Role-based Access Control (RBAC) objects determine whether a user is allowed to perform a given action within a project.
RBAC lets developers control who has access to their projects. Note that authorization is a separate step from authentication, which is about determining the identity of whoever is taking the action.
Authorization is managed using:

Rules: Sets of permitted verbs on a set of objects. For example, whether something can
Roles: Collections of rules. Users and groups can be associated with, or bound to, multiple
Bindings: Associations between users and/or groups with a
The relationships between cluster roles, local roles, cluster role bindings, local role bindings, users, groups and service accounts are illustrated below.
Several factors are combined to make the decision when {product-title} evaluates authorization:
Identity: In the context of authorization, both the user name and the list of groups the user belongs to.
Action: The action being performed. In most cases, this consists of:
Bindings: The full list of bindings.
{product-title} evaluates authorizations using the following steps:
- The identity and the project-scoped action are used to find all bindings that apply to the user or their groups.
- Bindings are used to locate all the roles that apply.
- Roles are used to find all the rules that apply.
- The action is checked against each rule to find a match.
- If no matching rule is found, the action is denied by default.
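The five evaluation steps above, as an added Python model that is not {product-title} code: the roles, bindings, users, groups and project names are constructed for the example, and a binding with no project stands in for a cluster role binding that applies in every project.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    verbs: FrozenSet[str]      # permitted verbs, e.g. get, list, create
    resources: FrozenSet[str]  # object kinds the verbs apply to, e.g. pods

@dataclass(frozen=True)
class Role:
    name: str
    rules: Tuple[Rule, ...]    # a role is a collection of rules

@dataclass(frozen=True)
class Binding:
    role: str                  # name of the role being bound
    subjects: FrozenSet[str]   # user names and "group:<name>" entries
    project: Optional[str]     # None = cluster-wide, else a local binding

# Constructed sample data (hypothetical role, user and project names).
ROLES = {
    "pod-viewer": Role("pod-viewer", (Rule(frozenset({"get", "list", "watch"}),
                                           frozenset({"pods"})),)),
    "editor": Role("editor", (Rule(frozenset({"get", "list", "create", "update", "delete"}),
                                   frozenset({"pods", "services"})),)),
}
BINDINGS = [
    Binding("pod-viewer", frozenset({"group:dev-team"}), "demo"),  # local, via group
    Binding("editor", frozenset({"alice"}), "demo"),               # local, via user
    Binding("pod-viewer", frozenset({"auditor"}), None),           # cluster-wide
]

def is_allowed(user, groups, project, verb, resource, roles=ROLES, bindings=BINDINGS):
    """Return True only if some rule reachable from the identity permits the action."""
    # Step 1: identity (user + groups) and project-scoped action -> applicable bindings.
    identity = {user} | {f"group:{g}" for g in groups}
    applicable = [b for b in bindings
                  if b.subjects & identity and b.project in (None, project)]
    # Step 2: bindings -> roles (a binding naming an unknown role grants nothing).
    role_objs = [roles[b.role] for b in applicable if b.role in roles]
    # Step 3: roles -> rules.
    rules = [r for role in role_objs for r in role.rules]
    # Step 4: check the action against each rule for a match.
    for rule in rules:
        if verb in rule.verbs and resource in rule.resources:
            return True
    # Step 5: no matching rule -> denied by default.
    return False
```

Group membership grants access only inside the project the local binding names, while the cluster-wide binding applies everywhere; any action not covered by a reachable rule falls through to the default deny.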