User access
Gloo provides tools to secure network traffic to the workloads in your cluster. To control user access to Gloo resources, use Gloo workspaces together with Kubernetes role-based access control (RBAC).
Kubernetes access control determines how users can access and configure Gloo, Cilium, and Kubernetes resources.
Looking for steps on how to use Kubernetes RBAC with Gloo Platform? See Control user access to your resources.
Native Kubernetes RBAC
To manage how users can access and configure those resources, use native Kubernetes role-based access control (RBAC). You can add the custom Gloo resources to your existing Kubernetes roles or cluster roles. Users with those roles then get the permissions that you grant. For an example, see Example RBAC configuration.
Kubernetes RBAC is not integrated with Gloo custom resources in any special way. For example, the Gloo custom resources are not automatically added to any Kubernetes roles. Also, granting users permission to the workspace resource does not automatically give permission to all of the resources within that workspace.
Example RBAC configuration
Use Kubernetes RBAC to control user access to Gloo resources. One approach might be to modify the default Kubernetes roles for Gloo resources, such as in the following example.
Example RBAC roles by persona
Persona | Roles | Rationale |
---|---|---|
Pam, Platform Admin | The cluster-admin cluster role for all clusters in your setup. | To install Gloo Network and to add users to the clusters. |
Arjay, App Owner | The cluster-admin cluster role for the cluster or admin or edit role for the namespace that has the workspace settings resource. | To update the workspace settings and to help manage any Gloo Network resources that the team wants to access. |
Oliver, Operator | The admin or edit role for each namespace he is responsible for operating. | To create Gloo Network resources such as policies for the namespace. |
Alice, App Developer | The edit role for each namespace where she needs to deploy her app. | To create Kubernetes resources such as a Deployment and Service, or Gloo Network resources such as a policy. |
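One way to add Gloo custom resources to the default Kubernetes roles that the personas above rely on, using ClusterRole aggregation. This is an added example, not configuration from the Gloo documentation. The API groups, resource names, role name, namespace, and user are assumptions, so confirm the groups and resources with `kubectl api-resources` before applying.

```yaml
# Added example. Names marked "assumed" or "hypothetical" are not from the page.
# Confirm the real groups and resources first:
#   kubectl api-resources | grep gloo.solo.io
---
# Aggregated into the built-in "edit" role. The built-in "admin" role
# aggregates "edit", so admin users receive the same rules.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gloo-resources-edit                  # hypothetical name
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
# Policies that operators and app developers create in their namespaces.
- apiGroups: ["security.policy.gloo.solo.io"]   # assumed API group
  resources: ["accesspolicies"]                 # assumed resource
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# Workspace settings, edited only where the user holds admin or edit
# on the namespace that contains them.
- apiGroups: ["admin.gloo.solo.io"]             # assumed API group
  resources: ["workspacesettings"]              # assumed resource
  verbs: ["get", "list", "watch", "update", "patch"]
# The workspace resource itself is deliberately not listed: permission on
# a workspace does not grant permission on the resources inside it, so
# each resource type has to be granted explicitly, as above.
---
# Alice, App Developer: the edit role, scoped to the one namespace where
# she deploys her app. A RoleBinding (not a ClusterRoleBinding) keeps the
# aggregated Gloo permissions inside that namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-edit                           # hypothetical name
  namespace: web-app                         # hypothetical namespace
subjects:
- kind: User
  name: alice@example.com                    # constructed sample user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
```

To check the result, run `kubectl auth can-i create accesspolicies.security.policy.gloo.solo.io --as alice@example.com -n web-app`, then repeat it for a namespace she should not reach and confirm that the answer is `no`.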