Before you begin
Please follow the GKE RBAC guide before continuing with the following steps.
Configure Identity and Access Management (IAM)
In addition to permissions granted through Kf RBAC, users, groups, or service accounts must also be authenticated to view GKE clusters at the project level. This requirement is the same as for configuring GKE RBAC, meaning users/groups must have at least the container.clusters.get IAM permission in the project containing the cluster. This permission is included in the container.clusterViewer role and in other, more privileged roles. For more information, review Interaction with Identity and Access Management.
Assign container.clusterViewer to a user or group. Note that gcloud expects the predefined role with its roles/ prefix.

gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
  --role="roles/container.clusterViewer" \
  --member="${MEMBER}"
Example member values are:
- user:test-user@gmail.com
- group:admins@example.com
- serviceAccount:test123@example.domain.com
Manage Space membership as SpaceManager
The cluster admin role, or members with the SpaceManager role, can assign a role to a user, group, or service account. The ROLE argument is one of SpaceManager, SpaceDeveloper, or SpaceAuditor; -t defaults to User when omitted, as the examples below show.

kf set-space-role MEMBER ROLE -t [Group | ServiceAccount | User]
The cluster admin role, or members with the SpaceManager role, can remove a member from a role.

kf unset-space-role MEMBER ROLE -t [Group | ServiceAccount | User]
You can view members and their roles within a Space.

kf space-users
Examples
Assign the SpaceDeveloper role to a user.

kf set-space-role alice@example.com SpaceDeveloper

Assign the SpaceDeveloper role to a group.

kf set-space-role devs@example.com SpaceDeveloper -t Group

Assign the SpaceDeveloper role to a service account.

kf set-space-role sa-dev@example.domain.com SpaceDeveloper -t ServiceAccount
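The two halves above (the project-level IAM binding and the Space-level Kf role) have to be applied together, and the member string formats differ between them: gcloud takes a prefixed IAM member, kf takes the bare address plus a -t kind. The script below is an added example, not part of the Kf documentation or the kf tool; it derives the -t kind from the IAM prefix, rejects unknown prefixes and role names, and runs both commands for one principal. It assumes gcloud and kf are on PATH and that kf target has already selected the Space; the project and member values in the usage line are constructed, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the Kf docs): onboard one principal end to end.
# Assumes gcloud and kf are on PATH and that `kf target` already selected
# the Space. DRY_RUN=1 prints the commands instead of executing them.
set -e

GCLOUD=${GCLOUD:-gcloud}
KF=${KF:-kf}

# Run a command, or just print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Map an IAM member string (user:, group:, serviceAccount:) to the
# principal kind that `kf set-space-role -t` expects.
member_kind() {
  case "$1" in
    user:*)           echo User ;;
    group:*)          echo Group ;;
    serviceAccount:*) echo ServiceAccount ;;
    *) echo "unsupported member '$1' (expected user:, group: or serviceAccount:)" >&2
       return 1 ;;
  esac
}

# Strip the IAM prefix: kf takes the bare address.
member_address() {
  printf '%s\n' "${1#*:}"
}

# Only the three Kf Space roles are valid.
validate_space_role() {
  case "$1" in
    SpaceManager|SpaceDeveloper|SpaceAuditor) return 0 ;;
    *) echo "unknown Space role '$1'" >&2; return 1 ;;
  esac
}

# Project-level IAM: the least-privileged predefined role that carries
# container.clusters.get.
grant_cluster_view() {
  project=$1; member=$2
  run "$GCLOUD" projects add-iam-policy-binding "$project" \
    --role="roles/container.clusterViewer" --member="$member"
}

# Space-level Kf RBAC for the same principal.
grant_space_role() {
  member=$1; role=$2
  kind=$(member_kind "$member")
  validate_space_role "$role"
  run "$KF" set-space-role "$(member_address "$member")" "$role" -t "$kind"
}

# Both halves: without the IAM binding the Space role cannot be used.
onboard() {
  project=$1; member=$2; role=$3
  grant_cluster_view "$project" "$member"
  grant_space_role "$member" "$role"
}

# Usage: ./onboard.sh CLUSTER_PROJECT_ID MEMBER ROLE  (values below are constructed)
# e.g.   DRY_RUN=1 ./onboard.sh my-project group:devs@example.com SpaceDeveloper
if [ "$#" -eq 3 ]; then
  onboard "$1" "$2" "$3"
fi
```

Run it once with DRY_RUN=1 to review the exact gcloud and kf invocations before they change policy; the role check keeps a typo such as SpaceDevelopper from silently falling through to the CLI.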
App development as SpaceDeveloper
Members with the SpaceDeveloper role can perform Kf App development operations within the Space.

To push an App:

kf push app_name -p [PATH_TO_APP_ROOT_DIRECTORY]

To view logs of an App:

kf logs app_name

SSH into a Kubernetes Pod running the App:

kf ssh app_name

View available service brokers:

kf marketplace
View Apps as SpaceManager or SpaceAuditor
Members with the SpaceManager or SpaceAuditor role can view available Apps within the Space:

kf apps
View Kf Spaces within a cluster
All roles (SpaceManager, SpaceDeveloper, and SpaceAuditor) can view available Kf Spaces within a cluster:

kf spaces
View Space members and their roles within a Space.

kf space-users
Impersonation flags
To verify a member's permissions, a member with more privileged permissions can test another member's permissions using the impersonation flags --as and --as-group.

For example, as a cluster admin, you can verify whether a user (username: bob) has permission to push an App.

kf push APP_NAME --as bob

Verify that a group (manager-group@example.com) has permission to assign roles to other members.

kf set-space-role bob SpaceDeveloper --as-group manager-group@example.com
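A single impersonated command tells you about one principal and one action. What a cluster admin usually wants is to confirm that the whole role assignment still matches intent: developers can push, auditors cannot, managers can grant roles. The script below is an added example, not part of the Kf documentation or the kf tool; it wraps the --as / --as-group checks above in a small access matrix and reports any principal whose observed outcome differs from the expected one. It assumes kf is on PATH and kf target has already selected the Space; the principals, app name, and expectations in the matrix are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Kf docs): check a Space access matrix
# with the --as / --as-group impersonation flags. Assumes kf is on PATH
# and `kf target` already selected the Space. All principals below are
# constructed for illustration.
set -e

KF=${KF:-kf}

# Run one kf command while impersonating a principal and report whether
# the outcome matched what the policy intends. Returns 0 on a match.
#   $1 expectation: allow | deny
#   $2 kind:        user | group
#   $3 principal:   the user name or group address
#   $4...:          the kf command and its arguments
check_access() {
  expect=$1; kind=$2; who=$3; shift 3
  case "$kind" in
    user)  flag=--as ;;
    group) flag=--as-group ;;
    *) echo "kind must be user or group, got '$kind'" >&2; return 2 ;;
  esac
  if "$KF" "$@" "$flag" "$who" >/dev/null 2>&1; then
    observed=allow
  else
    observed=deny
  fi
  if [ "$observed" = "$expect" ]; then
    printf 'ok    %-5s %-6s %-28s kf %s\n' "$expect" "$kind" "$who" "$*"
    return 0
  fi
  printf 'FAIL  expected %s, got %s: %-6s %-28s kf %s\n' \
    "$expect" "$observed" "$kind" "$who" "$*" >&2
  return 1
}

# The matrix: developers may push, auditors only read, managers may grant
# roles. Any mismatch means an assignment has drifted from intent.
run_space_access_checks() {
  failures=0
  check_access allow user  alice@example.com         push demo-app -p ./demo-app        || failures=$((failures + 1))
  check_access allow group devs@example.com          apps                               || failures=$((failures + 1))
  check_access deny  user  auditor@example.com       push demo-app -p ./demo-app        || failures=$((failures + 1))
  check_access allow group manager-group@example.com set-space-role bob SpaceDeveloper  || failures=$((failures + 1))
  check_access deny  user  auditor@example.com       set-space-role bob SpaceDeveloper  || failures=$((failures + 1))
  if [ "$failures" -ne 0 ]; then
    echo "$failures check(s) did not match policy" >&2
    return 1
  fi
  return 0
}

# Usage: RUN_CHECKS=1 ./space-access-check.sh
if [ -n "${RUN_CHECKS:-}" ]; then
  run_space_access_checks
fi
```

An allowed check really performs the action, exactly as the page's kf push --as bob does, so use a disposable app name for push checks and prefer read-only commands such as kf apps where the question is only whether a role can see the Space; the set-space-role rows likewise grant a real role when allowed, so point them at a test member.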