Skip to main content
Version: 1.4

Creating New Roles and Policies

Roles and policies are essentially Kubernetes resource definitions. With some knowledge of Open Policy Agent (OPA), workspace administrators can create their own custom Wayfinder roles and policies. You can start from scratch, or copy and customize one of Wayfinder's roles or policies to suit your needs. Once you create your resource definition for a new role or policy, you apply it to Wayfinder using the CLI.

This topic shows an example of adding a new role. The same principles apply to creating a new assumption or assignment policy.

For more information on writing other types of custom security policies see:

View existing roles or policies

To view an existing role or policy:

  1. Get a list of roles or policies using one of these commands:

    • wf get role
    • wf get policy
  2. View details of a role or policy using one of these commands:

    • wf get role ROLE-NAME -o yaml
    • wf get policy POLICY-NAME -o yaml

    You can redirect to a file by adding > NAME.yaml to the commands.

Example: Add a role

Let's say a developer creates a robot that needs additional permissions not covered in the wf.deployment role. While the permissions granted by this role cover the majority of those required to deploy, this developer is using a mongodb operator that requires access to additional API groups in kubernetes.

As a workspace administrator, you can add a role that grants the required permissions by:

  • Creating a new role for the new permissions
  • Creating an assignment policy that allows workspace members to assign the role to a robot

The developer can then assign both the wf.deployment role and your new role to the robot.

To add the new role and create an assignment policy:

  1. Create a new role named mongodb-io using a custom resource, as shown in this .yaml file:

    kind: PolicyPlan
    name: mongodb-io
    description: |
    Provides the ability to deploy and manage a mongodb cluster via
    the very special operator.

    - resource:
    - instances
    - clusters
    - "*"
    action: allow
    message: Allows access to mongodb operator apigroups
  2. To apply the new role to Wayfinder, use the path to the file above, and run:

    wf apply -f PATH-TO-FILE.yaml

  3. Create an assignment policy, permitting workspace members to assign the role to robots:

    wf create policy assignment --role mongodb-io

Now the developer can add this role to the robot, along with the wf.deployment role.