kubernetes RBAC works.

Gloo API groups and resources for roles

Refer to the following examples for the Gloo API groups and resources that you can add to rules in Kubernetes RBAC roles or cluster roles. The examples are organized by the verbs that are allowed in the default Kubernetes Admin, Edit, and View roles.

To list the Gloo resources, their related API groups, and possible verbs, run the following command.

kubectl api-resources -o wide | grep gloo

Admin:

rules:
- apiGroups:
  - admin.gloo.solo.io
  resources:
  - dashboards
  - extauthservers
  - gatewaylifecyclemanagers
  - istiolifecyclemanagers
  - kubernetesclusters
  - ratelimitserverconfigs
  - ratelimitserversettings
  - roottrustpolicies
  - workspaces
  - workspacesettings
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apimanagement.gloo.solo.io
  resources:
  - apischemas
  - graphqlresolvermaps
  - graphqlschemas
  - graphqlstitchedschemas
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - extensions.policy.gloo.solo.io
  resources:
  - wasmdeploymentpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - networking.gloo.solo.io
  resources:
  - externalendpoints
  - externalservices
  - routetables
  - virtualdestinations
  - virtualgateways
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - observability.policy.gloo.solo.io
  resources:
  - accesslogpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - resilience.policy.gloo.solo.io
  resources:
  - connectionpolicies
  - failoverpolicies
  - faultinjectionpolicies
  - outlierdetectionpolicies
  - retrytimeoutpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - security.policy.gloo.solo.io
  resources:
  - accesspolicies
  - corspolicies
  - csrfpolicies
  - extauthpolicies
  - jwtpolicies
  - wafpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - trafficcontrol.policy.gloo.solo.io
  resources:
  - headermanipulationpolicies
  - mirrorpolicies
  - proxyprotocolpolicies
  - ratelimitclientconfigs
  - ratelimitpolicies
  - transformationpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch

Edit:

rules:
- apiGroups:
  - admin.gloo.solo.io
  resources:
  - dashboards
  - extauthservers
  - gatewaylifecyclemanagers
  - istiolifecyclemanagers
  - kubernetesclusters
  - ratelimitserverconfigs
  - ratelimitserversettings
  - roottrustpolicies
  - workspaces
  - workspacesettings
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apimanagement.gloo.solo.io
  resources:
  - apischemas
  - graphqlresolvermaps
  - graphqlschemas
  - graphqlstitchedschemas
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - extensions.policy.gloo.solo.io
  resources:
  - wasmdeploymentpolicies
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - networking.gloo.solo.io
  resources:
  - externalendpoints
  - externalservices
  - routetables
  - virtualdestinations
  - virtualgateways
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - observability.policy.gloo.solo.io
  resources:
  - accesslogpolicies
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - resilience.policy.gloo.solo.io
  resources:
  - connectionpolicies
  - failoverpolicies
  - faultinjectionpolicies
  - outlierdetectionpolicies
  - retrytimeoutpolicies
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - security.policy.gloo.solo.io
  resources:
  - accesspolicies
  - corspolicies
  - csrfpolicies
  - extauthpolicies
  - jwtpolicies
  - wafpolicies
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - trafficcontrol.policy.gloo.solo.io
  resources:
  - headermanipulationpolicies
  - mirrorpolicies
  - proxyprotocolpolicies
  - ratelimitclientconfigs
  - ratelimitpolicies
  - transformationpolicies
  verbs:
  - get
  - list
  - patch
  - update
  - watch

View:

rules:
- apiGroups:
  - admin.gloo.solo.io
  resources:
  - dashboards
  - extauthservers
  - gatewaylifecyclemanagers
  - istiolifecyclemanagers
  - kubernetesclusters
  - ratelimitserverconfigs
  - ratelimitserversettings
  - roottrustpolicies
  - workspaces
  - workspacesettings
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apimanagement.gloo.solo.io
  resources:
  - apischemas
  - graphqlresolvermaps
  - graphqlschemas
  - graphqlstitchedschemas
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions.policy.gloo.solo.io
  resources:
  - wasmdeploymentpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.gloo.solo.io
  resources:
  - externalendpoints
  - externalservices
  - routetables
  - virtualdestinations
  - virtualgateways
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - observability.policy.gloo.solo.io
  resources:
  - accesslogpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - resilience.policy.gloo.solo.io
  resources:
  - connectionpolicies
  - failoverpolicies
  - faultinjectionpolicies
  - outlierdetectionpolicies
  - retrytimeoutpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - security.policy.gloo.solo.io
  resources:
  - accesspolicies
  - corspolicies
  - csrfpolicies
  - extauthpolicies
  - jwtpolicies
  - wafpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - trafficcontrol.policy.gloo.solo.io
  resources:
  - headermanipulationpolicies
  - mirrorpolicies
  - proxyprotocolpolicies
  - ratelimitclientconfigs
  - ratelimitpolicies
  - transformationpolicies
  verbs:
  - get
  - list
  - watch
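The rule lists above are exactly what `kubectl api-resources -o wide | grep gloo` reports, grouped by API group and combined with one verb set per role. The following shell function is an added example (not from the Gloo docs) that derives such a `rules:` block from that output instead of hand-copying it: it keeps only `*.gloo.solo.io` API groups, drops any groups you name (here `admin.gloo.solo.io`, so the result is the View shape without admin resources), and assigns the verbs you pass. The function name `gloo_rules` and the `SAMPLE_API_RESOURCES` input are assumptions; the sample is a constructed subset of the api-resources output so the example runs without a cluster.

```shell
# Added example, not from the Gloo docs: derive a Kubernetes RBAC "rules:" block
# for Gloo resources from `kubectl api-resources -o wide` output.
# Only *.gloo.solo.io API groups are kept, groups listed in EXCLUDE_GROUPS are
# dropped, and every kept resource gets VERBS.
#
#   gloo_rules VERBS [EXCLUDE_GROUPS]   (reads api-resources lines on stdin)
#
# Live use: kubectl api-resources -o wide | gloo_rules "get list watch" "admin.gloo.solo.io"
gloo_rules() {
  awk -v verbs="$1" -v exclude="${2:-}" '
    # Locate the APIVERSION column by its "group/version" shape rather than by
    # position, because the SHORTNAMES column is blank for most Gloo resources.
    {
      group = ""
      for (i = 2; i <= NF; i++) {
        if ($i ~ /\/v[0-9]/) { split($i, gv, "/"); group = gv[1]; break }
      }
      if (group !~ /gloo\.solo\.io$/) next                  # header, core group, other CRDs
      if (index(" " exclude " ", " " group " ") > 0) next   # e.g. keep admin resources out of a view role
      if (!(group in seen)) { seen[group] = 1; order[++n] = group }
      resources[group] = resources[group] " " $1
    }
    END {
      print "rules:"
      for (k = 1; k <= n; k++) {
        g = order[k]
        print "- apiGroups:"
        print "  - " g
        print "  resources:"
        m = split(resources[g], r, " ")
        for (j = 1; j <= m; j++) print "  - " r[j]
        print "  verbs:"
        m = split(verbs, v, " ")
        for (j = 1; j <= m; j++) print "  - " v[j]
      }
    }'
}

# Constructed sample of `kubectl api-resources -o wide` output: one core resource
# plus a subset of the Gloo resources listed in the docs, so this runs offline.
SAMPLE_API_RESOURCES='NAME                 SHORTNAMES   APIVERSION                          NAMESPACED   KIND                 VERBS
pods                 po           v1                                  true         Pod                  [create delete deletecollection get list patch update watch]
workspaces                        admin.gloo.solo.io/v2               true         Workspace            [delete deletecollection get list patch create update watch]
workspacesettings                 admin.gloo.solo.io/v2               true         WorkspaceSettings    [delete deletecollection get list patch create update watch]
routetables                       networking.gloo.solo.io/v2          true         RouteTable           [delete deletecollection get list patch create update watch]
virtualgateways                   networking.gloo.solo.io/v2          true         VirtualGateway       [delete deletecollection get list patch create update watch]
failoverpolicies                  resilience.policy.gloo.solo.io/v2   true         FailoverPolicy       [delete deletecollection get list patch create update watch]'

# View-only rules for every Gloo group except admin: the shape of the docs'
# gloo-view Role, generated from the sample rather than typed.
gloo_view_rules() {
  printf '%s\n' "$SAMPLE_API_RESOURCES" | gloo_rules "get list watch" "admin.gloo.solo.io"
}

gloo_view_rules
```

Because the function reads the live api-resources output, a role generated this way picks up Gloo resources that were added after this page was written; review the result before applying it, since any new admin-style group that is not in the exclude list would be granted the view verbs.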

Set up Kubernetes RBAC for Gloo resources

  1. List the Gloo resources, their related API groups, and possible verbs.

    kubectl api-resources -o wide | grep gloo
    

    Example output:

    ...
    NAME                 SHORTNAMES   APIVERSION                          NAMESPACED   KIND                 VERBS
    workspaces                        admin.gloo.solo.io/v2               true         Workspace            [delete deletecollection get list patch create update watch]
    workspacesettings                 admin.gloo.solo.io/v2               true         WorkspaceSettings    [delete deletecollection get list patch create update watch]
    routetables                       networking.gloo.solo.io/v2          true         RouteTable           [delete deletecollection get list patch create update watch]
    virtualdestinations               networking.gloo.solo.io/v2          true         VirtualDestination   [delete deletecollection get list patch create update watch]
    virtualgateways                   networking.gloo.solo.io/v2          true         VirtualGateway       [delete deletecollection get list patch create update watch]
    ...
    
  2. Optional: Get the details of an existing role or cluster role to modify, such as the default Kubernetes cluster roles admin, edit, and view.

    Role:

    1. Get the name of the existing role that you want to modify.
      kubectl get roles -A
      
    2. Get the configuration of the role that you want to modify and save it as a local YAML file.
      kubectl get role $ROLE -o yaml > $ROLE.yaml
      
    Cluster role:

    1. Get the name of the existing cluster role that you want to modify.
      kubectl get clusterroles -A
      
    2. Get the configuration of the cluster role that you want to modify and save it as a local YAML file.
      kubectl get clusterrole $CLUSTER_ROLE -o yaml > $CLUSTER_ROLE.yaml
      

  3. Create or open the existing configuration file. In the rules section, add a stanza for the Gloo resources that you want to control permissions for. Use the API group, resource name, and verbs that you previously retrieved. For a full list, see Gloo API groups and resources. The following example creates a view-only role for Gloo policies and networking resources, but not for admin resources.

    kubectl apply -f - <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: gloo-mesh
      name: gloo-view
    rules:
    - apiGroups:
      - extensions.policy.gloo.solo.io
      resources:
      - wasmdeploymentpolicies
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - networking.gloo.solo.io
      resources:
      - externalendpoints
      - externalservices
      - routetables
      - virtualdestinations
      - virtualgateways
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - observability.policy.gloo.solo.io
      resources:
      - accesslogpolicies
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - resilience.policy.gloo.solo.io
      resources:
      - connectionpolicies
      - failoverpolicies
      - faultinjectionpolicies
      - outlierdetectionpolicies
      - retrytimeoutpolicies
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - security.policy.gloo.solo.io
      resources:
      - accesspolicies
      - corspolicies
      - csrfpolicies
      - extauthpolicies
      - jwtpolicies
      - wafpolicies
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - trafficcontrol.policy.gloo.solo.io
      resources:
      - headermanipulationpolicies
      - mirrorpolicies
      - proxyprotocolpolicies
      - ratelimitclientconfigs
      - ratelimitpolicies
      - transformationpolicies
      verbs:
      - get
      - list
      - watch
    EOF
    
  4. Create a service account in the same namespace as your role to test permissions.

    kubectl create serviceaccount gloo-rbac-service-account -n gloo-mesh
    
  5. Create a role binding or cluster role binding that maps the user or service account as a subject for the role or cluster role that you updated. The following example creates a role binding for the service account that you created in the previous step. For more information, see the Kubernetes docs.

    kubectl apply -f - <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: gloo-view-role-binding
      namespace: gloo-mesh
    subjects:
    - namespace: gloo-mesh 
      kind: ServiceAccount
      name: gloo-rbac-service-account
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: gloo-view
    EOF
    
  6. Check the permissions that the service account has.

    kubectl auth can-i get failoverpolicies --as=system:serviceaccount:gloo-mesh:gloo-rbac-service-account -n gloo-mesh
    kubectl auth can-i get workspaces --as=system:serviceaccount:gloo-mesh:gloo-rbac-service-account -n gloo-mesh
    kubectl auth can-i get failoverpolicies --as=system:serviceaccount:gloo-mesh:gloo-rbac-service-account
    

    Example output:

    • yes: The service account can get failover policies in the gloo-mesh namespace, as expected.
    • no: The service account cannot get workspaces in the gloo-mesh namespace, because the role only gives viewer permissions for Gloo policies, not admin resources.
    • no: The service account cannot get failover policies in the default namespace, because the role and role binding are scoped to the gloo-mesh namespace.

    To list all of the permissions that the service account has in the namespace, run the following command.

    kubectl auth can-i --list --as=system:serviceaccount:gloo-mesh:gloo-rbac-service-account -n gloo-mesh
    

    Example output:

    Resources                                                       Non-Resource URLs                     Resource Names   Verbs
    wasmdeploymentpolicies.extensions.policy.gloo.solo.io           []                                    []               [get list watch]
    externalendpoints.networking.gloo.solo.io                       []                                    []               [get list watch]
    externalservices.networking.gloo.solo.io                        []                                    []               [get list watch]
    routetables.networking.gloo.solo.io                             []                                    []               [get list watch]
    virtualdestinations.networking.gloo.solo.io                     []                                    []               [get list watch]
    virtualgateways.networking.gloo.solo.io                         []                                    []               [get list watch]
    accesslogpolicies.observability.policy.gloo.solo.io             []                                    []               [get list watch]
    connectionpolicies.resilience.policy.gloo.solo.io               []                                    []               [get list watch]
    failoverpolicies.resilience.policy.gloo.solo.io                 []                                    []               [get list watch]
    faultinjectionpolicies.resilience.policy.gloo.solo.io           []                                    []               [get list watch]
    outlierdetectionpolicies.resilience.policy.gloo.solo.io         []                                    []               [get list watch]
    retrytimeoutpolicies.resilience.policy.gloo.solo.io             []                                    []               [get list watch]
    accesspolicies.security.policy.gloo.solo.io                     []                                    []               [get list watch]
    corspolicies.security.policy.gloo.solo.io                       []                                    []               [get list watch]
    csrfpolicies.security.policy.gloo.solo.io                       []                                    []               [get list watch]
    extauthpolicies.security.policy.gloo.solo.io                    []                                    []               [get list watch]
    jwtpolicies.security.policy.gloo.solo.io                        []                                    []               [get list watch]
    wafpolicies.security.policy.gloo.solo.io                        []                                    []               [get list watch]
    headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io   []                                    []               [get list watch]
    mirrorpolicies.trafficcontrol.policy.gloo.solo.io               []                                    []               [get list watch]
    proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io        []                                    []               [get list watch]
    ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io       []                                    []               [get list watch]
    ratelimitpolicies.trafficcontrol.policy.gloo.solo.io            []                                    []               [get list watch]
    transformationpolicies.trafficcontrol.policy.gloo.solo.io       []                                    []               [get list watch]
    

  7. Verify that the service account can get the resources.

    1. Get and decode the token from the secret for the service account.

      # On Kubernetes 1.24 and later, service accounts no longer get a long-lived token secret
      # created automatically; if the secret lookup below returns nothing, request a short-lived
      # token with `kubectl create token` instead. `base64 --decode` works on both GNU and macOS.
      kubectl get secrets -n gloo-mesh $(kubectl get serviceaccount gloo-rbac-service-account -n gloo-mesh -o=jsonpath='{.secrets[0].name}') -o=jsonpath='{.data.token}' | base64 --decode
      
    2. Save the token output of the previous step as an environment variable.

      export SA_TOKEN=<ey...>
      
    3. Get the cluster endpoint for API access.

      kubectl get endpoints | grep kubernetes
      

      Example output:

      kubernetes   34.xx.xxx.xxx:443   1d
      
    4. Save the cluster endpoint without the port as an environment variable.

      export CLUSTER_ENDPOINT=<34.xx.xxx.xxx>
      
    5. Send some curl requests to the cluster endpoint with the service account token. Note that some succeed and some fail based on the permissions of the service account.

      curl -k  https://$CLUSTER_ENDPOINT/apis/resilience.policy.gloo.solo.io/v2/failoverpolicies -H "Authorization: Bearer $SA_TOKEN"
      curl -k  https://$CLUSTER_ENDPOINT/apis/resilience.policy.gloo.solo.io/v2/namespaces/gloo-mesh/failoverpolicies -H "Authorization: Bearer $SA_TOKEN"
      curl -k  https://$CLUSTER_ENDPOINT/apis/admin.gloo.solo.io/v2/namespaces/gloo-mesh/workspaces -H "Authorization: Bearer $SA_TOKEN"
      

      Example output:

      • The first request fails because the service account does not have permissions to list failover policies for the entire cluster.
      • The second request succeeds because the service account can list Gloo failover policies in the gloo-mesh namespace.
      • The third request fails because the service account cannot list Gloo admin resources such as workspaces.
  8. Optional: Clean up the resources that you created.

    kubectl delete -n gloo-mesh role gloo-view
    kubectl delete -n gloo-mesh rolebinding gloo-view-role-binding
    kubectl delete -n gloo-mesh serviceaccount gloo-rbac-service-account
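The `kubectl auth can-i --list` output in step 6 is the complete record of what the subject may do, so it is the natural place to verify least privilege mechanically rather than by reading the table. The following shell function is an added example (not from the Gloo docs) that audits that output against the expectation this procedure sets up: every Gloo resource may carry only `get`, `list` and `watch`, and nothing in `admin.gloo.solo.io` may appear at all. The function names `audit_view_grants`, `audit_sample` and `audit_live_sa` are assumptions, and the two `can-i --list` samples are constructed inline (one matching the docs' output for the gloo-view Role, one with an admin resource and write verbs added) so the example runs without a cluster.

```shell
# Added example, not from the Gloo docs: audit the grants that
# `kubectl auth can-i --list` reports for a subject against a least-privilege
# expectation: every Gloo resource may carry only the verbs in ALLOWED_VERBS, and
# no resource in FORBIDDEN_GROUP may appear at all.
# Prints one VIOLATION line per finding and exits non-zero if there were any.
#
#   audit_view_grants ALLOWED_VERBS FORBIDDEN_GROUP   (reads can-i --list output on stdin)
audit_view_grants() {
  awk -v allowed="$1" -v forbidden="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1; bad = 0 }
    # Only rows whose Resources column is a Gloo resource; this skips the header and
    # the rows for non-resource URLs, whose first column is a bracketed path.
    $1 !~ /gloo\.solo\.io$/ { next }
    {
      # The Verbs column is the last bracketed list on the row, e.g. "[get list watch]".
      m = split($0, parts, /\[/)
      verbs = parts[m]
      sub(/\]$/, "", verbs)
      # Resources are printed as <resource>.<api group>; the resource name has no dots.
      group = substr($1, index($1, ".") + 1)
      if (group == forbidden) { print "VIOLATION: " $1 " is in forbidden API group " forbidden; bad++ }
      k = split(verbs, vv, " ")
      for (i = 1; i <= k; i++) {
        if (!(vv[i] in ok)) { print "VIOLATION: " $1 " grants verb " vv[i]; bad++ }
      }
    }
    END { exit (bad > 0) }'
}

# Constructed `kubectl auth can-i --list` output. SAMPLE_CLEAN is what the docs'
# gloo-view Role produces (plus the rows every authenticated subject has);
# SAMPLE_OVERPRIVILEGED adds an admin resource and write verbs a view-only
# subject must never hold.
SAMPLE_CLEAN='Resources                                             Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io         []                  []               [create]
failoverpolicies.resilience.policy.gloo.solo.io       []                  []               [get list watch]
routetables.networking.gloo.solo.io                   []                  []               [get list watch]
                                                      [/api/*]            []               [get]'
SAMPLE_OVERPRIVILEGED='Resources                                             Non-Resource URLs   Resource Names   Verbs
workspaces.admin.gloo.solo.io                         []                  []               [get list watch]
routetables.networking.gloo.solo.io                   []                  []               [get list patch update watch]
failoverpolicies.resilience.policy.gloo.solo.io       []                  []               [get list watch]'

# Run the audit over one of the constructed samples; returns the audit exit status.
audit_sample() {  # audit_sample clean|overprivileged
  case "$1" in
    clean) input="$SAMPLE_CLEAN" ;;
    *)     input="$SAMPLE_OVERPRIVILEGED" ;;
  esac
  printf '%s\n' "$input" | audit_view_grants "get list watch" "admin.gloo.solo.io"
}

# Live use against a cluster (not run here): audit a service account exactly where
# the docs run `kubectl auth can-i --list`.
audit_live_sa() {  # audit_live_sa NAMESPACE SERVICEACCOUNT
  kubectl auth can-i --list --as="system:serviceaccount:$1:$2" -n "$1" \
    | audit_view_grants "get list watch" "admin.gloo.solo.io"
}

audit_sample clean && echo "clean sample: no violations"
audit_sample overprivileged || echo "overprivileged sample: violations found"
```

Running `audit_live_sa gloo-mesh gloo-rbac-service-account` after step 5 should report no violations; a non-zero exit from the live audit means a role binding grants the subject more than the view-only role described here, which is the drift this check is meant to catch.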