By default, Kore does not assign static permissions to robots/service accounts on creation. Assignment Policies provide a mechanism for team members to assign static permissions to a robot account, as described in Assign a Role. You cannot assign a role to human users; they must use kore assume instead.
In order for team members to use kore assign, you, as a team administrator, must create an assignment policy allowing permissions to be assigned to one or more robot accounts.
We do not recommend allowing kore assign to assign permissions permanently to a human user of
Allowing a user to assign a policy plan can give that user access to the rights granted by the policy: if they created the robot account themselves, they hold the robot's token.
If you are allowing assignment of permissions that the user themselves should not have, use policy plans that restrict the permissions to be accessible only from certain IP ranges, such as those of your CI system. This prevents a user from using the robot account from unknown locations.
To create an assignment policy:
Run the kore create policy assignment command.
Follow the prompts to answer the questions that will create the policy:
- Whom you are allowing to assign this policy: one or more team members, a role, etc.
- To what they are permitted to assign the role. In nearly all cases this is a robot account. You can restrict this to a specific robot account if needed.
In the following example, you are creating an assignment policy for the role kore.deployment:

```
$ kore create policy assignment --plan kore.deployment
✔ Creating assignment policy on plan: kore.deployment
? Who should be able to apply this plan
▸ Team Member - allows you to limit the scope by the team member
  All Subjects - allows you to scope to all subjects
  Robot Account - allows you to limit the scope by as specific robot account
  All Robots - scopes the permission to all robot accounts in kore
  Subject Scope - limits the by the scope of the token (user, robot)
  Team Role - limits the scope by team role membership of the user
↷ Next
```
Once you provide all the parameters, the policy is submitted and applied.
To view all the policies, run kore get policy.
You can see the permissions granted by a role (policy plan) by running the command:
kore get policyplan ROLE-NAME -o yaml
Let's say you run this command for the kore.deployment role, and you don't find the permissions you require. In that case, you can create and apply a new role that grants the permissions you need. You can then create an assignment policy that constrains the assignment of that role.
A developer needs access to additional permissions not covered in the kore.deployment plan. While the permissions granted cover the majority of those required to deploy, this developer is using a MongoDB operator that requires access to additional API groups in Kubernetes. You want to grant the required permissions by:
- Creating a new policy plan (role) for the new permissions
- Creating an assignment policy that allows members to assign the plan to robot accounts
To add the new role and create an assignment policy:
Create a new policy plan (role) named mongodb-io using a custom resource, as shown in this .yaml file:

```yaml
apiVersion: policy.kore.appvia.io/v1alpha1
kind: PolicyPlan
metadata:
  name: mongodb-io
spec:
  description: |
    Provides the ability to deploy and manage a mongodb cluster via
    the very special operator.
  selectors:
    - resource:
        groups:
          - mongodb.io
        resources:
          - instances
          - clusters
        verbs:
          - "*"
  policy:
    decision:
      action: allow
      message: Allows access to mongodb operator apigroups
```
To apply the new policy plan, run:
kore apply -f PATH-TO-FILE.yaml
Create an assignment policy, permitting team members to assign the role to the robot accounts:
kore create policy assignment --plan mongodb-io
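Before creating the assignment policy, a team administrator will want to know two things about a plan: whether it actually covers the permissions the robot account needs (the check described above for kore.deployment), and which selectors hand out wildcard verbs. The following is an added example, not Kore's own code; it assumes that selectors[].resource matches on groups/resources/verbs with "*" as a wildcard and that a plan grants only when policy.decision.action is "allow", which this page shows but does not document.

```python
# Added example (not Kore's own code): does a PolicyPlan cover the permissions
# a robot needs, and which selectors grant wildcard verbs? Assumed, not stated
# on this page: selectors[].resource matches groups/resources/verbs with "*"
# as a wildcard, and the plan grants only when policy.decision.action is "allow".
# Constructed sample: the mongodb-io plan from this page, as a YAML loader
# would return it from `kore get policyplan mongodb-io -o yaml`.
MONGODB_IO_PLAN = {
    "apiVersion": "policy.kore.appvia.io/v1alpha1",
    "kind": "PolicyPlan",
    "metadata": {"name": "mongodb-io"},
    "spec": {
        "selectors": [{"resource": {"groups": ["mongodb.io"],
                                    "resources": ["instances", "clusters"],
                                    "verbs": ["*"]}}],
        "policy": {"decision": {"action": "allow",
                                "message": "Allows access to mongodb operator apigroups"}},
    },
}

def _matches(allowed, wanted):
    """A selector list matches when it names the value or carries the wildcard."""
    return "*" in allowed or wanted in allowed

def plan_allows(plan, group, resource, verb):
    """True when a resource selector of an allow plan covers (group, resource, verb)."""
    spec = plan.get("spec", {})
    if spec.get("policy", {}).get("decision", {}).get("action") != "allow":
        return False
    wanted = (("groups", group), ("resources", resource), ("verbs", verb))
    return any(all(_matches(sel["resource"].get(k, []), v) for k, v in wanted)
               for sel in spec.get("selectors", []) if sel.get("resource"))

def missing_permissions(plan, required):
    """Sorted (group, resource, verb) triples the plan does not grant."""
    return sorted(t for t in required if not plan_allows(plan, *t))

def wildcard_verb_grants(plan):
    """(group, resource) pairs granted every verb: review before assigning the plan."""
    pairs = []
    for sel in plan.get("spec", {}).get("selectors", []):
        res = sel.get("resource", {})
        if "*" in res.get("verbs", []):
            pairs += [(g, r) for g in res.get("groups", []) for r in res.get("resources", [])]
    return pairs

if __name__ == "__main__":
    needed = [("mongodb.io", "clusters", "create"), ("mongodb.io", "instances", "list"),
              ("apps", "deployments", "create")]  # constructed: what the operator deploy needs
    print(missing_permissions(MONGODB_IO_PLAN, needed), wildcard_verb_grants(MONGODB_IO_PLAN))
```

On real output, load the YAML from kore get policyplan ROLE-NAME -o yaml with a YAML parser in place of the embedded dict; a non-empty missing list is the signal to add a plan such as mongodb-io rather than widen an existing one.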