By default, Wayfinder does not assign static permissions to robots/service accounts when they are created. Instead, users must explicitly assign roles to robots. Assignment Policies put constraints on how users are permitted to assign static permissions to a robot. For more information, see Assigning Roles.
As a workspace administrator, you can use Wayfinder's default assignment policy, or create new assignment policies that are either more restrictive or less so. Wayfinder's default assignment policy is
To see details of policies, see View all policies below.
We do not recommend allowing users to assign permissions permanently to a human user of Wayfinder. Human users should use
wf assume instead, as described in Assuming Roles.
Create an assignment policy
As a workspace admin, when you create an assigment policy for a role, you are telling Wayfinder:
- Whom are you allowing to assign this role: one or more workspace members, a workspace role, everyone, etc.
- The constraints on what they are permitted to assign the role to. In nearly all cases this is a robot. You can restrict the assignment to a specific robot, or all robots if needed.
Here are the options you can control on an assignment policy. These options can be used to allow someone to assign a role or to constrain the assignment:
|Workspace Member||Allow one or more specific workspace members to assign the role|
|All Subjects||Allow everyone to assign the role|
|Robot Account||Constrain the assignment to a selected robot|
|All Robots||Constrain the assignment to all robots|
|Subject Scope||Allow or constrain the assignment to a scope: users, robots, or kubernetes tokens|
|Workspace Role||Allow someone with a specific workspace role to assign the role. Example workspace roles: |
To create an assignment policy:
Run the command
wf create policy assignment. For example:
wf create policy assignment --role cluster.deployment
Follow the prompts to answer questions that will create the policy.
Answer Who should be able to apply this role. You can answer the question more than once to add to your selection. When done with this question, select
$ wf create policy assignment --role cluster.deployment
✔ Creating assignment policy on role: cluster.deployment
? Who should be able to apply this role
▸ Workspace Member - allows you to limit the scope by the workspace member
All Subjects - allows you to scope to all subjects
Robot Account - allows you to limit the scope by a specific robot
All Robots - scopes the permission to all robots in wayfinder
Subject Scope - limits the by the scope of the token (user, robot)
Workspace Role - limits the scope by workspace role membership of the user
Answer How should the role be constrained. You can answer the question more than once to add to your selection. When done with this question, select
Answer Cluster to apply the permission to, and then select
Next. You can choose only one cluster.
Confirm you want to apply this policy.
Once you confirm, the policy is submitted and applied.
To view all the policies, run
wf get policy. Check the
AGEcolumn to see the policy you've just created.
View all policies
You can list all types of Wayfinder policies as well as see the details of the policy definitions. To identify the policies associated with robot role assignments, look for
assign within the name of the policy.
To list policies or view policy details:
To list all Wayfinder policies, run
wf get policy.
The response is something like the one below. This includes default Wayfinder policies, policies created by assignment or assume policies, or other custom policies:
NAME ROLE ENABLED STATUS AGE
assignment.members - true Success 70d
assume.admin - true Success 70d
assume.members - true Success 70d
cluster.admin-assume-tjh2d cluster.admin true Success 155m cluster.deployment-assign-fkbdl cluster.deployment true Success 7m22s
cluster.deployment-assign-m5vlh cluster.deployment true Success 4m40s
cluster.ingress.v1 - false Success 28d
cluster.networkpolicies.v1 - true Success 28d
cluster.serviceaccounts.v1 - true Success 28d
cluster.services.v1 - true Success 28d
default.clusters-release default.clusters true Success 28d
default.members-release default.members true Success 28d
default.robots-release default.robots true Success 28d
To view the details of any policy, run
wf get policy POLICY-NAME -o yaml.
The kubernetes resource definition for the policy is displayed.
Disable or delete assignment policies
To disable a policy:
Select a workspace in the UI, and then navigate to Access policy > User access policies.
Find the policy you want to disable, and then click Disable.
The policy is disabled, and an Enable button appears. You can re-enable the policy later by clicking this button.
wf get policy
wf disable policy POLICY-NAME
To delete a policy:
This cannot be undone.
- Select a workspace in the UI, and then navigate to Access policy > User access policies.
- Find the policy you want to delete, click the down arrow to expand its details, and then click Delete policy.
- Confirm that you want to delete the policy.
Create more roles
Revoke robot access
See Revoking Access.