In enterprise bussiness scenarios, the resource hierarchy of KubeSphere is divided into three levels:
Multi-level division is also the basis to realize multi-tenant and resource isolation. For the user to create an account, the first by the cluster admin or workspace by invite new members to join the workspace, and then can be under the same corporate space project or enterprise project admin, invited to join the project and enterprise engineering, invited the admin can give the corresponding role for new members, and different roles with different operating rights, the role of the platform built in several commonly used for use. At the same time, the platform supports the admin to customize the role and permission list. The following describes the authority management and built-in roles at different levels.
Roles are divided into three levels: cluster, workspace, and project/DevOps projects, which relate users to different levels of resources.
The reason why multiple built-in roles are divided in cluster and cluster space is to conduct fine-grained management according to the permissions of different roles, so that members with different roles can more accurately view and manage resources in cluster or workspace. Only after the permissions of different roles are subdivided can the control and isolation of different resources in multi-tenant mode be more secure. The following figure summarizes which permissions different roles have in the cluster and workspace.
Overview of Built-in Role Permissions
Cluster includes user management, workspace management and resource management at the level of various clusters. Cluster level authority, mainly for nodes, cluster monitoring, storage type, workspace and other cluster level resource control.
Built-in cluster role:
|cluster-admin||Cluster admin can manage all the resources in the cluster.|
|workspaces-manager||Manage all the workspaces in the cluster and the projects and engineering resources below.|
|cluster-regular||Regular users, they do not have any resource operation rights before they are invited to join the workspace.|
Individual tenants, projects, and Devops projects are all in the workspace, which also has members that can be added from the cluster's user pool. When an workspace is created, the creator defaults to the admin role under that space. The admin of the workspace can create project, DevOps engineering resources in the workspace and invite users to join the workspace from the user pool of the cluster.
Built-in workspace role:
|workspace-admin||Workspace manager, can manage all resources under the workspace.|
|workspace-regular||Workspace regular member to create projects and projects in the workspace.|
|workspace-viewer||Observer of the workspace to view all resource information in the workspace.|
Cluster computing resource virtual partition, the project has a resource quota limit. When a project, DevOps project is created, the creator defaults to the admin role under the project or DevOps project. Users can be searched and added from the user pool under the workspace by the project admin, who invites members within the project.
Built-in project role:
|admin||project manager, can manage all the resources under the project.|
|operator||project maintainer manages resources under the project in addition to users and roles.|
|viewer||project viewer that can view all the resources under a project.|
Overview of built-in role permissions
|Pods management||remote connection||remote connection||remote connection|
|External Access management||view/create/edit/delete||view/create/edit/delete||view|
|Routers management to||view/create/edit/delete||view/create/edit/delete||view|
Facilitate fine-grained management of DevOps projects. The admin of the DevOps project search and add users from the user pool under the workspace.
Built-in DevOps engineering roles:
|owner||the owner of the project, can do all the actions of the project.|
|Maintainer||can maintain credentials and pipeline configuration within the project.|
|Developer||can trigger and view pipeline.|
|Reporter||can check pipeline status.|