Version: 1.6

Managing User Access

This topic applies to both Wayfinder admins and workspace admins. The difference between the two is:

  • Wayfinder admins manage user access globally for all workspaces.
  • Workspace admins manage user access in their workspace only.

Understanding roles and access policies

A role is a generic set of permissions against Kubernetes resources, for example, clusters. When an access policy is applied to a role, those generic permissions are constrained to specific resources and conditions.

For example, the cluster.admin role has generic permissions to let users do many operations on a cluster. The access policy associated with this role determines:

  • Which user groups (for example workspace admin or member) can assume this role
  • Which cluster(s) the role applies to
  • What times of day and days of the week the role can be assumed
  • What source networks the user can come from to assume the role
  • How long the user can assume this role before it expires

So whether a specific user can assume this role for a specific cluster depends on the access policy.

User groups are a way to include multiple users within an access policy. For example, if you put users in the workspace admin group, they will all be subject to a policy that refers to the admin group. For details, see:

Manage user roles

About global and workspace roles

There are two kinds of roles:

  • Global roles—Wayfinder comes with default global roles, and a Wayfinder admin can create more global roles.

    • Global roles are at the platform level and available as read-only in all workspaces—they cannot be edited, disabled, or deleted at the workspace level.
    • Wayfinder admins can disable or delete any role they create.
    • Wayfinder admins cannot delete Wayfinder's default roles, but can disable them.
  • Workspace roles—All global roles are available in workspaces as read-only. Workspace admins can also create their own roles, specific to their workspace only.

See Default roles for a list of roles that come with Wayfinder.

View roles, permissions, and access policies

You can see what roles are available, along with their permissions and associated access policies.

To view available roles and details:

  1. In the UI, navigate to User access > Roles.

    The list of available roles is displayed. Use the filters at the top to narrow down your list.

  2. Click the name of a role, or expand it, to see what Permissions the role provides.

    Role permissions table

  3. Click the Access policies tab to see the associated policies.

    Click the name of an access policy to see its details. See also View access policies.

CLI: wf get role

Create a role

In addition to Wayfinder's default roles, you can create new ones to suit your needs. You might want a new role, for example, if you need a special permission not covered by the default roles.

Roles created by the Wayfinder admin are global and available to all workspaces. Roles created at a workspace level apply only to that workspace.

To create a new role:

  1. In the UI, navigate to User access > Roles, and then click Create role.

  2. Enter a name and description for the role, and then in the fields provided select the:

    • Group of Kubernetes APIs this role can access—you can select multiple groups. To add a custom API group, click the + (plus sign) and enter the name of the group.
    • Resources the role can access—you can select multiple resources
    • Verbs the role can execute on these resources—you can select multiple verbs

    Create role dialog

  3. Click Next to see a preview of the permissions in your new role, and then click Save.

    Alternatively, you can click Back to continue editing and then repeat this step to save your role.

  4. If you need a new policy to control access for this role, see Create access policies below.

YAML example: For a detailed example of creating a role and a policy to go with it using YAML and the CLI, see Creating New Roles and Policies.

Edit a role

You can only edit a role you have created. The default roles that come with Wayfinder cannot be edited.

When you edit a role, it is updated for anyone who assumes the role after your edits. But current live sessions using this role are not affected.

To edit a role:

  1. In the UI, navigate to User access > Roles.

  2. Find and expand the role you want to edit, and then click the Actions tab.

  3. Click the Edit button, and then in the fields provided select the:

    • Group of Kubernetes APIs this role can access—you can select multiple groups. To add a custom API group, click the + (plus sign) and enter the name of the group.
    • Resources the role can access—you can select multiple resources
    • Verbs the role can execute on these resources—you can select multiple verbs

    Edit role dialog

  4. Click Next to see a preview of the permissions from your edits, and then click Save.

    Alternatively, you can click Back to continue editing and then repeat this step to save your edits.

Get the YAML code for a role

To view and copy the YAML for a role:

  1. In the UI, navigate to User access > Roles.
  2. Find and expand the role you want, and then click the Actions tab.
  3. Click View YAML, and then Copy to clipboard.

CLI: wf get role ROLE-NAME -o yaml

Enable or disable a role

Wayfinder admins and workspace admins have these permissions to enable or disable roles:

  • Wayfinder admins: Can enable/disable any role (default or custom), whether it's global or specific to a workspace
  • Workspace admins: Can enable/disable only roles they create for their workspaces
Warning: Disabling a global role deletes it in workspaces.

To enable or disable a Wayfinder default role, use one of these CLI commands:

  • If it's a workspace role:
    wf [enable | disable] accessrole ROLENAME

  • If it's a global role:
    wf [enable | disable] globalaccessrole ROLENAME

Delete a role

You can delete any role you created. However, Wayfinder default roles cannot be deleted. Instead, the Wayfinder admin can disable default roles if necessary.

To delete a role you created:

  1. In the UI, navigate to User access > Roles.
  2. Find and expand the role you want, and then click the Actions tab.
  3. Click the Delete button, and then confirm you want to delete the role.

CLI: wf delete role ROLENAME

Manage access policies

About global and workspace policies

There are two kinds of access policies:

  • Global access policies—Wayfinder comes with default global access policies, and a Wayfinder admin can create more global policies.

    • Global policies are at the platform level and available as read-only in all workspaces. These cannot be edited, disabled, or deleted at the workspace level.
    • Wayfinder admins can disable or delete any policy they create.
    • Wayfinder admins cannot delete default policies, but can disable them.
  • Workspace access policies—All global access policies are available in workspaces as read-only. Workspace admins can also create their own access policies, specific to their workspace only.

View access policies

To view access policies:

  1. In the UI, navigate to User access > Access policies.

    The list of available policies is displayed. Use the filters at the top to narrow down your list.

  2. Expand a policy to see who, what, and when the policy applies to.

CLI:
wf get accesspolicy
wf get globalaccesspolicy

Create access policies

You may need to create a new policy, for example, if the precise access conditions are not included in the default policies, or if you create a new role that requires a new access policy. You can create access policies to:

  • Permit human users to assume a role for a limited duration
  • Permit human users to assign a role to a robot permanently

To create an access policy:

  1. In the UI, navigate to User access > Access policies.

  2. Click Create policy.

    The Create policy dialog is displayed (image not reproduced here).

  3. Enter a name and description of the policy, and the Roles, user Groups, and Workspaces (if you're a Wayfinder Admin) the policy applies to.

    • Groups indicates the user group(s) who can assume the selected role(s) for a limited time, or who can assign the selected role(s) to a robot permanently.
    • Workspaces is shown only for Wayfinder Admins (in Wayfinder settings).
  4. Set these policy constraints as needed in the fields provided:

    Note: If this is a robot access policy, the constraints apply to creating the robot, not to the robot itself.

    • Max expiration—the maximum length of a session in which a human user can assume the specified roles. Does not apply to robot roles, which are permanent.
    • Clusters—which clusters can be accessed. Click Advanced mode to match cluster labels.
    • Namespaces—which namespaces can be accessed
    • Source Networks—which source networks can be used to access the specified roles, or to create a robot with those roles
    • Days of week—allowed days to assume the specified roles, or to create a robot with those roles
    • Time of day—allowed time of day to assume the specified roles, or to create a robot with those roles
  5. Click Save.

For a detailed example of creating a role and policy to go with it (using YAML and the CLI), see Creating New Roles and Policies.
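The constraint list above (groups, clusters, namespaces, source networks, days of week, time of day, max expiration) is easiest to reason about as a small evaluator. The following is an added example, not Wayfinder's code and not its policy schema: it models a policy and a request to assume a role with assumed field names, denies when any constraint fails, and caps the granted session at the policy's max expiration rather than extending it. The sample policy and request values are constructed.

```python
"""Illustrative model of how an access policy constrains a role.

Added example: the dataclass fields, the evaluation order and the sample
policy below are assumptions for illustration, not Wayfinder's schema.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
import ipaddress


@dataclass
class AccessPolicy:
    name: str
    roles: set                 # roles this policy governs
    groups: set                # user groups that may assume them
    clusters: set              # empty set = any cluster
    namespaces: set            # empty set = any namespace
    source_networks: list      # CIDR strings; empty list = any source
    days_of_week: set          # 0=Monday .. 6=Sunday; empty set = any day
    time_window: tuple         # (start, end) as datetime.time, or None
    max_expiration: timedelta  # cap on a human session length
    enabled: bool = True


@dataclass
class AssumeRequest:
    user_groups: set
    role: str
    cluster: str
    namespace: str
    source_ip: str
    at: datetime
    requested_duration: timedelta


def source_allowed(networks, ip):
    """True when no networks are configured or the IP falls in one of them."""
    if not networks:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def evaluate(policy, req):
    """Return (True, granted_duration) or (False, reason)."""
    if not policy.enabled:
        return False, "policy disabled"
    if req.role not in policy.roles:
        return False, "role not covered by policy"
    if not (req.user_groups & policy.groups):
        return False, "user not in a permitted group"
    if policy.clusters and req.cluster not in policy.clusters:
        return False, "cluster not permitted"
    if policy.namespaces and req.namespace not in policy.namespaces:
        return False, "namespace not permitted"
    if not source_allowed(policy.source_networks, req.source_ip):
        return False, "source network not permitted"
    if policy.days_of_week and req.at.weekday() not in policy.days_of_week:
        return False, "outside permitted days"
    if policy.time_window:
        start, end = policy.time_window
        if not (start <= req.at.time() <= end):
            return False, "outside permitted time of day"
    # The session is capped at max expiration; a longer request is shortened.
    granted = min(req.requested_duration, policy.max_expiration)
    return True, granted


def decide(policies, req):
    """Allow if any enabled policy permits the request; otherwise deny with reasons."""
    reasons = []
    for p in policies:
        ok, detail = evaluate(p, req)
        if ok:
            return True, p.name, detail
        reasons.append(f"{p.name}: {detail}")
    return False, None, "; ".join(reasons)


def make_request(groups, role, cluster, namespace, ip, when_iso, hours):
    """Convenience constructor; when_iso is an ISO-8601 timestamp string."""
    return AssumeRequest(set(groups), role, cluster, namespace, ip,
                         datetime.fromisoformat(when_iso), timedelta(hours=hours))


# Constructed sample policy: workspace admins may assume cluster.admin on the
# prod-eu cluster from 10.20.0.0/16, Monday to Friday 08:00-18:00, for up to 2h.
PROD_ADMIN = AccessPolicy(
    name="prod-cluster-admin-office-hours",
    roles={"cluster.admin"},
    groups={"workspace-admin"},
    clusters={"prod-eu"},
    namespaces=set(),
    source_networks=["10.20.0.0/16"],
    days_of_week={0, 1, 2, 3, 4},
    time_window=(time(8, 0), time(18, 0)),
    max_expiration=timedelta(hours=2),
)

if __name__ == "__main__":
    # Tuesday 10:30 from the office network, asking for 8h: allowed, capped to 2h.
    req = make_request(["workspace-admin"], "cluster.admin", "prod-eu",
                       "default", "10.20.5.7", "2024-03-12T10:30", 8)
    print(decide([PROD_ADMIN], req))
```

Note the two behaviours worth checking in any such evaluator: a request that satisfies every constraint still gets no more than max expiration, and a single failing constraint (wrong source network, weekend, wrong group) produces a deny with the reason attached, which is what you want in an audit trail.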

Edit access policies

When you edit a policy, it is updated for anyone who assumes the associated role(s) after your edits. But current live sessions using the role(s) are not affected.

To edit an access policy:

  1. In the UI, navigate to User access > Access policies.
  2. Find and expand the policy you want to edit, and then click the Actions tab.
  3. Click the Edit button, and then edit the policy as needed (see the Policy constraints described above).
  4. Click Save.

Get the YAML code for a policy

For more information, see Creating Roles and Policies using YAML.

To get the YAML code for a policy:

  1. In the UI, navigate to User access > Access policies.
  2. Expand the policy you want, click the Actions tab, and then click View YAML.
  3. Click Copy to clipboard to use this YAML code as needed.

CLI:
wf get accesspolicy POLICY-NAME -o yaml (for a workspace policy)
wf get globalaccesspolicy POLICY-NAME -o yaml (for a global policy)

Enable or disable an access policy

Wayfinder admins and workspace admins have these permissions to enable or disable access policies:

  • Wayfinder admins: Can enable/disable any access policy (default or custom), whether it's global or specific to a workspace
  • Workspace admins: Can enable/disable only policies they create for their workspaces
Warning: Disabling a global access policy deletes it in workspaces.

To enable or disable a Wayfinder default access policy, use one of these CLI commands:

  • If it's a workspace policy:
    wf [enable | disable] accesspolicy POLICYNAME

  • If it's a global policy:
    wf [enable | disable] globalaccesspolicy POLICYNAME

Delete a policy

You can delete any access policies you create. However, Wayfinder default access policies cannot be deleted. Instead, you can disable default policies if necessary.

To delete an access policy you created:

  1. In the UI, navigate to User access > Access policies.
  2. Find and expand the policy you want, and then click the Actions tab.
  3. Click the Delete policy button, and then confirm you want to delete the policy.

CLI:
wf delete accesspolicy POLICY-NAME (for a workspace policy)
wf delete globalaccesspolicy POLICY-NAME (for a global policy)

Getting access

Wayfinder users get access to roles (and the permissions provided by the roles) in two ways:

  • Human users - Get access to infrastructure via the wf access CLI command. For details, see Human Roles.

  • Robots/service accounts - Get access to infrastructure when you create the robot and assign it a role. The generated robot token/secrets can be used in your CI pipeline to automate deployments. For details, see Robot Roles.

Revoking access

Administrators can view and revoke live user access sessions. For details, see Revoking Access.