Control user access to your resources

Use Kubernetes RBAC to control user access to Gloo Mesh resources in your clusters.

Before you begin

  1. Add the Gloo Mesh custom resources to all of your Kubernetes clusters. You add the CRs by installing Gloo Mesh and registering each workload cluster.
  2. Target the Kubernetes cluster that you want to modify RBAC rules for.
    kubectl config use-context $CONTEXT
    
  3. Optional: Review how Kubernetes RBAC works with Gloo Platform.

Set up Kubernetes RBAC for Gloo Mesh resources

  1. List the Gloo Mesh resources and their related API groups and possible verbs.

    kubectl api-resources -o wide | grep gloo
    

    Example output:

    ...
    NAME                  SHORTNAMES   APIVERSION                    NAMESPACED   KIND                 VERBS
    workspaces                         admin.gloo.solo.io/v2         true         Workspace            [delete deletecollection get list patch create update watch]
    workspacesettings                  admin.gloo.solo.io/v2         true         WorkspaceSettings    [delete deletecollection get list patch create update watch]
    routetables                        networking.gloo.solo.io/v2    true         RouteTable           [delete deletecollection get list patch create update watch]
    virtualdestinations                networking.gloo.solo.io/v2    true         VirtualDestination   [delete deletecollection get list patch create update watch]
    virtualgateways                    networking.gloo.solo.io/v2    true         VirtualGateway       [delete deletecollection get list patch create update watch]
    ...
    
  2. Find the roles and cluster roles that you want to modify. In this example, the default Kubernetes cluster roles admin, edit, and view are used.

    kubectl get roles,clusterroles -A
    
  3. Export the role that you want to modify as a local YAML file.

     Cluster role:

       kubectl get clusterrole $CLUSTER_ROLE -o yaml > $CLUSTER_ROLE.yaml

     Role:

       kubectl get role $ROLE -o yaml > $ROLE.yaml

  4. Open the YAML file. In the rules section, add a stanza for the Gloo Mesh resources that you want to control permissions for. Use the API group, resource name, and verbs that you previously retrieved, such as in the following examples. Note that the apiGroups field takes the API group only, which is the part of the APIVERSION column before the slash (for example, networking.gloo.solo.io, not networking.gloo.solo.io/v2); a group written with its version never matches a request. The example output also includes the list verb; add it to a stanza if its users need to run kubectl get on a resource type without naming a specific object.

     Example for the admin cluster role:

       apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRole
       rules:
       - apiGroups:
         - admin.gloo.solo.io
         - enterprise.gloo.solo.io
         - extensions.policy.gloo.solo.io
         - networking.gloo.solo.io
         - observability.policy.gloo.solo.io
         - resilience.policy.gloo.solo.io
         - security.policy.gloo.solo.io
         - trafficcontrol.policy.gloo.solo.io
         resources:
         - dashboards
         - extauthservers
         - kubernetesclusters
         - ratelimitserverconfigs
         - ratelimitserversettings
         - roottrustpolicies
         - workspaces
         - workspacesettings
         - authconfigs
         - wasmdeploymentpolicies
         - externalendpoints
         - externalservices
         - routetables
         - virtualdestinations
         - virtualgateways
         - accesslogpolicies
         - failoverpolicies
         - faultinjectionpolicies
         - outlierdetectionpolicies
         - retrytimeoutpolicies
         - accesspolicies
         - corspolicies
         - csrfpolicies
         - extauthpolicies
         - mirrorpolicies
         - ratelimitclientconfigs
         - ratelimitpolicies
         - transformationpolicies
         verbs:
         - create
         - delete
         - deletecollection
         - get
         - patch
         - update
         - watch

     Example for the edit cluster role:

       apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRole
       rules:
       - apiGroups:
         - admin.gloo.solo.io
         - enterprise.gloo.solo.io
         - extensions.policy.gloo.solo.io
         - networking.gloo.solo.io
         - observability.policy.gloo.solo.io
         - resilience.policy.gloo.solo.io
         - security.policy.gloo.solo.io
         - trafficcontrol.policy.gloo.solo.io
         resources:
         - dashboards
         - extauthservers
         - kubernetesclusters
         - ratelimitserverconfigs
         - ratelimitserversettings
         - roottrustpolicies
         - workspaces
         - workspacesettings
         - authconfigs
         - wasmdeploymentpolicies
         - externalendpoints
         - externalservices
         - routetables
         - virtualdestinations
         - virtualgateways
         - accesslogpolicies
         - failoverpolicies
         - faultinjectionpolicies
         - outlierdetectionpolicies
         - retrytimeoutpolicies
         - accesspolicies
         - corspolicies
         - csrfpolicies
         - extauthpolicies
         - mirrorpolicies
         - ratelimitclientconfigs
         - ratelimitpolicies
         - transformationpolicies
         verbs:
         - get
         - patch
         - update
         - watch

     Example for the view cluster role:

       apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRole
       rules:
       - apiGroups:
         - admin.gloo.solo.io
         - enterprise.gloo.solo.io
         - extensions.policy.gloo.solo.io
         - networking.gloo.solo.io
         - observability.policy.gloo.solo.io
         - resilience.policy.gloo.solo.io
         - security.policy.gloo.solo.io
         - trafficcontrol.policy.gloo.solo.io
         resources:
         - dashboards
         - extauthservers
         - kubernetesclusters
         - ratelimitserverconfigs
         - ratelimitserversettings
         - roottrustpolicies
         - workspaces
         - workspacesettings
         - authconfigs
         - wasmdeploymentpolicies
         - externalendpoints
         - externalservices
         - routetables
         - virtualdestinations
         - virtualgateways
         - accesslogpolicies
         - failoverpolicies
         - faultinjectionpolicies
         - outlierdetectionpolicies
         - retrytimeoutpolicies
         - accesspolicies
         - corspolicies
         - csrfpolicies
         - extauthpolicies
         - mirrorpolicies
         - ratelimitclientconfigs
         - ratelimitpolicies
         - transformationpolicies
         verbs:
         - get
         - watch


  5. Save and apply the updated role to your cluster.

     Cluster role:

       kubectl apply -f $CLUSTER_ROLE.yaml

     Role:

       kubectl apply -f $ROLE.yaml

  6. Make sure that the users are subjects in the role binding or cluster role binding for the role that you updated.

  7. Repeat for each cluster in your Gloo Mesh environment.
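The following script is an added example, not part of this guide or of the Gloo Mesh project. It mirrors how the Kubernetes authorizer matches a request against a PolicyRule (verb, API group, resource, and optional resourceNames, with `*` wildcards and `*/<subresource>` patterns) so that you can check the admin, edit, and view stanzas from step 4 against sample requests before applying them. The resource list is a constructed subset of the stanza's resources, and the `api_group` helper shows why the apiGroups field must hold the group without its version.

```python
"""Offline evaluator for the Kubernetes RBAC rules in this guide (added example).

Mirrors the matching semantics of a Kubernetes PolicyRule (verb, API group,
resource, optional resourceNames) so the admin/edit/view stanzas can be
checked against sample requests before they are applied to a cluster.
"""
from typing import Dict, List

# APIVERSION values for Gloo Mesh resources, as printed by `kubectl api-resources`.
GLOO_API_VERSIONS = [
    "admin.gloo.solo.io/v2",
    "enterprise.gloo.solo.io/v1",
    "extensions.policy.gloo.solo.io/v2",
    "networking.gloo.solo.io/v2",
    "observability.policy.gloo.solo.io/v2",
    "resilience.policy.gloo.solo.io/v2",
    "security.policy.gloo.solo.io/v2",
    "trafficcontrol.policy.gloo.solo.io/v2",
]

# Constructed subset of the Gloo Mesh resource names from the guide (the full stanza lists more).
GLOO_RESOURCES = ["workspaces", "workspacesettings", "routetables",
                  "virtualdestinations", "virtualgateways"]


def api_group(api_version: str) -> str:
    """Convert an APIVERSION column value into the value RBAC expects in apiGroups.

    RBAC matches on the group alone: "networking.gloo.solo.io/v2" -> "networking.gloo.solo.io".
    A bare version such as "v1" belongs to the core group, which RBAC spells as "".
    """
    return api_version.rsplit("/", 1)[0] if "/" in api_version else ""


def gloo_rule(verbs: List[str]) -> Dict[str, List[str]]:
    """Build one PolicyRule (as a dict) covering all Gloo Mesh groups and resources."""
    return {
        "apiGroups": [api_group(v) for v in GLOO_API_VERSIONS],
        "resources": list(GLOO_RESOURCES),
        "verbs": list(verbs),
    }


# The verb sets used by the three stanzas in step 4 of the guide.
ROLES: Dict[str, List[Dict[str, List[str]]]] = {
    "admin": [gloo_rule(["create", "delete", "deletecollection", "get", "patch", "update", "watch"])],
    "edit": [gloo_rule(["get", "patch", "update", "watch"])],
    "view": [gloo_rule(["get", "watch"])],
}


def _resource_matches(rule_resources: List[str], resource: str) -> bool:
    """Kubernetes resource matching: "*", an exact match, or "*/<subresource>"."""
    subresource = resource.split("/", 1)[1] if "/" in resource else ""
    for pattern in rule_resources:
        if pattern == "*" or pattern == resource:
            return True
        # A rule for "routetables" does not cover "routetables/status"; only an
        # explicit "routetables/status" entry or a "*/status" pattern does.
        if subresource and pattern == "*/" + subresource:
            return True
    return False


def rule_allows(rule: Dict[str, List[str]], verb: str, group: str,
                resource: str, name: str = "") -> bool:
    """Return True when a single PolicyRule permits the request."""
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    group_ok = "*" in rule["apiGroups"] or group in rule["apiGroups"]
    resource_ok = _resource_matches(rule["resources"], resource)
    # resourceNames restricts the rule to named objects; a request without a
    # name (such as listing the whole collection) never matches such a rule.
    names = rule.get("resourceNames", [])
    name_ok = not names or name in names
    return verb_ok and group_ok and resource_ok and name_ok


def can_i(rules: List[Dict[str, List[str]]], verb: str, group: str,
          resource: str, name: str = "") -> bool:
    """Offline equivalent of `kubectl auth can-i VERB RESOURCE.GROUP`: any one rule may allow."""
    return any(rule_allows(r, verb, group, resource, name) for r in rules)


def permission_matrix(verb: str, group: str, resource: str) -> Dict[str, bool]:
    """Show which of the three example roles permits one request."""
    return {role: can_i(rules, verb, group, resource) for role, rules in ROLES.items()}


if __name__ == "__main__":
    for verb in ["get", "patch", "create", "delete"]:
        print(verb, "routetables:", permission_matrix(verb, "networking.gloo.solo.io", "routetables"))
```

Once the role is applied to a real cluster, the authoritative check is the equivalent kubectl call run as the bound user, for example `kubectl auth can-i create routetables.networking.gloo.solo.io --as=<user>`; the script is only a way to reason about the stanza offline and to see that a group written as `networking.gloo.solo.io/v2` or a subresource such as `routetables/status` falls outside it.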