
Users

Users are defined via the User Custom Resource Definition. Users can be used to define the permissions for authenticated users and to customize the profile page.

Profile

Specification

In the following you can find the specification for the User CRD.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| email | string | The email address of the authenticated user. This is used to connect the authenticated user with this CR. | Yes |
| permissions | Permissions | Permissions for the user when the authentication / authorization middleware is enabled. | No |
| dashboards | []Dashboard | A list of dashboards which will be shown on the user's profile page. | No |
| notifications | Notifications | Overwrite the global notification settings for this user. | No |

Permissions

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| applications | []Application | Define a list of application permissions, to specify which applications can be accessed by a user. | Yes |
| teams | []string | Define a list of teams (must match the corresponding `group` field of a team) which can be viewed by a user. The special character `*` can be used to allow a user to view all teams. | Yes |
| plugins | []Plugin | A list of plugins which can be accessed by a user. | Yes |
| resources | []Resources | A list of resources which can be accessed by the user. | Yes |

Application

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| type | string | The type which should be used for the application permissions. This must be `all` to allow access to all applications, `own` to only allow access to applications owned by a team where the user is a member, or `custom` to set the permissions based on satellites, clusters and namespaces. | Yes |
| satellites | []string | A list of satellites from which applications can be accessed by the user, when the permission type is `custom`. The special character `*` can be used to include all satellites. | No |
| clusters | []string | A list of clusters from which applications can be accessed by the user, when the permission type is `custom`. The special character `*` can be used to include all clusters. | No |
| namespaces | []string | A list of namespaces from which applications can be accessed by the user, when the permission type is `custom`. The special character `*` can be used to include all namespaces. | No |

Plugin

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| satellite | string | The satellite on which the plugin instance is configured. The special character `*` can be used to include all satellites. | Yes |
| name | string | The name of the plugin instance as it is defined in the configuration. The special character `*` can be used to include all names. | Yes |
| type | string | The type of the plugin instance as it is defined in the configuration. The special character `*` can be used to include all types. | Yes |
| permissions | any | The permissions which should be granted to a user. The format of this property is different for each plugin. You can find an example for each plugin on the corresponding plugin page in the documentation. | No |

Resources

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| satellites | []string | A list of satellites to allow access to. The special list entry `*` allows access to all satellites. | Yes |
| clusters | []string | A list of clusters to allow access to. The special list entry `*` allows access to all clusters. | Yes |
| namespaces | []string | A list of namespaces to allow access to. The special list entry `*` allows access to all namespaces. | Yes |
| resources | []string | A list of resources to allow access to. The special list entry `*` allows access to all resources. | Yes |
| verbs | []string | A list of verbs to allow access to. The following verbs are possible: `get`, `patch`, `post`, `delete` and `*`. The special list entry `*` allows access for all verbs. | Yes |

Note

The following strings can be used in the resources list: `cronjobs`, `daemonsets`, `deployments`, `jobs`, `pods`, `replicasets`, `statefulsets`, `endpoints`, `horizontalpodautoscalers`, `ingresses`, `networkpolicies`, `services`, `configmaps`, `persistentvolumeclaims`, `persistentvolumes`, `poddisruptionbudgets`, `secrets`, `serviceaccounts`, `storageclasses`, `clusterrolebindings`, `clusterroles`, `rolebindings`, `roles`, `events`, `nodes`, `podsecuritypolicies`.

The special terms `pods/log` and `pods/exec` can be used to allow users to get the logs or a terminal for a Pod. To download / upload a file from / to a Pod a user also needs the `pods/exec` resource. The `pods/log` and `pods/exec` permissions can only be set together with the `*` value for the `verbs` parameter.

A Custom Resource can be specified in the following form: `<name>.<group>/<version>` (e.g. `vaultsecrets.ricoberger.de/v1alpha1`).

Notifications

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| groups | []Group | A list of notification groups which should be used for this user. | No |

Groups

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| title | string | The title for the notification group. | Yes |
| plugin | Plugin | The plugin configuration for the notification group. | Yes |

Example

The following CR defines that the user with the email rico@kobs.io can view all applications and teams. He can also view the Helm charts in the bookinfo and kobs namespaces and can use the Opsgenie plugin. Besides that, he can also list, edit and delete all resources in the bookinfo and kobs namespaces.

```yaml
---
apiVersion: kobs.io/v1
kind: User
metadata:
  name: ricoberger
  namespace: kobs
spec:
  email: rico@kobs.io
  permissions:
    applications:
      - type: all
    teams:
      - "*"
    plugins:
      - satellite: "*"
        name: helm
        type: helm
        permissions:
          - clusters:
              - "*"
            namespaces:
              - "bookinfo"
              - "kobs"
            names:
              - "*"
      - satellite: "*"
        name: opsgenie
        type: opsgenie
        permissions:
          - acknowledgeAlert
          - snoozeAlert
          - closeAlert
    resources:
      - satellites:
          - "*"
        clusters:
          - "*"
        namespaces:
          - "bookinfo"
          - "kobs"
        resources:
          - "*"
        verbs:
          - "*"
```
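To show how the `resources` rules above and the `pods/log` / `pods/exec` note are applied, here is an added example (not kobs' own code) that evaluates a request against a User's `resources` list with the `*` wildcard semantics from this page and flags rules that violate the verbs constraint. The deny-by-default evaluation and the dict layout mirroring the YAML are assumptions, not kobs' implementation.

```python
# Added example, not kobs' own code: evaluate a User "resources" rule list.
# Assumption: a request is allowed only if some rule matches all five fields
# (satellite, cluster, namespace, resource, verb); anything else is denied.
from typing import Iterable

VALID_VERBS = {"get", "patch", "post", "delete", "*"}
EXEC_LIKE = {"pods/log", "pods/exec"}   # require verbs: ["*"] per the note above


def _matches(allowed: Iterable[str], value: str) -> bool:
    """A list entry of "*" matches everything; otherwise an exact entry is needed."""
    allowed = list(allowed)
    return "*" in allowed or value in allowed


def validate_resources(rules: list) -> list:
    """Return human-readable problems: unknown verbs, and pods/log or pods/exec
    granted without the "*" verb, which the page says is not permitted."""
    problems = []
    for i, rule in enumerate(rules):
        verbs = set(rule.get("verbs", []))
        unknown = verbs - VALID_VERBS
        if unknown:
            problems.append(f"rule {i}: unknown verbs {sorted(unknown)}")
        if EXEC_LIKE & set(rule.get("resources", [])) and "*" not in verbs:
            problems.append(f"rule {i}: pods/log and pods/exec require verbs ['*']")
    return problems


def is_allowed(rules, satellite, cluster, namespace, resource, verb) -> bool:
    """Deny by default; allow if any rule matches every dimension of the request."""
    for rule in rules:
        if (_matches(rule.get("satellites", []), satellite)
                and _matches(rule.get("clusters", []), cluster)
                and _matches(rule.get("namespaces", []), namespace)
                and _matches(rule.get("resources", []), resource)
                and _matches(rule.get("verbs", []), verb)):
            return True
    return False


# Constructed sample: the "resources" block of the example User CR above.
EXAMPLE_RULES = [{
    "satellites": ["*"], "clusters": ["*"],
    "namespaces": ["bookinfo", "kobs"], "resources": ["*"], "verbs": ["*"],
}]

# A tighter, read-only rule a reviewer might propose; it fails validation because
# pods/log may only be combined with verbs: ["*"].
READ_ONLY_LOGS = [{"satellites": ["*"], "clusters": ["*"], "namespaces": ["kobs"],
                   "resources": ["pods", "pods/log"], "verbs": ["get"]}]
```

Running `validate_resources` on a CR before applying it catches the verbs constraint early; `is_allowed` makes it easy to check that a namespace outside bookinfo and kobs is really denied.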