Skip to main content

About Role Based Access Control (RBAC)

The RBAC concepts described here explain how to control access to Kubernetes clusters managed by Wayfinder. To understand how to control access to Wayfinder itself, see the User Access Privileges section of the documentation.


This table describes the RBAC terms and Wayfinder concepts that work together to control user access.

TermDescription
PermissionThe ability to create, modify, delete, or perform other operations on a resource (such as a cluster, namespace, ingress, etc.)
RoleA group of generic permissions that can be granted to a subject (human or access token) to perform actions in a Kubernetes cluster managed by Wayfinder. For example, a member of the workspace 'editor' group can use the cluster.view role to view resources in that workspace's clusters. Human subjects can assume roles for a limited time. Access tokens are assigned roles permanently.
Access policyWhile a role provides generic permissions, an access policy permits usage of those permissions on specific resources subject to certain conditions. Access policies are a set of rules about what roles a specific human user can use (or assign to access tokens) with specific infrastructure. For example, namespace.deployment permits deployment to a specific namespace of a cluster. If an access policy with subject type 'User' permits a user to use this role with a specific cluster, they can use wf access cluster to gain temporary access to that role. If an access policy with subject type 'AccessToken' permits a user to assign this role to an access token for a certain cluster, they can assign namespace.deployment role to a token such that the token will be able to perform deployments to a namespace.
GroupsA group of users. Groups facilitate creating and adjusting roles and policies for a group of users who share the same set of permissions.
Live sessionsWayfinder shows you who currently has access to resources. This lets you revoke those sessions if needed.
WorkspacesA way of putting related users, teams, projects, etc., and their associated infrastructure together in once space. All user access permissions are bound to the scope of a workspace. So, the roles and access policies in a workspace are limited to accessing the infrastructure in that workspace.
[Stages]/wayfinder/admin/stages/stages-overviewUsed to separarate production environments from non-production, and any other stage you optionally define. Access policies are scoped to a specific stage by default.

Wayfinder's user access model

Wayfinder leverages the same mechanics and best practice employed within cloud vendors.

  • All user access is driven by accessing a role on a specific resource such as a cluster or namespace. This access can be by humans or access tokens. Human users never have permanent access to anything. Instead, they are given a limited subset of permissions. When they need additional permissions, they are prompted to assume or escalate their permissions via a Role. Access Tokens can be assigned permanent access.
  • All sessions (for human users) have a natural expiration time, so nothing needs to be invalidated.
  • All credentials are rotated on a configurable period.
  • When escalating permissions users are filtered through a series of policies that govern the how, when, what and why a user can assume the role.

For more information, see Understanding roles and policies.

More information

For more information, see: