The following sections describe the Kubernetes ClusterRoles that are created by Kf and lists the permissions that are contained in each ClusterRole.
Space developer role
The Space developer role aggregates permissions application developers use to deploy and manage applications within a Kf Space.
You can retrieve the permissions granted to Space developers on your cluster using the following command.
kubectl describe clusterrole space-developerThe default installation of Kf provides the following permissions:
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
events [] [] [*]
secrets [] [] [*]
*.kf.dev [] [] [*]
networkpolicies.networking.k8s.io [] [] [*]
pods/exec [] [] [create]
*.upload.kf.dev [] [] [create]
pods/log [] [] [get list watch]
pods [] [] [get list watch]
rolebindings.rbac.authorization.k8s.io [] [] [get list watch]
Space auditor role
The Space auditor role aggregates read-only permissions that auditors and automated tools use to validate applications within a Kf Space.
You can retrieve the permissions granted to Space auditors on your cluster using the following command.
kubectl describe clusterrole space-auditorThe default installation of Kf provides the following permissions:
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
events [] [] [*]
apps.kf.dev [] [] [get list watch]
rolebindings.rbac.authorization.k8s.io [] [] [get list watch]
Space manager role
The Space manager role aggregates permissions that allow delegation of duties to others within a Kf Space.
You can retrieve the permissions granted to Space managers on your cluster using the following command.
kubectl describe clusterrole space-managerThe default installation of Kf provides the following permissions:
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
clusterroles.rbac.authorization.k8s.io [] [space-auditor] [bind]
clusterroles.rbac.authorization.k8s.io [] [space-developer] [bind]
clusterroles.rbac.authorization.k8s.io [] [space-manager] [bind]
rolebindings.rbac.authorization.k8s.io [] [] [get list update patch watch]
apps.kf.dev [] [] [get list watch]
Dynamic Space manager role
Each Kf Space creates a ClusterRole with the name
SPACE_NAME-manager, where
SPACE_NAME-manager is called the dynamic manager role.
Kf
automatically grants all subjects with the space-manager role within the
Space the dynamic manager role at the cluster scope. The permissions for the
dynamic manager role allow Space managers to update settings on the Space with
the given name.
You can retrieve the permissions granted to the dynamic manager role for any Space on your cluster using the following command.
kubectl describe clusterrole SPACE_NAME-managerThe default installation of Kf provides the following permissions:
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
spaces.kf.dev [] [SPACE_NAME] [get list watch update patch]
Kf cluster reader role
Kf automatically grants the kf-cluster-reader role to all users on a
cluster that already have the space-developer, space-auditor, or space-manager
role within a Space.
You can retrieve the permissions granted to Space Kf cluster readers on your cluster using the following command.
kubectl describe clusterrole kf-cluster-readerThe default installation of Kf provides the following permissions:
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
namespaces [] [kf] [get list watch]
clusterservicebrokers.kf.dev [] [] [get list watch]
spaces.kf.dev [] [] [get list watch]