Configure permissions#
Lens paid subscription feature
This page contains instructions for creating a team and configuring permissions within a namespace of a team cluster.
There are default roles that define permissions to a team space and clusters within. For custom permission configurations, consider creating the following RBAC API objects:
- Role: API object that sets permissions within a particular namespace.
- RoleBinding: API object that grants the permissions defined in a role to a user or a set of users. A RoleBinding can contain users, groups (teams), and service accounts.

Using Role and RoleBinding allows you to grant permissions for a team or particular users.
For details about RBAC customization, see Roles and permissions in Lens Teamwork.
Prerequisites#
Before configuring permissions for a namespace, check the following list of prerequisites:
- Make sure that you are a Lens Pro or Lens Enterprise subscription user. See Lens Pricing for details.
- For Lens Enterprise subscription users: check that the Lens Teamwork feature is enabled by your LBID administrator.
- Make sure that you have at least the Admin role on your team cluster, or that you have a set of permissions allowing you to create Kubernetes cluster objects within the namespace.
Create a team#
To create a team within the team space:
- In the space settings menu, navigate to Teams.
- Click Create New Team, type the team name in the following input field, and press Enter.
You can find your new team in the list of teams.
Click Options to manage team members, or remove the space.
Create Role#
- From the team space cluster, navigate to Access Control > Role Bindings and click Create new RoleBinding in the bottom-left corner.
- In the dialog menu, fill the required fields and click Done.
- In the details panel, click Edit to open the template editor.
- In the template editor, specify the namespace and a set of permissions for the namespace.
- In the team space, navigate to the team space cluster.
- In the Bottom Bar, click New tab > Create resource.
- In the following Select Template list, select Role.
- In the template editor, specify the namespace and a set of permissions for the namespace.
The following template example shows a configuration that sets permissions for pods within the default namespace.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: <role-name>
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
```
In the verbs field, specify the API request verbs. These verbs define actions that users can perform with cluster resources.
HTTP verb | Request verb | Comment |
---|---|---|
POST | create | Enables creating a resource |
GET, HEAD | | Return full details of a resource, they are equivalent in terms of access to the returned data |
PUT | update | Updates a resource by replacing it |
PATCH | patch | Applies partial modifications to a resource |
DELETE | | Remove a resource |
Create RoleBinding#
- In the team space, navigate to the team space cluster.
- Navigate to Access Control > Role Bindings and click Create new RoleBinding in the bottom-left corner.
- In the Add RoleBinding dialog, fill the required fields:

Field | Comment |
---|---|
Namespace | Specify the namespace. Type or select from the drop-down list. |
Role Reference | Associate the RoleBinding with the role. Make sure that the role exists in the specified namespace. |
Binding Name | Type the name of the RoleBinding. |
Users | Associate one or several users with this RoleBinding. For each user, type a username and press Enter. |
Groups | Associate one or several groups of users (teams) with this RoleBinding. When typing the team name, keep the mandatory syntax: lens-spaces:<name-of-the-team>. To specify the next team, press Enter. |
Service Accounts | Associate one or several service accounts with this RoleBinding. Select from the drop-down list. |

You can create a RoleBinding through the built-in template:
- In the team space, navigate to the team space cluster.
- In the Bottom Bar, click New tab > Create resource.
- In Select Template, select RoleBinding.
Refer to the following RoleBinding configuration example:

The following template example shows a configuration that grants permissions defined in a role to a set of subjects (a user, a user group, and a service account). The RoleBinding grants permissions within the default namespace, as does the corresponding Role.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: <RoleBinding-name>
  namespace: default
subjects:
# Specify one or several subjects (users, groups, or service accounts) in this field
- kind: User
  name: <username> # This field is case-sensitive
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: lens-spaces:<team-space-name> # This field is case-sensitive, the prefix `lens-spaces` is obligatory for specifying the team space
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: <service-account-name> # This field is case-sensitive
  namespace: default # Namespace of the service account; required for ServiceAccount subjects
  # No apiGroup here: ServiceAccount belongs to the core API group, and the API server rejects rbac.authorization.k8s.io for it
roleRef:
  # Associate the RoleBinding with a Role or a ClusterRole in this field
  kind: Role # This field can have only two values: `Role` or `ClusterRole`
  name: <role-name> # Specify the name of the Role or the ClusterRole you need
  apiGroup: rbac.authorization.k8s.io
```
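
The rules stated on this page (the Role must exist in the binding's namespace, team groups carry the `lens-spaces:` prefix, `roleRef.kind` is `Role` or `ClusterRole`) can be checked before a binding is applied. The following is an added example, not code from Lens: `lint_binding` is a hypothetical helper, the manifests are constructed samples with made-up names (`pod-editor`, `dev-team`, `ci`), and it assumes the manifests are already parsed from YAML or JSON into dicts.

```python
RBAC_GROUP = "rbac.authorization.k8s.io"
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
def lint_binding(binding, roles):
    """Return findings for one RoleBinding; both arguments are parsed manifests (dicts)."""
    findings = []
    ns = binding["metadata"].get("namespace")
    ref = binding["roleRef"]
    role = None
    if ref["kind"] not in ("Role", "ClusterRole"):
        findings.append(f"roleRef.kind {ref['kind']!r} must be Role or ClusterRole")
    elif ref["kind"] == "Role":
        # A Role is namespaced: it must live in the binding's own namespace.
        role = next((r for r in roles if r["metadata"]["name"] == ref["name"]
                     and r["metadata"].get("namespace") == ns), None)
        if role is None:
            findings.append(f"Role {ref['name']!r} not found in namespace {ns!r}")
    for s in binding.get("subjects", []):
        kind, name = s["kind"], s["name"]
        if kind == "ServiceAccount":
            # Service accounts are core-group, namespaced objects.
            if s.get("apiGroup", ""):
                findings.append(f"ServiceAccount {name!r}: apiGroup must be empty")
            if not s.get("namespace"):
                findings.append(f"ServiceAccount {name!r}: namespace is required")
        elif s.get("apiGroup", RBAC_GROUP) != RBAC_GROUP:
            findings.append(f"{kind} {name!r}: apiGroup must be {RBAC_GROUP}")
        if kind == "Group" and not name.startswith("lens-spaces:"):
            findings.append(f"Group {name!r}: missing the lens-spaces: prefix used for teams")
    if role is not None:
        # Surface write access so a reviewer confirms it is intended (least privilege).
        verbs = {v for rule in role.get("rules", []) for v in rule.get("verbs", [])}
        if verbs & WRITE_VERBS:
            findings.append(f"grants write verbs {sorted(verbs & WRITE_VERBS)} in {ns!r}")
    return findings

# Constructed sample manifests (hypothetical names), as dicts parsed from YAML or JSON.
POD_EDITOR = {"kind": "Role", "metadata": {"name": "pod-editor", "namespace": "default"},
              "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "patch"]}]}
BAD_BINDING = {"kind": "RoleBinding",
               "metadata": {"name": "dev-pods", "namespace": "staging"},
               "subjects": [{"kind": "Group", "name": "dev-team", "apiGroup": RBAC_GROUP},
                            {"kind": "ServiceAccount", "name": "ci", "apiGroup": RBAC_GROUP}],
               "roleRef": {"kind": "Role", "name": "pod-editor", "apiGroup": RBAC_GROUP}}
GOOD_BINDING = {"kind": "RoleBinding",
                "metadata": {"name": "dev-pods", "namespace": "default"},
                "subjects": [{"kind": "Group", "name": "lens-spaces:dev-team", "apiGroup": RBAC_GROUP}],
                "roleRef": {"kind": "Role", "name": "pod-editor", "apiGroup": RBAC_GROUP}}

for _b in (BAD_BINDING, GOOD_BINDING):
    print(_b["metadata"]["namespace"], lint_binding(_b, [POD_EDITOR]))
```

The well-formed binding still produces one finding, because the referenced Role includes `patch`; treat that line as a prompt to confirm the team really needs write access to pods.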