RBAC for resources in the UI
Review how Gloo Mesh Enterprise uses RBAC resources to decide what resources to display in the Gloo UI.
You can use Kubernetes RBAC to authorize users to view resources in the Gloo UI. To do so, you must use the Gloo UI dashboard settings to specify how to map users that were authenticated with the OIDC provider to users and their associated RBAC roles in the cluster.
- For more information, see Set up external auth for the Gloo UI.
- For an example setup, see AuthN and AuthZ with Dex.
RBAC permissions to view resources
To control access to Gloo Mesh Enterprise resources, you set up Kubernetes RBAC. Users’ RBAC permissions control what resources they can see in the Gloo UI.
Minimum permissions: To see resources in the Gloo UI, a user must have view
permissions to at least 1 workspace settings resource in RBAC.
Review the following table for more details about what users can see with certain permissions. The header row is if a user has permission only to that resource.
Permission | Workspace | Workspace setting | Kubernetes cluster | Resource in workspace | Resource NOT in workspace | Imported resource* |
---|---|---|---|---|---|---|
Resource details within the workspace | ❌ | ✅ | ❌ | ✅ | ❌ | ✅ |
Workspace summary details, such as number of namespaces or services | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
Cluster details, such as cluster names, Kubernetes version, and Istio version | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
*
The visibility of imported resources depends on your access to the workspace settings. With access to the importing workspace settings only, you can see summary information such as the number of imported resources. With access to both the importing and exporting workspace settings, you can also see the resource details.