You can statically assign permissions to robot/service accounts using the `kore assign` CLI command. You cannot assign permissions to a human user.
Team administrators can control and constrain which permissions can be assigned to a robot, and who can perform those assignments. For information on how a team administrator configures this, see Control Role Assignment.
All policy assignments are controlled via the `kore assign plan` command:
- On issuing the command you are prompted for the role you wish to assign.
- The next phase asks whom you wish to assign the permission to: a specific robot account, all robot accounts, etc.
- If the role you are assigning requires parameters, these are requested.
- Once all the parameters are assembled the request is passed to Kore to verify and, if permitted, assign the permissions.
Example use case: In this example, you need a robot account for CI to build and deploy an application into the namespace.
To do this, you will:
In this example, you create a robot named
To create a robot account, run the following:

```
$ kore create robot app1 --show-config
✔ Please provides a description of use for this account: Robot account used to deploy application 1
feature-gates:
  application_services: true
  monitoring_services: false
  services: true
profiles:
  default:
    server: default
    team: devs
    user: default
servers:
  default:
    server: http://localhost:10080
users:
  default:
    kore-identity:
      refresh-token: <TOKEN>
version: latest
```
`--show-config` provides a convenient way to produce a Kore CLI configuration that can be copied as a whole into your chosen CI as a secret, or placed in a local file to test the robot account.
To assign permissions to a robot, you run the `kore assign plan` command and select a plan, as shown in the following example:
To assign permissions to the robot account:
Run `kore assign plan`, select the plan and the robot, and respond to the prompts for parameters. The parameters depend on the plan selected. Example:

```
$ kore assign plan
? Which plan would you like to use?
  clusters.defaults
  kore.build
▸ kore.deployment
  member.defaults
  robot.defaults
  robots.network
  kore.system.org.clusters.readonly
  kore.system.org.readonly
  kore.system.org.teams.readonly
  kore.system.team.management

Name:  kore.deployment
Owner: devs

Provides a deployment permission set which can be used by robot
accounts to deploy their applications in a namespace.
Note the policy is intentionally locked down per namespace, per
cluster to ensure use of a different token per application.
```
In this example, you selected the `kore.deployment` plan, and the robot account `app1` to assign the permissions to. Two parameters are required for this plan, the `namespace`. Example response:

```
$ kore assign plan
✔ You have choosen the plan: "kore.deployment"
✔ Policy will apply to robot: app1
✔ This plan has a number of 2 parameters associated
◉ The plan has a required value: "cluster" (single)
✔ You have selected eks-dev as the cluster:
◉ The plan has a required value: "namespace" (single)
✔ You have selected test as the namespace:
Plan has been successfully assigned to subject/s
```
At this point the permissions are assigned to the robot account.
To verify the policy assigned to this robot, run either of the following commands:
- `kore get policy --robot ROBOT-NAME` (mini view)
- `kore get policy --robot app1 --all` (detailed view)

Example:

```
$ kore get policy --robot app1
NAME                          COMPLIANCE  PLAN             ENABLED  STATUS   AGE
kore.deployment-assign-d5q7x  none        kore.deployment  true     Success  11m

# See all policies attached, including policies generated by the application of the plan, using
# --all:
$ kore get policy --robot app1 --all
NAME                               COMPLIANCE  PLAN             ENABLED  STATUS   AGE
kore.deployment-api-p2bbg          default     -                true     Success  12m
kore.deployment-assign-d5q7x       none        kore.deployment  true     Success  12m
kore.deployment-clusterwide-ps86l  default     -                true     Success  12m
kore.deployment-namespace-7g95c    default     -                true     Success  12m
```
The mini view shows just the assignment: the policy `kore.deployment-assign-d5q7x` references the plan `kore.deployment`. The detailed view shows how these parameters expand into three separate policies targeting the Kore API, the selected cluster, and the selected namespace.
To assign container build permissions to the robot:
Run `kore assign plan` as in Assign permissions above. This time, select the `kore.build` plan. Provide the robot account (`app1` in this example) and the build you want to kick off.
Verify the policy assigned. Example:

```
$ kore get policy --robot app1
NAME                          COMPLIANCE  PLAN             ENABLED  STATUS   AGE
kore.build-assign-4m9zh       none        kore.build       true     Success  3s
kore.deployment-assign-d5q7x  none        kore.deployment  true     Success  65m
```
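The verification steps above can be automated as a CI gate. The following is an added example, not part of the Kore documentation or CLI: it reads `kore get policy --robot app1 --all` output and fails if the robot holds a plan outside an allowlist, lacks an expected plan, or has a policy that is disabled or not in `Success` status. It assumes whitespace-separated columns in the order shown above; `audit_robot_policies` and `sample_policies` are hypothetical names, and the sample rows are constructed from the outputs on this page.

```shell
#!/bin/sh
# Added example: audit the policies attached to a Kore robot account.
# Input: output of `kore get policy --robot NAME --all` on stdin.
# Assumption: whitespace-separated columns in the order shown on this page:
# NAME COMPLIANCE PLAN ENABLED STATUS AGE.

# audit_robot_policies "plan1 plan2 ..."
# Prints one finding per line; returns 0 only when nothing was found.
audit_robot_policies() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "NAME" && $2 == "COMPLIANCE" { next }   # header row
    NF != 6 {                                     # fail closed on odd lines
      if (NF) { print "UNPARSED line " NR; bad++ }
      next
    }
    {
      rows++
      if ($3 != "-") {       # in the sample output, generated policies show "-"
        seen[$3] = 1
        if (!($3 in ok)) { print "UNEXPECTED_PLAN " $3 " (" $1 ")"; bad++ }
      }
      if ($4 != "true")    { print "DISABLED " $1; bad++ }
      if ($5 != "Success") { print "NOT_APPLIED " $1 " status=" $5; bad++ }
    }
    END {
      for (i = 1; i <= n; i++)
        if (!(a[i] in seen)) { print "MISSING_PLAN " a[i]; bad++ }
      if (rows == 0) { print "NO_POLICIES"; bad++ }
      exit (bad ? 1 : 0)
    }'
}

# Constructed sample, modelled on the outputs shown on this page.
sample_policies() {
  cat <<'EOF'
NAME COMPLIANCE PLAN ENABLED STATUS AGE
kore.build-assign-4m9zh none kore.build true Success 3s
kore.deployment-api-p2bbg default - true Success 65m
kore.deployment-assign-d5q7x none kore.deployment true Success 65m
kore.deployment-clusterwide-ps86l default - true Success 65m
kore.deployment-namespace-7g95c default - true Success 65m
EOF
}

# Real use: kore get policy --robot app1 --all | audit_robot_policies "kore.deployment kore.build"
sample_policies | audit_robot_policies "kore.deployment kore.build" \
  && echo "app1: only the expected plans are assigned"
```
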
You can test that the assignment has been successful by using the robot account itself.
To test that the assignment works:
Run `kore create robot app1 --show-config` and place the output into a file, for example,
Using the Kore CLI, use the output file above in the `KORE_CONFIG` environment variable, as shown in this example:

```
$ KORE_CONFIG=./config kore whoami
USERNAME                              EMAIL                                                           TEAMS  AUTHENTICATION
system:serviceaccount:kore:devs:app1  system:serviceaccount:kore:devs:firstname.lastname@example.org  None   jwt
$ KORE_CONFIG=./config kore run build <mybuild>
$ KORE_CONFIG=./config kore kubeconfig
```
The Kore CLI defaults to `$HOME/.kore/config`. Here we are overriding that by using `KORE_CONFIG` to set a configuration location for a single command.
If you can't find a role with the required permissions, contact the team administrator. They will have to create a plan permitting the functionality, and assign you the permission to use it. You can learn more about that process in Control Role Assignment.