Create Role

Users who hold platform role permissions can create custom roles tailored to their actual usage scenarios. A custom role can only carry permissions that are equal to or less than the creator's own role permissions. When creating a role, you can configure:

  • Platform functional module operation permissions
  • Access permissions for user-defined resources (Kubernetes CRD)


Create Role via Console

Basic Information Configuration

  1. In the left navigation bar, click Users > Roles.
  2. Click Create Role.
  3. Configure the role's basic information:

Role Type

The role type limits the scope of permissions the role can be given and, later, the scope it applies to when assigned to users:

  • Platform Role: Displays all platform permissions
  • Project Role: Displays permissions under:
    • Project Management
    • Container Platform
    • Service Mesh
    • DevOps
    • Middleware
  • Namespace Role: Displays permissions under:
    • Project Management
    • Container Platform
    • Service Mesh
    • DevOps
    • Middleware
  4. Click Next.

View Configuration

In the view configuration section, you control the role's permission to access specified views. Views that are not selected will not be displayed in the top navigation for users with this role.

NOTE
  1. Your own role's permissions limit which view cards you can configure. For example, if your account does not have the Project Management view permission, the Project Management view card is grayed out when you create a role. You can only create roles whose permissions are equal to or lower than those of your own role.
  2. View entry status: if a view's Show Entry is turned off in the Products function, the view permissions selected in Permission Configuration still take effect, but the view stays inaccessible until the entry is enabled. Once the entry is enabled, the previously selected permissions work normally.

Permission Configuration

  1. Click Add Custom Permission in the upper left corner of the page.
  2. Configure the permissions the role has on custom resources (Kubernetes CRDs):

     Parameter             Description
     Group Name            The name of the permission group. Groups are displayed below the permission module in the order they were added.
     Resource Name         The name of the resource. Press Enter to add multiple custom resource names.
     Operation Permission  The operations the role is allowed to perform on the resource.

  3. Click Create.

Create Role via YAML

You can also create a role by submitting the following YAML to the global cluster. The comments explain each field; note in particular that a rule applies either to API resources or to non-resource URLs, never both.

apiVersion: auth.alauda.io/v1beta1
kind: RoleTemplate
metadata:
  annotations:
    cpaas.io/description: "" ## Role description
    cpaas.io/display-name: Project Manager ## Role display name
  labels:
    auth.cpaas.io/roletemplate.level: project ## Role level: platform, project, namespace
  name: project-admin-system-copy212
spec:
  customRules: ## Custom rules using the fields of a Kubernetes ClusterRole PolicyRule
    - apiGroups: ## API groups containing the resources. "" is the core API group, "*" is all API groups. A request against any listed resource in any listed group is allowed.
        - "" ## Core API group
        - apps ## Apps API group
      resources: ## Resources this rule applies to. "*" represents all resources.
        - "*" ## All resources
      resourceNames: ## Optional allow list of object names; omit the field to allow all names. A name-restricted rule only matches requests that carry a name (get, update, patch, delete). It does not grant create, deletecollection, or plain list/watch, because those requests have no object name to match.
        - "example-resource" ## Optional: specific resource names
      verbs: ## Verbs that apply to every resource in this rule. "*" represents all verbs. Common verbs: get, list, watch, create, update, patch, delete, deletecollection.
        - get ## Get a specific resource
        - list ## List resources
        - watch ## Watch resources for changes
        - create ## Create new resources
        - update ## Update existing resources
        - patch ## Partially update resources
        - delete ## Delete resources
        - deletecollection ## Delete collections of resources
    - nonResourceURLs: ## Second rule, for non-resource URL paths. A rule applies either to API resources or to non-resource URLs, never both, so this rule must not carry apiGroups, resources, or resourceNames. Non-resource URLs are not namespaced and are only valid in a ClusterRole referenced from a ClusterRoleBinding. "*" is allowed only as the full, final step in the path.
        - "/api"
        - "/api/*"
        - "/apis"
        - "/apis/*"
      verbs: ## For non-resource URLs the verb is the lowercased HTTP method, so get is what covers GET requests
        - get
        - list
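As an added example (not the platform's own code), the following Python script performs the two checks a reviewer would want before applying a RoleTemplate like the one above. It first validates each customRules entry against the structural rules Kubernetes applies to a PolicyRule (verbs required; nonResourceURLs never combined with apiGroups, resources or resourceNames; no non-resource URLs in a namespaced rule; wildcards only as the final path step), and it then checks that every permission the candidate grants is covered by the creating account's own rules, which is the "equal to or lower than your own role" condition stated at the top of this page. The rule dicts, the creator's permissions (CREATOR_RULES) and the mapping of the namespace level to a namespaced Role are assumptions constructed for the example.

```python
# Added example (not Alauda/cpaas platform code): pre-submit checks for the customRules of a
# RoleTemplate. Rules are plain dicts using the PolicyRule field names from the YAML above.
# CREATOR_RULES, the permissions of the account creating the role, is a constructed assumption.

def _wild(values, needle):
    """Match one PolicyRule list entry; "*" on the owner side matches anything."""
    return "*" in values or needle in values

def _url_covers(owner_url, cand_url):
    """Non-resource URL coverage: "*" covers everything, "/x/*" covers every path under "/x/"."""
    if owner_url == "*" or owner_url == cand_url:
        return True
    return owner_url.endswith("/*") and cand_url.startswith(owner_url[:-1])

def validate_rule(rule, namespaced=False):
    """Structural checks mirroring Kubernetes PolicyRule validation; returns error strings."""
    errs = []
    if not rule.get("verbs"):
        errs.append("verbs must contain at least one value")
    urls = rule.get("nonResourceURLs") or []
    if urls:
        if namespaced:
            errs.append("namespaced rules cannot apply to non-resource URLs")
        if rule.get("apiGroups") or rule.get("resources") or rule.get("resourceNames"):
            errs.append("rules cannot apply to both regular resources and non-resource URLs")
        for url in urls:
            if url == "*":
                continue
            if not url or url.endswith("/"):
                errs.append(f"nonResourceURL {url!r} must not be empty or end with /")
            elif "*" in url and not url.endswith("/*"):
                errs.append(f"nonResourceURL {url!r}: wildcard only allowed as the final path segment")
        return errs
    if not rule.get("apiGroups"):
        errs.append("resource rules must supply at least one api group")
    if not rule.get("resources"):
        errs.append("resource rules must supply at least one resource")
    return errs

def _resource_covered(owner_rules, group, resource, name, verb):
    """name=None means the candidate grants the verb on every object name."""
    for o in owner_rules:
        if o.get("nonResourceURLs"):
            continue
        names_ok = not o.get("resourceNames") or (name is not None and name in o["resourceNames"])
        if (_wild(o.get("apiGroups", []), group) and _wild(o.get("resources", []), resource)
                and names_ok and _wild(o.get("verbs", []), verb)):
            return True
    return False

def _url_covered(owner_rules, url, verb):
    return any(_wild(o.get("verbs", []), verb)
               and any(_url_covers(u, url) for u in o.get("nonResourceURLs") or [])
               for o in owner_rules)

def escalations(candidate_rules, owner_rules):
    """Permissions the candidate grants that no owner rule covers (a candidate wildcard needs an owner wildcard)."""
    missing = []
    for r in candidate_rules:
        if r.get("nonResourceURLs"):
            missing += [f"{verb} {url}" for url in r["nonResourceURLs"] for verb in r["verbs"]
                        if not _url_covered(owner_rules, url, verb)]
            continue
        for group in r["apiGroups"]:
            for resource in r["resources"]:
                for name in r.get("resourceNames") or [None]:
                    for verb in r["verbs"]:
                        if not _resource_covered(owner_rules, group, resource, name, verb):
                            missing.append(f"{verb} {group or 'core'}/{resource}" + (f"[{name}]" if name else ""))
    return missing

def check_template(template, owner_rules):
    """Validate every rule first; only a well-formed template gets the escalation check."""
    level = template["metadata"]["labels"]["auth.cpaas.io/roletemplate.level"]
    namespaced = level == "namespace"  # assumption: namespace-level templates become namespaced Roles
    rules = template["spec"]["customRules"]
    problems = [f"customRules[{i}]: {e}" for i, r in enumerate(rules) for e in validate_rule(r, namespaced)]
    if problems:
        return problems
    return [f"escalation: creator does not hold {p}" for p in escalations(rules, owner_rules)]

# The RoleTemplate from the YAML above, as dicts.
TEMPLATE = {
    "metadata": {"name": "project-admin-system-copy212",
                 "labels": {"auth.cpaas.io/roletemplate.level": "project"}},
    "spec": {"customRules": [
        {"apiGroups": ["", "apps"], "resources": ["*"], "resourceNames": ["example-resource"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]},
        {"nonResourceURLs": ["/api", "/api/*", "/apis", "/apis/*"], "verbs": ["get", "list"]},
    ]},
}

# Constructed: the creating account holds everything on the core and apps groups but no non-resource URLs,
# so the template's second rule is an escalation and must be rejected.
CREATOR_RULES = [{"apiGroups": ["", "apps"], "resources": ["*"], "verbs": ["*"]}]

if __name__ == "__main__":
    for line in check_template(TEMPLATE, CREATOR_RULES) or ["ok"]:
        print(line)
```

Run with python3: the template above passes structural validation, but every get/list on the four non-resource URLs is reported as an escalation because the creator holds no non-resource URL rule. Adding a rule such as nonResourceURLs ["/*"] with verbs get and list to CREATOR_RULES makes the check pass; a candidate that asks for apiGroups "*" is likewise rejected unless the creator also holds "*".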