Roles and policies are essentially Kubernetes resource definitions. With some knowledge of Open Policy Agent (OPA), workspace administrators can create their own custom Wayfinder roles and policies. You can start from scratch, or copy and customize one of Wayfinder's roles or policies to suit your needs. Once you create your resource definition for a new role or policy, you apply it to Wayfinder using the CLI.
For more information on writing other types of custom security policies see:
View existing roles or policies
To view an existing role or policy:
Get a list of roles or policies using one of these commands:
wf get role
wf get policy
View details of a role or policy using one of these commands:
wf get role ROLE-NAME -o yaml
wf get policy POLICY-NAME -o yaml
You can redirect to a file by adding > NAME.yaml to the commands.
Example: Add a role
Let's say a developer creates a robot that needs additional permissions not covered in the wf.deployment role. While the permissions granted by this role cover the majority of those required to deploy, this developer is using a mongodb operator that requires access to additional API groups in Kubernetes.
As a workspace administrator, you can add a role that grants the required permissions by:
- Creating a new role for the new permissions
- Creating an assignment policy that allows workspace members to assign the role to a robot
The developer can then assign both the wf.deployment role and your new role to the robot.
To add the new role and create an assignment policy:
Create a new role named mongodb-io using a custom resource, as shown in this
Provides the ability to deploy and manage a mongodb cluster via
the very special operator.
message: Allows access to mongodb operator apigroups
To apply the new role to Wayfinder, use the path to the file above, and run:
wf apply -f PATH-TO-FILE.yaml
Create an assignment policy, permitting workspace members to assign the role to robots:
wf create policy assignment --role mongodb-io
Now the developer can add this role to the robot, along with the
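
A least-privilege check a workspace administrator could run over the permission rules of a custom role such as mongodb-io before applying it with wf apply. This is an added example, not Wayfinder code: it assumes the rules use the Kubernetes RBAC shape (apiGroups, resources, verbs), which this page does not show, and the group and resource names are constructed placeholders.

```python
"""Least-privilege review of a custom role's permission rules (added example)."""

# Assumption: each rule uses the Kubernetes RBAC shape (apiGroups, resources,
# verbs). The Wayfinder role schema is not shown on the page, so rules are
# plain dicts here rather than a parsed role file.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}


def review_rules(rules, allowed_groups):
    """Return findings for the rules; an empty list means nothing was flagged."""
    findings = []
    for i, rule in enumerate(rules):
        fields = {k: rule.get(k) or [] for k in ("apiGroups", "resources", "verbs")}
        for name, values in fields.items():
            if not values:
                findings.append(f"rule {i}: {name} is empty or missing")
            elif "*" in values:
                findings.append(f"rule {i}: wildcard in {name}")
        # The new role should add only the operator's API groups on top of
        # what the existing deployment role already grants.
        for group in fields["apiGroups"]:
            if group != "*" and group not in allowed_groups:
                findings.append(f"rule {i}: API group {group!r} is not approved")
        for verb in sorted(ESCALATION_VERBS.intersection(fields["verbs"])):
            findings.append(f"rule {i}: privilege-escalation verb {verb!r}")
    return findings


# Constructed sample data: the group and resource names are placeholders.
ALLOWED_GROUPS = {"mongodb.example.com"}
TIGHT_RULES = [
    {"apiGroups": ["mongodb.example.com"], "resources": ["mongodbclusters"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
]
LOOSE_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
     "verbs": ["bind"]},
    {"apiGroups": ["mongodb.example.com"], "resources": ["mongodbclusters"]},
]

if __name__ == "__main__":
    for label, rules in (("tight", TIGHT_RULES), ("loose", LOOSE_RULES)):
        result = review_rules(rules, ALLOWED_GROUPS)
        print(f"{label}: {'no findings' if not result else 'review needed'}")
        for finding in result:
            print("  -", finding)
```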