Overview of Cluster Access Policies

introduction to cluster access policies

What are cluster access policies?

A cluster access policy grants users the right to gain short-lived access to a cluster themselves, or to assign permanent access to an access token.

When should I create custom cluster access policies?

You can create custom access policies when Wayfinder's default access policies do not meet your specific needs.

How do cluster access policies fit in with the rest of Wayfinder?

Cluster access policies are an essential part of Wayfinder's security and access management framework, governing how users and access tokens interact with Wayfinder-managed clusters across all operations.

While they are not part of the self-service cluster provisioning process itself, they control what users can do within it. These policies ensure that access privileges are properly managed, determining who can access clusters, what actions they can perform, and under what conditions.

Use the diagram below to explore each step of the self-service cluster provisioning process.

Self-Service Cluster Creation Process

Administrators, workspace owners, or members initiate the self-service cluster creation process by specifying the cluster's provisioning specifications. These specifications can be used to provision the cluster directly via Wayfinder's CLI or User Interface, or indirectly through your CI pipeline.

Creating a Self-Service Cluster Provisioning Specification

Creating a cluster provisioning specification involves:

• Specifying a Cloud Access: This specification enables Wayfinder to access the cloud provider with the necessary permissions to manage and provision clusters.
• Specifying a Cluster Plan: A cluster plan includes:
  • Cluster Network Plan: Outlines the network specification for cluster provisioning.
  • Wayfinder Packages (Optional): Outlines the specification for each software/service that you want to use for bootstrapping the cluster during provisioning.
• Compute Templates (Optional): Pre-defined specifications for various compute instance (node pool) configurations, such as high-performance or low-cost options, to accelerate cluster creation in workspaces.
• Provisioning Policies: Enforces limits on self-service clusters such as cost restrictions, regions or permitted instance types.

Configuring Additional Policies

Cluster Access Policies and Cluster Policies are key to managing security, compliance, and access control within Wayfinder-managed clusters. Although these policies are not part of the self-service provisioning process itself, they are fully visible and configurable by administrators, enabling tailored management of permissions and governance as part of your overall cluster management strategy.

• Cluster Policies (Optional): Uses Kyverno to define and enforce security and compliance rules for cluster management and control.
• Cluster Access Policies: Grants users the right to gain short-lived access to a cluster themselves, or to assign permanent access to an access token.

This section focuses on configuring and managing Cluster Access Policies.

What comes next?

• Cluster Access Policy evaluation

Related Reading

• Read about user's access to clusters
• Read about access to Wayfinder itself
• About global and workspace policies
• View access policies
• Create access policies
• Update access policies
• Enable or disable an access policy
• Delete a policy