
Role-Based Access Control (RBAC)

Configure RBAC for kMetal platform and tenant cluster access control.

Platform RBAC

Admin Roles

Platform Administrator

# platform-admin-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kmetal-platform-admin
rules:

- apiGroups: ["kamaji.clastix.io"]
  resources: ["tenantcontrolplanes", "datastores"]
  verbs: ["*"]

- apiGroups: ["cluster.x-k8s.io"]
  resources: ["clusters", "machines", "machinedeployments"]
  verbs: ["*"]

- apiGroups: ["infrastructure.cluster.x-k8s.io"]
  resources: ["*"]
  verbs: ["*"]

- apiGroups: [""]
  resources: ["secrets", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kmetal-platform-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kmetal-platform-admin
subjects:

- kind: Group
  name: platform-admins
  apiGroup: rbac.authorization.k8s.io

Platform Viewer

# platform-viewer-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kmetal-platform-viewer
rules:

- apiGroups: ["kamaji.clastix.io"]
  resources: ["tenantcontrolplanes", "datastores"]
  verbs: ["get", "list", "watch"]

- apiGroups: ["cluster.x-k8s.io"]
  resources: ["clusters", "machines", "machinedeployments"]
  verbs: ["get", "list", "watch"]

- apiGroups: [""]
  resources: ["pods", "services", "events"]
  verbs: ["get", "list", "watch"]

Tenant Operator Roles

Cluster Creator

# tenant-cluster-creator.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kmetal-cluster-creator
rules:

- apiGroups: ["kamaji.clastix.io"]
  resources: ["tenantcontrolplanes"]
  verbs: ["create", "get", "list", "watch", "update", "patch"]

- apiGroups: ["cluster.x-k8s.io"]
  resources: ["clusters", "machinedeployments"]
  verbs: ["create", "get", "list", "watch", "update", "patch"]

- apiGroups: ["infrastructure.cluster.x-k8s.io"]
  resources: ["*"]
  verbs: ["create", "get", "list", "watch", "update", "patch"]

- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "get", "list"]
  # resourceNames are matched literally (RBAC has no glob matching), so list the
  # concrete secret names; "<cluster-name>-kubeconfig" is a placeholder. "create"
  # can never be restricted by name, and "list" only when the request carries a
  # metadata.name field selector, so in practice this rule grants "get".
  resourceNames: ["<cluster-name>-kubeconfig"]

Cluster Manager

# tenant-cluster-manager.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kmetal-cluster-manager
  namespace: tenant-namespace
rules:

- apiGroups: ["kamaji.clastix.io"]
  resources: ["tenantcontrolplanes"]
  verbs: ["get", "list", "watch", "update", "patch", "delete"]

- apiGroups: ["cluster.x-k8s.io"]
  resources: ["clusters", "machines", "machinedeployments"]
  verbs: ["get", "list", "watch", "update", "patch", "delete"]
# "scale" is not an RBAC verb; scaling is authorised on the /scale subresource,
# which MachineDeployment exposes.
- apiGroups: ["cluster.x-k8s.io"]
  resources: ["machinedeployments/scale"]
  verbs: ["get", "update", "patch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]
  # literal secret names only (no globs); replace the placeholder
  resourceNames: ["<cluster-name>-kubeconfig"]

Tenant Cluster RBAC

Namespace Admin

# tenant-namespace-admin.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin
  namespace: application-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:

- kind: User
  name: dev-team@company.com
  apiGroup: rbac.authorization.k8s.io

Application Developer

# app-developer-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-developer
  namespace: application-namespace
rules:

- apiGroups: ["apps"]
  resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "secrets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

- apiGroups: [""]
  resources: ["pods/log", "pods/status"]
  verbs: ["get", "list"]

- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

OIDC Integration

Configure OIDC Provider

t.b.d.

OIDC on the tenant api-server is set via apiServer extra-args on the underlying Kamaji control plane. The kubevirt-kubeadm ClusterClass on the under cluster does not currently expose these flags as topology variables; configuring OIDC therefore requires either:

  • the platform admin to extend the ClusterClass with an OIDC variable that pipes into apiServer.extraArgs, or
  • direct patching of the auto-created KamajiControlPlane (will be reverted by CACPK if the topology re-applies).

A worked example with the canonical extension point is t.b.d. in this section.

Create OIDC Group Bindings

# oidc-group-bindings.yaml
# The group names assume the tenant api-server runs with --oidc-groups-prefix=oidc:,
# which keeps identity-provider groups from colliding with built-in system: groups.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:

- kind: Group
  name: oidc:admins
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-developers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:

- kind: Group
  name: oidc:developers
  apiGroup: rbac.authorization.k8s.io

Service Account Management

Platform Service Accounts

# platform-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kmetal-automation
  namespace: kmetal-flux
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kmetal-automation-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kmetal-platform-admin
subjects:

- kind: ServiceAccount
  name: kmetal-automation
  namespace: kmetal-flux
---
# Long-lived token for the automation account. Since Kubernetes 1.24 such a
# Secret is only created when declared explicitly like this; where the consumer
# can use them, short-lived tokens from the TokenRequest API
# (kubectl create token kmetal-automation -n kmetal-flux) avoid a standing
# platform-admin credential.
apiVersion: v1
kind: Secret
metadata:
  name: kmetal-automation-token
  namespace: kmetal-flux
  annotations:
    kubernetes.io/service-account.name: kmetal-automation
type: kubernetes.io/service-account-token

Tenant Service Accounts

# tenant-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-cd-deployer
  namespace: application-namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-cd-deployer-binding
  namespace: application-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: app-developer
subjects:

- kind: ServiceAccount
  name: ci-cd-deployer
  namespace: application-namespace

Audit Logging

Enable Audit Logging

# audit-policy.yaml
# Rules are evaluated in order; the first match decides the level.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
# Tenant control plane operations: who did what, without request bodies.
- level: Metadata
  resources:
  - group: "kamaji.clastix.io"
    resources: ["tenantcontrolplanes"]
# Cluster API writes: full request and response bodies.
- level: RequestResponse
  verbs: ["create", "update", "patch", "delete"]
  resources:
  - group: "cluster.x-k8s.io"
# Everything else (secrets included): metadata only, and skip the
# RequestReceived stage so each request yields a single event.
- level: Metadata
  omitStages:
  - RequestReceived

Configure Audit Webhook

t.b.d.

Audit policy and webhook flags on the tenant api-server are set via apiServer extra-args plus mounted volumes for the policy / webhook config files. The current kubevirt-kubeadm ClusterClass does not expose these as topology variables; the audit webhook setup is t.b.d. until the ClusterClass is extended with audit variables (or until a direct-patch escape hatch is documented).
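The policy above records tenant control plane operations and secret access at Metadata level, which is enough to alert on the events a platform team cares about most. The following is an added example, not part of kMetal, showing detection logic over audit events in the audit.k8s.io/v1 Event format (one JSON object per line, as the log backend writes them). The sample events, the kubeconfig-reader allow-list, the trusted group name and the 403 threshold are all constructed for the example.

```python
"""Detection over kube-apiserver audit events (added example, not kMetal code).

Events are expected in the audit.k8s.io/v1 Event format as one JSON object per
line. The sample events and the allow-lists below are constructed.
"""
import json

# Constructed allow-lists: who may legitimately read tenant kubeconfig secrets.
KUBECONFIG_READERS = {"system:serviceaccount:kmetal-flux:kmetal-automation"}
TRUSTED_GROUPS = {"platform-admins"}
FORBIDDEN_THRESHOLD = 3  # denied requests from one principal before alerting


def _event(verb, user, groups, resource, name, code, group="", ns="tenant-a"):
    """Build a minimal audit.k8s.io/v1 Event dict (constructed sample data)."""
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
            "stage": "ResponseComplete", "verb": verb,
            "user": {"username": user, "groups": groups},
            "objectRef": {"apiGroup": group, "resource": resource,
                          "namespace": ns, "name": name},
            "responseStatus": {"code": code}}


SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("delete", "mallory@company.com", ["oidc:developers"],
           "tenantcontrolplanes", "tenant-a", 200, group="kamaji.clastix.io"),
    _event("get", "dev@company.com", ["oidc:developers"],
           "secrets", "tenant-a-kubeconfig", 200),
    _event("get", "system:serviceaccount:kmetal-flux:kmetal-automation",
           ["system:serviceaccounts"], "secrets", "tenant-a-kubeconfig", 200),
    _event("list", "mallory@company.com", ["oidc:developers"], "secrets", "", 403, ns="tenant-b"),
    _event("list", "mallory@company.com", ["oidc:developers"], "secrets", "", 403, ns="tenant-c"),
    _event("list", "mallory@company.com", ["oidc:developers"], "secrets", "", 403, ns="kmetal-flux"),
    _event("create", "admin@company.com", ["platform-admins"],
           "clusters", "tenant-d", 201, group="cluster.x-k8s.io", ns="tenant-d"),
])


def detect(audit_jsonl):
    """Return (rule, principal, detail) alerts for a JSON-lines audit log."""
    alerts = []
    denied = {}
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue  # RequestReceived events carry no response status
        who = ev.get("user", {}).get("username", "<unknown>")
        groups = set(ev.get("user", {}).get("groups", []))
        ref = ev.get("objectRef", {})
        code = ev.get("responseStatus", {}).get("code", 0)
        verb = ev.get("verb")

        # 1. A principal collecting 403s is probing what it may touch.
        if code == 403:
            denied[who] = denied.get(who, 0) + 1
            if denied[who] == FORBIDDEN_THRESHOLD:
                alerts.append(("forbidden-burst", who, f"{denied[who]} denied requests"))
            continue

        # 2. Deleting a tenant control plane takes a whole tenant cluster down.
        if (ref.get("apiGroup") == "kamaji.clastix.io"
                and ref.get("resource") == "tenantcontrolplanes" and verb == "delete"):
            alerts.append(("tcp-delete", who, f"{ref.get('namespace')}/{ref.get('name')}"))

        # 3. Reading a *-kubeconfig secret yields credentials for that tenant
        #    cluster; only allow-listed automation and trusted groups should.
        if (ref.get("resource") == "secrets" and verb in ("get", "list")
                and str(ref.get("name", "")).endswith("-kubeconfig")
                and who not in KUBECONFIG_READERS and not (groups & TRUSTED_GROUPS)):
            alerts.append(("kubeconfig-read", who, f"{ref.get('namespace')}/{ref.get('name')}"))
    return alerts


if __name__ == "__main__":
    for rule, who, detail in detect(SAMPLE_AUDIT_LOG):
        print(f"{rule:16} {who:55} {detail}")
```

Because the catch-all rule logs secrets at Metadata level, the detector sees who read which secret without the token material ever reaching the audit trail; the same three checks translate directly into a webhook receiver once the ClusterClass exposes the audit flags.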

Monitoring RBAC

Check User Permissions

# Check current user permissions
kubectl auth can-i create tenantcontrolplanes

# Check specific user permissions. Impersonation does not look up the user's
# OIDC groups, so pass them with --as-group or the answer understates what the
# user can do (running this also requires "impersonate" rights).
kubectl auth can-i list pods --as=user@company.com --as-group=oidc:developers

# Check service account permissions. The impersonated name has the form
# system:serviceaccount:<namespace>:<name>; ci-cd-deployer lives in
# application-namespace, not default.
kubectl auth can-i delete deployments \
  --as=system:serviceaccount:application-namespace:ci-cd-deployer \
  -n application-namespace

Audit RBAC Configuration

# List all ClusterRoles
kubectl get clusterroles | grep kmetal

# List all ClusterRoleBindings
kubectl get clusterrolebindings | grep kmetal

# Check who can perform actions
kubectl auth can-i --list --as=user@company.com

# Review Role bindings in namespace
kubectl get rolebindings -n tenant-namespace -o wide
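The kubectl commands above query a live cluster. A complementary check is a static review of the Role and ClusterRole manifests before they are applied, catching the mistakes that the authorizer accepts silently: verbs that are not RBAC verbs, glob patterns in resourceNames (which are matched literally), name restrictions on verbs that cannot be name-restricted, wildcard verbs on sensitive resources, and bindings to cluster-admin. The following is an added example, not kMetal code; it takes manifests as dicts in the shape yaml.safe_load_all() returns, and the sample manifests, their names and the severity labels are constructed.

```python
"""Static least-privilege review of RBAC manifests (added example, not kMetal code).

Manifests are passed as Python dicts in the shape yaml.safe_load_all() returns
for Role/ClusterRole/Binding files; the sample manifests below are constructed
to show each class of mistake, so the example runs offline.
"""

# Verbs the RBAC authorizer evaluates. Anything else (for example "scale") is
# silently never matched; scaling is granted on the "<resource>/scale" subresource.
KNOWN_VERBS = {"get", "list", "watch", "create", "update", "patch", "delete",
               "deletecollection", "impersonate", "bind", "escalate", "*"}
# Verbs that cannot be narrowed by resourceNames: the object name is not known
# at authorization time, so a name-restricted rule grants nothing for them.
UNNAMEABLE = {"create", "deletecollection"}
SENSITIVE = {("", "secrets"), ("rbac.authorization.k8s.io", "clusterroles"),
             ("rbac.authorization.k8s.io", "clusterrolebindings")}


def review_rule(role, rule):
    """Return (severity, message) findings for one PolicyRule."""
    out = []
    verbs = set(rule.get("verbs", []))
    names = rule.get("resourceNames", [])
    pairs = {(g, r) for g in rule.get("apiGroups", []) for r in rule.get("resources", [])}

    for v in sorted(verbs - KNOWN_VERBS):
        out.append(("error", f"{role}: '{v}' is not an RBAC verb and will never match"))
    if any(ch in n for n in names for ch in "*?"):
        out.append(("error", f"{role}: resourceNames match literally; {names} names no real object"))
    for v in sorted(verbs & UNNAMEABLE):
        if names:
            out.append(("warn", f"{role}: '{v}' cannot be restricted by resourceNames"))
    if "*" in verbs and any(r == "*" or (g, r) in SENSITIVE for g, r in pairs):
        out.append(("warn", f"{role}: wildcard verbs on sensitive resources {sorted(pairs)}"))
    return out


def review_binding(binding):
    """Flag bindings that hand cluster-admin to any subject."""
    ref = binding.get("roleRef", {})
    if ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin":
        subjects = ", ".join(f"{s['kind']}/{s['name']}" for s in binding.get("subjects", []))
        return [("warn", f"{binding['metadata']['name']}: cluster-admin bound to {subjects}")]
    return []


def review(manifests):
    """Run every check over a list of parsed manifests."""
    findings = []
    for m in manifests:
        if m.get("kind") in ("Role", "ClusterRole"):
            for rule in m.get("rules", []):
                findings.extend(review_rule(m["metadata"]["name"], rule))
        elif m.get("kind") in ("RoleBinding", "ClusterRoleBinding"):
            findings.extend(review_binding(m))
    return findings


# Constructed sample manifests, one per mistake class.
SAMPLE_MANIFESTS = [
    {"kind": "ClusterRole", "metadata": {"name": "creator-with-glob"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "verbs": ["create", "get", "list"], "resourceNames": ["*-kubeconfig"]}]},
    {"kind": "Role", "metadata": {"name": "manager-with-bad-verb"},
     "rules": [{"apiGroups": ["cluster.x-k8s.io"], "resources": ["machinedeployments"],
                "verbs": ["get", "update", "scale"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "oidc-cluster-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "oidc:admins"}]},
]

if __name__ == "__main__":
    for severity, message in review(SAMPLE_MANIFESTS):
        print(f"[{severity}] {message}")
```

Run it over the output of `yaml.safe_load_all()` on the manifest files in a pre-merge check; the "error" findings are rules that do not do what their author intended and should block the change, while the "warn" findings are policy decisions to confirm.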