Version: 0.9.x

Role

Role is a named collection of permissions that can be assigned to any user or team in the system. The set of actions that a user can perform, such as the ability to create, delete, or update configuration, depends on the permissions associated with the user's role. Roles are global resources that are defined once. RoleBindings in each configuration group bind a user to a specific role defined a priori.

The following example declares a workspace-admin role with the ability to create and delete configurations and to set RBAC policies on the groups within the workspace.

apiVersion: rbac.tsb.tetrate.io/v2
kind: Role
metadata:
  name: role1
spec:
  rules:
  - types:
    - apiGroup: api.tsb.tetrate.io/v2
      kinds:
      - WorkspaceSetting
    permissions:
    - CREATE
    - READ
    - DELETE
    - WRITE
    - SET_POLICY

Role

Role is a named collection of permissions that can be assigned to any user or team in the system.

Field | Description | Validation Rule

rules

List of tetrateio.api.tsb.rbac.v2.Role.Rule
A set of rules that define the permissions associated with each API group. The current version supports only one rule, but this constraint will be relaxed in upcoming releases.

repeated = {
  min_items: 1
  max_items: 1
}

ResourceType

The type of API resource for which the role is being created.

Field | Description | Validation Rule

apiGroup

string
REQUIRED
A specific API group such as traffic.tsb.tetrate.io/v2.

string = {
  min_len: 1
}

kinds

List of string
Specific kinds of APIs under the API group. If omitted, the role will apply to all kinds under the group.

Rule

A rule defines the set of API groups.

Field | Description | Validation Rule

types

List of tetrateio.api.tsb.rbac.v2.Role.ResourceType
REQUIRED
The set of API groups and the API kinds within each group to which this rule applies.

repeated = {
  min_items: 1
}

permissions

List of tetrateio.api.tsb.rbac.v2.Permission
REQUIRED
The set of actions allowed for these APIs. The current version requires the kind, but this constraint will be relaxed in upcoming releases so that rules can apply globally to an entire API group.

repeated = {
  min_items: 1
}
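
The validation rules in the tables above can be checked before a Role is applied. The following is an added example, not part of the TSB documentation or Tetrate's code: it assumes the manifest has already been parsed into a Python dict, and `lint_role`, `PAGE_ROLE` and `BROAD_ROLE` are hypothetical names introduced here. The two warnings (omitted kinds, SET_POLICY) are review aids added for this example, not rules the API enforces.

```python
# Added example (not Tetrate's code): lint a Role manifest, already parsed into a
# dict, against the validation rules on this page, with two review warnings.

def lint_role(role):
    """Return (errors, warnings) for a Role manifest given as a dict."""
    errors, warnings = [], []
    rules = (role.get("spec") or {}).get("rules") or []
    # rules: repeated = {min_items: 1, max_items: 1}
    if len(rules) != 1:
        errors.append(f"spec.rules must contain exactly 1 rule, found {len(rules)}")
    for i, rule in enumerate(rules):
        types = rule.get("types") or []
        perms = rule.get("permissions") or []
        # types and permissions: REQUIRED, repeated = {min_items: 1}
        if not types:
            errors.append(f"rules[{i}].types is required (min_items: 1)")
        if not perms:
            errors.append(f"rules[{i}].permissions is required (min_items: 1)")
        for j, rtype in enumerate(types):
            group = rtype.get("apiGroup")
            # apiGroup: REQUIRED, string = {min_len: 1}
            if not group:
                errors.append(f"rules[{i}].types[{j}].apiGroup is required (min_len: 1)")
            # Per the page, omitted kinds means every kind under the group.
            if not rtype.get("kinds"):
                warnings.append(f"rules[{i}].types[{j}] omits kinds: all kinds under {group!r}")
        # SET_POLICY allows setting RBAC policies, so flag it for review.
        if "SET_POLICY" in perms:
            warnings.append(f"rules[{i}] grants SET_POLICY")
    return errors, warnings

# The page's example role, transcribed as a dict.
PAGE_ROLE = {"metadata": {"name": "role1"}, "spec": {"rules": [{
    "types": [{"apiGroup": "api.tsb.tetrate.io/v2", "kinds": ["WorkspaceSetting"]}],
    "permissions": ["CREATE", "READ", "DELETE", "WRITE", "SET_POLICY"]}]}}

# Constructed sample (hypothetical name): two rules, one with no kinds, one empty.
BROAD_ROLE = {"metadata": {"name": "constructed-broad-role"}, "spec": {"rules": [
    {"types": [{"apiGroup": "traffic.tsb.tetrate.io/v2"}], "permissions": ["READ"]},
    {"types": [], "permissions": []}]}}

if __name__ == "__main__":
    for role in (PAGE_ROLE, BROAD_ROLE):
        errs, warns = lint_role(role)
        print(role["metadata"]["name"], "errors:", errs, "warnings:", warns)
```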