
Roles and permissions in Lens Teamwork

Lens Teamwork supports role-based access control (RBAC) for spaces and connected clusters. Users can get their permissions in the following ways:

  • Default space roles
  • Team permissions
  • Personal permissions

Default roles

The default space roles define permissions for a space itself and for the clusters connected to the space. The default roles are:

  • Owner

    Creates a space and has full control of it. Has read and write access to all connected clusters in a space.

  • Admin

    Creates and administers teams within a space. Has read and write access to all connected clusters in a space.

  • Member

    Observes a space and has read access to all connected clusters in a space. Each new space member is assigned the Member role by default.

Custom RBAC configuration

Users with read and write access to a space cluster can customize cluster permissions by creating sets of Kubernetes RBAC API objects. For example, you can set permissions for a team to perform particular actions on particular cluster objects.

A team is a group of space users that have certain permissions to a space cluster. A user can participate in multiple teams within a space.

You can set permissions either within a particular namespace or cluster-wide. To configure RBAC for a team, specify the permissions in a Role/ClusterRole and then grant these permissions to the team in a corresponding RoleBinding/ClusterRoleBinding. Schematically, the process of granting permissions looks as follows:

graph LR
   A[Start] --> B((Cluster wise))
   B --> C[ClusterRole]
   C --> D[ClusterRoleBinding]
   D --> H[Finish]
   A --> E((Namespace wise))
   E --> F[Role]
   F --> G[RoleBinding]
   G --> H

Find brief descriptions of the RBAC API objects in the table below:

| API object | Comment |
|---|---|
| Role | Sets permissions within a particular namespace. |
| ClusterRole | Sets permissions cluster-wide. |
| RoleBinding | Grants permissions to users and user groups within a specific namespace. |
| ClusterRoleBinding | Grants cluster-wide permissions to users and user groups. |
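
The namespace-wise path from the diagram, as an added example that is not part of the Lens documentation: a read-only Role and the RoleBinding that grants it to a team. The namespace `staging`, the object names and the group name `dev-team` are placeholders; how a Lens Teamwork team appears as a Kubernetes subject is not stated on this page and is assumed here to be a group.

```yaml
# Added example. All names below are placeholders, not Lens Teamwork values.
# Step 1 (Role): define the permissions, limited to one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: team-pod-reader
  namespace: staging
rules:
  - apiGroups: [""]                    # "" is the core API group
    resources: ["pods", "pods/log"]    # only the objects the team needs
    verbs: ["get", "list", "watch"]    # read-only: no create/update/delete
---
# Step 2 (RoleBinding): grant those permissions to the team.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-pod-reader-binding
  namespace: staging                   # the grant applies in this namespace only
subjects:
  - kind: Group
    name: dev-team                     # assumed subject name for the team
    apiGroup: rbac.authorization.k8s.io
roleRef:                               # cannot be changed after creation
  kind: Role
  name: team-pod-reader
  apiGroup: rbac.authorization.k8s.io
# Cluster-wise path: use kind ClusterRole and ClusterRoleBinding and drop
# metadata.namespace; the same rules then apply in every namespace.
```

To check the result, `kubectl auth can-i list pods --namespace staging --as=example-user --as-group=dev-team` should answer `yes`, and the same query with `delete` or against another namespace should answer `no` (`example-user` is a placeholder).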

Note

For more information about Kubernetes RBAC, see Using RBAC Authorization.

See an example of permission configuration in Configure permissions for a namespace.