Version: 0.7

Assign a Role

You can statically assign permissions to robot/service accounts using the kore assign CLI command. You cannot assign permissions to a human user.

Team administrators can control and constrain which permissions can be assigned to a robot, and who can perform those assignments. For information on how a team administrator configures this, see Control Role Assignment.

All policy assignments are controlled via the kore assign plan command:

  • On issuing the command you are prompted for the role you wish to assign.
  • The next phase asks whom you wish to assign the permission to: a specific robot account, all robot accounts, etc.
  • If the role you are assigning requires parameters, these are requested.
  • Once all the parameters are assembled the request is passed to Kore to verify and, if permitted, assign the permissions.

Assign a role

Example use case: In this example, you need a robot account for CI to build and deploy an application into a namespace.

To do this, you will:

  1. Create a robot account.
  2. Assign permissions to the robot account.

Create a robot account

In this example, you create a robot named app1.

To create a robot account:

  1. Run the following:

    $ kore create robot app1 --show-config
    ✔ Please provides a description of use for this account: Robot account used to deploy application 1█
    feature-gates:
      application_services: true
      monitoring_services: false
      services: true
    profiles:
      default:
        server: default
        team: devs
        user: default
    servers:
      default:
        server: http://localhost:10080
    users:
      default:
        kore-identity:
          refresh-token: <TOKEN>
    version: latest

    Note: --show-config provides a convenience method producing a Kore CLI configuration that can be copied as a whole into your chosen CI as a secret, or placed in a local file to test the robot account. The output includes the robot's refresh token, so treat the whole configuration as a credential.

Assign permissions to the robot account

To assign permissions to a robot, you run the kore assign plan command and select a plan.

To assign permissions to the robot account:

  1. Run kore assign plan, select the plan and the robot, and respond to the prompts for parameters. The parameters depend on the plan selected. Example:

    $ kore assign plan
    ? Which plan would you like to use?
    clusters.defaults
    kore.build
    ▸ kore.deployment
    member.defaults
    robot.defaults
    robots.network
    kore.system.org.clusters.readonly
    kore.system.org.readonly
    kore.system.org.teams.readonly
    kore.system.team.management
    Name:kore.deployment
    Owner:devs
    Provides a deployment permission set which can be used by robot
    accounts to deploy their applications in a namespace.
    Note the policy is intentionally locked down per namespace, per
    cluster to ensure use of a different token per application.

    In this example, you selected the kore.deployment plan, and the robot account app1 to assign the permissions to. Two parameters are required for this plan, the cluster and namespace. Example response:

    $ kore assign plan
    ✔ You have choosen the plan: "kore.deployment"
    ✔ Policy will apply to robot: app1
    ✔ This plan has a number of 2 parameters associated
    ◉ The plan has a required value: "cluster" (single)
    ✔ You have selected eks-dev as the cluster:
    ◉ The plan has a required value: "namespace" (single)
    ✔ You have selected test as the namespace:
    Plan has been successfully assigned to subject/s

    At this point the permissions are assigned to the robot account.

  2. To verify the policy assigned to this robot, run either of the following commands:

    kore get policy --robot ROBOT-NAME (mini view)

    kore get policy --robot app1 --all (detailed view)

    Example:

    $ kore get policy --robot app1
    NAME                          COMPLIANCE  PLAN             ENABLED  STATUS   AGE
    kore.deployment-assign-d5q7x  none        kore.deployment  true     Success  11m
    # See all policies attached, including policies generated by the application of the plan, using
    # --all:
    $ kore get policy --robot app1 --all
    NAME                             COMPLIANCE  PLAN             ENABLED  STATUS   AGE
    kore.deployment-api-p2bbg        default     -                true     Success  12m
    kore.deployment-assign-d5q7x     none        kore.deployment  true     Success  12m
    kore.deployment-clusterwide-ps86l  default   -                true     Success  12m
    kore.deployment-namespace-7g95c  default     -                true     Success  12m

    Note: The mini view provides just the assignment: the policy kore.deployment-assign-d5q7x references the plan kore.deployment. The detailed view shows how these parameters expand into three separate policies targeting the Kore API, the selected cluster, and the selected namespace.

Assign container build permissions to the robot

To assign container build permissions to the robot:

  1. Run kore assign plan as in Assign permissions above. This time, select the kore.build plan. Provide the robot account (app1 in this example) and the build you want to kick off.

  2. Verify the policy assigned. Example:

    $ kore get policy --robot app1
    NAME                          COMPLIANCE  PLAN             ENABLED  STATUS   AGE
    kore.build-assign-4m9zh       none        kore.build       true     Success  3s
    kore.deployment-assign-d5q7x  none        kore.deployment  true     Success  65m
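
The verification step can be scripted as a least-privilege check, for example in CI. The following is an added example, not part of the Kore documentation or project: it reads the table printed by kore get policy --robot on standard input and reports any plan outside an allowlist. The function name audit_robot_plans, the sample tables and the policy name ending in x0000 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Kore project code. Audits the table printed by
# `kore get policy --robot NAME` against an allowlist of plans.
# Assumption: whitespace-separated columns NAME COMPLIANCE PLAN ENABLED
# STATUS AGE, as in the sample output on this page.

# Usage: kore get policy --robot app1 | audit_robot_plans "kore.build kore.deployment"
# Prints one finding per line; returns 0 when clean, 1 when there are findings.
audit_robot_plans() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "NAME" { next }     # header row
    NF < 6       { next }     # blank or truncated line
    $3 == "-"    { next }     # policy generated by a plan (--all view)
    {
      seen[$3] = 1
      if (!($3 in ok))     { print "UNEXPECTED plan " $3 " (" $1 ")"; bad = 1 }
      if ($4 != "true")    { print "DISABLED " $1; bad = 1 }
      if ($5 != "Success") { print "NOT-APPLIED " $1 " status=" $5; bad = 1 }
    }
    END {
      for (p in ok) if (!(p in seen)) { print "MISSING plan " p; bad = 1 }
      exit bad + 0
    }'
}

# Constructed sample tables. The first mirrors the output shown above; the
# second adds a constructed row for a plan a CI robot should not hold.
SAMPLE_OK='NAME                          COMPLIANCE  PLAN             ENABLED  STATUS   AGE
kore.build-assign-4m9zh       none        kore.build       true     Success  3s
kore.deployment-assign-d5q7x  none        kore.deployment  true     Success  65m'
SAMPLE_DRIFT="$SAMPLE_OK
kore.system.team.management-assign-x0000  none  kore.system.team.management  true  Success  1m"

# Demo run on the constructed drift table.
printf '%s\n' "$SAMPLE_DRIFT" | audit_robot_plans "kore.build kore.deployment" \
  || echo "app1 holds plans outside its allowlist"
```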

Test that the build permissions assignment works

You can test that the assignment has been successful by using the robot account itself.

To test that the assignment works:

  1. Run kore create robot app1 --show-config and place the output into a file, for example, ./config.

  2. Point the Kore CLI at that file by setting the KORE_CONFIG environment variable, as shown in this example:

    $ KORE_CONFIG=./config kore whoami
    USERNAME                              EMAIL                                                             TEAMS  AUTHENTICATION
    system:serviceaccount:kore:devs:app1  system:serviceaccount:kore:devs:app1@kore.serviceaccount.local  None   jwt
    $ KORE_CONFIG=./config kore run build <mybuild>
    $ KORE_CONFIG=./config kore kubeconfig

    Note: The Kore CLI defaults to $HOME/.kore/config. Here we are overriding that by using KORE_CONFIG to set a configuration location for a single command.

What if I can't find the right policy plan (role)?

If you can't find a role with the required permissions, contact the team administrator. They will have to create a plan permitting the functionality, and assign you the permission to use it. You can understand more about that process in Control Role Assignment.