Skip to content

Overview

Overview

The base roles that the platform includes out of the box provides a certain level of access to controller and cluster resources, the details of which are outlined here.

There are scenarios where more fine-grained access policies (than what is included with the platform's base roles) need to be configured for users. ZTKA (Zero-Trust) Custom Access enables customers to define custom RBAC definitions to control the access that users have to the clusters in the organization.

An example could be restricting users to read only access (get, list, watch verbs) for certain resources (e.g. pods, secrets) in a certain namespace. Only Org Admin can configure ZTKA Custom Access rules, policies, and custom roles.


Implementing ZTKA Custom Access

ZTKA Custom Access implementation involves the following three steps:

  • Step 1 - Create Rules: ClusterRole or Role YAML definition files are provided as part of this step, applicability of the rule is determined based on project/cluster selection

  • Step 2 - Create Policies: Policies is a collection of one or more rules that is referenced as part of Custom Roles

  • Step 3 - Custom Roles: A Custom Role configuration includes selection of a base role along with the necessary overlay ZTKA Custom Access policies

Important

Custom ZTKA Access definition specified for a user for a particular project/cluster overrides the ZTKA Access definition associated with the user's base role.


Scenarios

Platform Base Role K8s Role K8s RoleBindings
Namespace Admin or Namespace Read Only ClusterRole and the YAML file includes the label k8smgmt.io/bindingtype: rolebinding RoleBindings will be created in all the namespaces associated with the base role
Platform Base Roles other than Namespace Admin/Namespace Read Only ClusterRole and the YAML file includes the label k8smgmt.io/bindingtype: rolebinding ClusterRoleBindings will be created
Any Platform Base Role ClusterRole ClusterRoleBindings will be created
Any Platform Base Role Role RoleBindings will be created in the namespaces provided in the Role Definition file

ZTKA Custom Access workflow

The sequence diagram below captures the high level steps to create a Rules, Policies, and Custom Roles.

Step 1: ZTKA Custom Access Rules

sequenceDiagram
    Note over Login to Console: Only Org Admin
    Login to Console->>Navigate to ZTKA Custom Access Rules: From System menu
    Navigate to ZTKA Custom Access Rules->>Add Rules: Create new rule version
    Add Rules->>Save Changes: Settings: Artifact File, Project Selector, and Cluster Selector    
    Save Changes->>New Version: Edit to add multiple versions

Step 2: ZTKA Custom Access Policies

sequenceDiagram
    Navigate to ZTKA Custom Access Policies->>Add Policy: Create new policy version
    Add Policy->>Save Changes: Settings: General and ZTKA Rules
    Save Changes->>New Version: Edit to add multiple versions

Step 3: Custom Roles

sequenceDiagram
    Navigate to Custom Roles->>Add Role: Create new role
    Add Role->>Save Changes: Settings: Name, Base Role, and ZTKA Policies