Version: 0.7

Control Role Assignment

By default, Kore does not assign static permissions to robots/service accounts on creation. Assignment Policies provide a mechanism for team members to assign static permissions to a robot account, as described in Assign a Role. You cannot assign a role to human users—they must use kore assume instead.

In order for team members to use kore assign, as a team administrator, you must create an assignment policy allowing permissions to be assigned to one or more robot accounts.

We do not recommend allowing kore assign to assign permissions permanently to a human user of Kore.

warning

Allowing a user to assign a policy plan can give that user the rights granted by the plan: if they created the robot account, they hold the robot's token.

If you allow assignment of permissions that the user should not hold directly, use policy plans that restrict those permissions to certain IP ranges, such as those of your CI system. This prevents a user from exercising the robot account's permissions from other locations.

Create an assignment policy

To create an assignment policy:

  1. Run the kore create policy assignment command.

  2. Follow the prompts to answer the questions that define the policy:

    • Who is allowed to assign this policy: one or more team members, a team role, and so on.
    • What they may assign the role to. In nearly all cases this is a robot account; you can restrict it to a specific robot account if needed.

    In the following example, you are creating an assignment policy for the role kore.deployment.

    $ kore create policy assignment --plan kore.deployment
    ✔ Creating assignment policy on plan: kore.deployment
    ? Who should be able to apply this plan
    ▸ Team Member - allows you to limit the scope by the team member
    All Subjects - allows you to scope to all subjects
    Robot Account - allows you to limit the scope by as specific robot account
    All Robots - scopes the permission to all robot accounts in kore
    Subject Scope - limits the by the scope of the token (user, robot)
    Team Role - limits the scope by team role membership of the user
    ↷ Next

    Once you provide all the parameters, the policy is submitted and applied.

  3. To view all the policies, run kore get policy.

Add more policy plans

You can see the permissions granted by a role (policy plan) by running the command:

kore get policyplan ROLE-NAME -o yaml

Let's say you run this command for the kore.deployment role, and you don't find the permissions you require. In that case, you can create and apply a new role that grants the permissions you need. You can then create an assignment policy that constrains the assignment of that role.

Example use case

A developer needs additional permissions not covered by the kore.deployment plan. While the permissions it grants cover most of what is required to deploy, this developer is using a MongoDB operator that requires access to additional API groups in Kubernetes. You want to grant the required permissions by:

  • Creating a new policy plan (role) for the new permissions
  • Creating an assignment policy that allows members to assign the plan to robot accounts

To add the new role and create an assignment policy:

  1. Create a new policy plan (role) named mongodb-io using a custom resource, as shown in this .yaml file:

    apiVersion: policy.kore.appvia.io/v1alpha1
    kind: PolicyPlan
    metadata:
      name: mongodb-io
    spec:
      description: |
        Provides the ability to deploy and manage a mongodb cluster via
        the very special operator.
      selectors:
        - resource:
            groups:
              - mongodb.io
            resources:
              - instances
              - clusters
            verbs:
              - "*"
          policy:
            decision:
              action: allow
              message: Allows access to mongodb operator apigroups

  2. To apply the new policy plan, run: kore apply -f PATH-TO-FILE.yaml

  3. Create an assignment policy, permitting team members to assign the role to the robot accounts:

    kore create policy assignment --plan mongodb-io
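Before making a plan assignable, it is worth checking exactly what it grants, as the kore get policyplan ROLE-NAME -o yaml step above suggests. As an added example (not Kore's own code or part of this page), the following Python lint takes the mongodb-io plan embedded as the dict a YAML loader would produce from that output, expands each allow selector into the (group, resource, verb) triples it grants, flags wildcards such as the "*" verbs in the plan, and builds a tightened copy with explicit verbs. The embedded plan, the set of verbs the operator is assumed to need, and the selector field semantics are assumptions drawn from the YAML on this page.

```python
"""Lint what a Kore PolicyPlan grants before making it assignable (added example)."""
import copy
from itertools import product

# Constructed: the mongodb-io plan from this page, as the dict a YAML loader
# would produce from `kore get policyplan mongodb-io -o yaml`; embedded to run offline.
MONGODB_IO_PLAN = {
    "apiVersion": "policy.kore.appvia.io/v1alpha1",
    "kind": "PolicyPlan",
    "metadata": {"name": "mongodb-io"},
    "spec": {
        "selectors": [{
            "resource": {
                "groups": ["mongodb.io"],
                "resources": ["instances", "clusters"],
                "verbs": ["*"],
            },
            "policy": {"decision": {"action": "allow", "message": "Allows access to mongodb operator apigroups"}},
        }],
    },
}

def expand_grants(plan):
    """Set of (group, resource, verb) triples that the plan's 'allow' selectors grant."""
    grants = set()
    for sel in plan["spec"]["selectors"]:
        if sel.get("policy", {}).get("decision", {}).get("action") != "allow":
            continue  # anything other than an allow decision adds no permissions
        res = sel["resource"]
        grants.update(product(res["groups"], res["resources"], res["verbs"]))
    return grants

def find_wildcards(plan):
    """Grants where group, resource or verb is '*' (candidates to tighten)."""
    return sorted(t for t in expand_grants(plan) if "*" in t)

def excess_grants(plan, needed):
    """Grants not in the explicit `needed` set; a '*' verb is always excess
    because it covers verbs the workload never asked for."""
    return sorted(t for t in expand_grants(plan) if t not in needed)

def with_verbs(plan, verbs):
    """Copy of the plan with every selector's verbs replaced by an explicit list."""
    tight = copy.deepcopy(plan)
    for sel in tight["spec"]["selectors"]:
        sel["resource"]["verbs"] = list(verbs)
    return tight
```

Run excess_grants against the verbs your operator actually needs; an empty result for the tightened plan is the version to apply and then make assignable.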