Skip to main content
Version: 1.3

Creating Assignment Policies

By default, Wayfinder does not assign static permissions to robots/service accounts when they are created. Instead, users must explicitly assign roles to robots. Assignment Policies put constraints on how users are permitted to assign static permissions to a robot. For more information, see Assigning Roles.

As a workspace administrator, you can use Wayfinder's default assignment policy, or create new assignment policies that are either more restrictive or less so. Wayfinder's default assignment policy is assignment.members.

To see details of policies, see View all policies below.

caution

We do not recommend allowing users to assign permissions permanently to a human user of Wayfinder. Human users should use wf assume instead, as described in Assuming Roles.

Create an assignment policy

As a workspace admin, when you create an assigment policy for a role, you are telling Wayfinder:

  • Whom are you allowing to assign this role: one or more workspace members, a workspace role, everyone, etc.
  • The constraints on what they are permitted to assign the role to. In nearly all cases this is a robot. You can restrict the assignment to a specific robot, or all robots if needed.

Here are the options you can control on an assignment policy. These options can be used to allow someone to assign a role or to constrain the assignment:

OptionDescription
Workspace MemberAllow one or more specific workspace members to assign the role
All SubjectsAllow everyone to assign the role
Robot AccountConstrain the assignment to a selected robot
All RobotsConstrain the assignment to all robots
Subject ScopeAllow or constrain the assignment to a scope: users, robots, or kubernetes tokens
Workspace RoleAllow someone with a specific workspace role to assign the role. Example workspace roles: member, admin, or a workspace role you've created

To create an assignment policy:

  1. Run the command wf create policy assignment. For example:

    wf create policy assignment --role cluster.deployment

  2. Follow the prompts to answer questions that will create the policy.

    1. Answer Who should be able to apply this role. You can answer the question more than once to add to your selection. When done with this question, select Next.

      $ wf create policy assignment --role cluster.deployment
      ✔ Creating assignment policy on role: cluster.deployment
      ? Who should be able to apply this role
      ▸ Workspace Member - allows you to limit the scope by the workspace member
      All Subjects - allows you to scope to all subjects
      Robot Account - allows you to limit the scope by a specific robot
      All Robots - scopes the permission to all robots in wayfinder
      Subject Scope - limits the by the scope of the token (user, robot)
      Workspace Role - limits the scope by workspace role membership of the user
      ↷ Next
    2. Answer How should the role be constrained. You can answer the question more than once to add to your selection. When done with this question, select Next.

    3. Answer Cluster to apply the permission to, and then select Next. You can choose only one cluster.

  3. Confirm you want to apply this policy.

    Once you confirm, the policy is submitted and applied.

  4. To view all the policies, run wf get policy. Check the AGE column to see the policy you've just created.

View all policies

You can list all types of Wayfinder policies as well as see the details of the policy definitions. To identify the policies associated with robot role assignments, look for assign within the name of the policy.

To list policies or view policy details:

  1. To list all Wayfinder policies, run wf get policy.

    The response is something like the one below. This includes default Wayfinder policies, policies created by assignment or assume policies, or other custom policies:

      NAME                              ROLE                ENABLED     STATUS     AGE
    assignment.members - true Success 70d
    assume.admin - true Success 70d
    assume.members - true Success 70d
    cluster.admin-assume-tjh2d cluster.admin true Success 155m cluster.deployment-assign-fkbdl cluster.deployment true Success 7m22s
    cluster.deployment-assign-m5vlh cluster.deployment true Success 4m40s
    cluster.ingress.v1 - false Success 28d
    cluster.networkpolicies.v1 - true Success 28d
    cluster.serviceaccounts.v1 - true Success 28d
    cluster.services.v1 - true Success 28d
    default.clusters-release default.clusters true Success 28d
    default.members-release default.members true Success 28d
    default.robots-release default.robots true Success 28d
  2. To view the details of any policy, run wf get policy POLICY-NAME -o yaml.

    The kubernetes resource definition for the policy is displayed.

Disable or delete assignment policies

To disable a policy:

  1. Select a workspace in the UI, and then navigate to Access policy > User access policies.

  2. Find the policy you want to disable, and then click Disable.

    The policy is disabled, and an Enable button appears. You can re-enable the policy later by clicking this button.

CLI:

wf get policy
wf disable policy POLICY-NAME

To delete a policy:

caution

This cannot be undone.

  1. Select a workspace in the UI, and then navigate to Access policy > User access policies.
  2. Find the policy you want to delete, click the down arrow to expand its details, and then click Delete policy.
  3. Confirm that you want to delete the policy.

Create more roles

See Creating New Roles and Policies.

Revoke robot access

See Revoking Access.