Version: 1.5

About Role Based Access Control (RBAC)

Wayfinder provides a detailed, highly configurable, policy-based engine to permit access to itself and to the infrastructure it manages. It ships with a default Compliance Package constraining what all workspaces can do, and workspace administrators can create appropriate policies for their workspace members and robots.

The RBAC capabilities provided by Wayfinder are described in detail in the Access and Policy section, which explains how workspace members and workspace administrators can use and control permissions for Wayfinder and the clusters it manages.

Additional compliance packages and the application of custom Wayfinder-wide compliance packages will be available in future releases of Wayfinder.

RBAC terminology

Permission: The ability to create, modify, delete, or perform other operations on a resource (such as a cluster, namespace, ingress, etc.)

Role: A group of permissions that can be granted to a subject (human or robot). For example, a Workspace Admin has permissions to create and delete clusters, create namespaces, etc. Roles provide a set of templates for permissions that can be assumed by, or assigned to, subjects. Human subjects can assume roles. Robots are assigned roles. Roles are often bundled in a compliance package. (Note that a role is different from a workspace role like member or admin.)

Policy plan: A template for a set of policies, some of which are usable as roles. Run wf get compliance to list policy plans and policies in your compliance package.

Policy: A set of rules about what a specific subject (human or robot) can do. They prescribe the optional conditions or rules under which a role can be used, and for which resources. For example, the Wayfinder deployment role is assigned to robot A. Then a policy is assigned to robot A, using the Wayfinder deployment role, which permits the robot to deploy to a specific cluster and namespace, and only during working hours. Another example of a policy is one that defines who can assume or assign a role, and under what conditions.

Compliance package: A collection of roles and policies. In Wayfinder, compliance packages are associated with a development stage. The development stage is chosen when creating a cluster. For example, when a Workspace Admin creates a cluster and chooses whether it’s for production or non-production, the appropriate compliance package is automatically applied.