
Default Groups, Roles, and Policies

This topic lists the default global user groups, roles, and access policies that come out of the box with Wayfinder. Whenever a workspace is created, it automatically inherits these defaults. You can create additional groups, roles, and access policies to meet your needs. To understand these concepts, and for details on creating your own RBAC resources, see:


Default groups

This table lists each default group's permissions on the resources shown in each column. For more information, see the group descriptions below.

The table has four permission columns: Non-Prod Namespaces, Non-Prod Clusters, Prod Namespaces, and Prod Clusters. A column not listed under a group is empty in the table (the group is granted nothing there by default).

Workspace group: owner (Workspace owner)
  Non-Prod Namespaces: Full CRUD (access to namespace quotas and limits is blocked in tenant namespaces)
  Non-Prod Clusters: Full CRUD
  Prod Namespaces: Full CRUD
  Prod Clusters: Full CRUD

Workspace group: member (Workspace member)
  Non-Prod Namespaces: Full CRUD minus secrets GET
  Non-Prod Clusters: Full CRUD minus secrets GET

Workspace group: editor
  Non-Prod Namespaces: Full CRUD minus secrets GET
  Non-Prod Clusters: Full CRUD minus secrets GET
  Prod Namespaces: Read-only minus secrets GET
  Prod Clusters: Read-only minus secrets GET

Workspace group: viewer
  Non-Prod Namespaces: Read-only minus secrets GET
  Non-Prod Clusters: Read-only minus secrets GET
  Prod Namespaces: Read-only minus secrets GET
  Prod Clusters: Read-only minus secrets GET

Workspace group: secretsviewer-prod
  Prod: Secrets GET

Workspace group: secretsviewer-nonprod
  Non-Prod: Secrets GET

Workspace group: troubleshooting (Exec into and view logs for containers)
  Non-Prod Namespaces: Exec
  Non-Prod Clusters: Exec

Group descriptions

  • owner

    Users in the owner group own their workspace in Wayfinder. They are able to manage groups, access policies and roles within the workspace. They can also add other users to groups.

    This is a Wayfinder-defined group that governs what members can do within Wayfinder (not the infrastructure Wayfinder manages). To provide access to Wayfinder-managed infrastructure, add users to an appropriate group.

    This group’s permissions cannot be changed by users through access policies or roles.

  • member

    Users in the member group have read-only access to their workspace (users, groups, roles, etc). They do not have the ability to change groups, roles or access policies.

    This is a Wayfinder-defined group that governs what members can do within Wayfinder (not the infrastructure Wayfinder manages). To provide access to Wayfinder-managed infrastructure, add users to an appropriate group.

    This group’s permissions cannot be changed by users through access policies or roles.

  • editor

    Users in this group have super-user access to namespaces in Non-Production, and read-only access to clusters. In Production they have only read-only access to namespaces and clusters. However, this group does not allow viewing secrets, since reading the contents of secrets gives access to the ServiceAccount credentials in the namespace. That access resides separately in the secretsviewer groups. For multi-tenanted namespaces, users are not allowed to change namespace quotas and limits on clusters owned by other workspaces.

  • viewer

    Users in this group have read-only access to both Production and Non-Production clusters and namespaces. However, this group does not allow viewing secrets, since reading the contents of secrets gives access to the ServiceAccount credentials in the namespace. That access resides separately in the secretsviewer groups.

  • secretsviewer-prod

    Users in this group can view secrets and other sensitive Kubernetes configuration data in Production.

  • secretsviewer-nonprod

    Users in this group can view secrets and other sensitive Kubernetes configuration data in Non-Production.

  • troubleshooting

    Users in this group can exec into containers to view logs and diagnose issues. It should only be assigned temporarily.


Default roles

Default global roles are available to all workspaces, and are read-only in workspaces. Wayfinder admins can disable default global roles.

This table lists Wayfinder's default roles.

Role: Description
  cluster.admin: Standard Kubernetes cluster-admin role
  cluster.view: Standard Kubernetes view role
  namespace.admin: Standard Kubernetes admin role minus secrets GET
  namespace.edit: Standard Kubernetes edit role
  namespace.view: Standard Kubernetes view role restricted to namespace-level resources only
  namespace.troubleshooting: Exec into and view logs for containers
  secrets.view: Get secrets (and anything else related)

Default access policies

Default global access policies are available to all workspaces, and are read-only in workspaces. Wayfinder admins can disable default global policies.

This table lists Wayfinder's default global access policies and the user groups, roles, and stage they apply to.

Policy: admin.prod
  Description: Allows the admin group to have full admin access to clusters in Production
  Groups: owner
  Roles: cluster.admin
  Stage: production

Policy: admin.nonprod
  Description: Allows the admin group to have full admin access to clusters in Non-Production
  Groups: owner
  Roles: cluster.admin
  Stage: non-production

Policy: editor.prod
  Description: Allows editors to view clusters in Production
  Groups: editor
  Roles: cluster.view, namespace.view
  Stage: production

Policy: editor.nonprod
  Description: Allows editors to have full admin access to namespaces in Non-Production, and to view clusters in both Production and Non-Production
  Groups: editor, member
  Roles: namespace.edit, cluster.view
  Stage: non-production

Policy: viewer.prod
  Description: Allows the viewer group to have read-only access to clusters and namespaces in both Production and Non-Production
  Groups: viewer
  Roles: namespace.view, cluster.view
  Stage: non-production

Policy: viewer.nonprod
  Description: Allows the viewer group to have read-only access to clusters and namespaces in Non-Production
  Groups: viewer, member
  Roles: namespace.view, cluster.view
  Stage: non-production

Policy: secretsviewer.prod
  Description: Allows the secrets-viewer-production group to have read-only access to secrets in Production
  Groups: secretsviewer-prod
  Roles: secrets.view
  Stage: production

Policy: secretsviewer.nonprod
  Description: Allows the secretsviewer-nonprod group to have read-only access to secrets in Non-Production
  Groups: secretsviewer-nonprod
  Roles: secrets.view
  Stage: non-production

Policy: support
  Description: Allows the troubleshooting group to exec into and view logs for containers in Non-Production clusters only
  Groups: troubleshooting
  Roles: namespace.troubleshooting
  Stage: non-production
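As an added example (not Wayfinder's own code), the script below resolves the group -> policy -> role -> stage chain from the tables above so you can ask effective-access questions such as "which groups can GET secrets in Production?". The verb and resource names follow Kubernetes API conventions, and the contents of each role are an assumption approximating the standard Kubernetes roles the page names.

```python
# Added example (not Wayfinder code): resolve what each default group can do from
# the policy table on this page. Role contents approximate the Kubernetes roles
# named (assumption); only secrets.view and cluster.admin may GET secrets.
READ = {"get", "list", "watch"}
CRUD = READ | {"create", "update", "patch", "delete"}

# role -> (verbs on any resource, extra (resource, verb) grants, may GET secrets)
ROLES = {
    "cluster.admin": (CRUD, set(), True),
    "cluster.view": (READ, set(), False),
    "namespace.edit": (CRUD, set(), False),
    "namespace.view": (READ, set(), False),
    "namespace.troubleshooting": (set(), {("pods/log", "get"), ("pods/exec", "create")}, False),
    "secrets.view": (set(), set(), True),
}

# policy -> (groups, roles, stage) from this page. viewer.prod is modelled as
# production (assumption from its name and the group table; the table prints non-production).
POLICIES = {
    "admin.prod": ({"owner"}, {"cluster.admin"}, "production"),
    "admin.nonprod": ({"owner"}, {"cluster.admin"}, "non-production"),
    "editor.prod": ({"editor"}, {"cluster.view", "namespace.view"}, "production"),
    "editor.nonprod": ({"editor", "member"}, {"namespace.edit", "cluster.view"}, "non-production"),
    "viewer.prod": ({"viewer"}, {"namespace.view", "cluster.view"}, "production"),
    "viewer.nonprod": ({"viewer", "member"}, {"namespace.view", "cluster.view"}, "non-production"),
    "secretsviewer.prod": ({"secretsviewer-prod"}, {"secrets.view"}, "production"),
    "secretsviewer.nonprod": ({"secretsviewer-nonprod"}, {"secrets.view"}, "non-production"),
    "support": ({"troubleshooting"}, {"namespace.troubleshooting"}, "non-production"),
}

def role_allows(role, resource, verb):
    """Secrets GET is decided only by the role's flag, so CRUD never implies it."""
    verbs, extras, secrets_get = ROLES[role]
    if resource == "secrets" and verb == "get":
        return secrets_get
    return verb in verbs or (resource, verb) in extras

def effective_roles(group, stage):
    """Union of roles from every policy naming the group in that stage."""
    return {r for groups, roles, s in POLICIES.values()
            if group in groups and s == stage for r in roles}

def can(group, stage, resource, verb):
    return any(role_allows(r, resource, verb) for r in effective_roles(group, stage))

def secret_readers(stage):
    """Groups able to GET secrets in a stage: the set an auditor checks first."""
    groups = {g for gs, _, _ in POLICIES.values() for g in gs}
    return {g for g in groups if can(g, stage, "secrets", "get")}
```

Calling secret_readers("production") returns only owner and secretsviewer-prod, which is the property the "minus secrets GET" carve-outs in the group table are meant to guarantee.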