Authorization Enterprise
This section describes a recommended way to configure RBAC for policies, organised around the journey you expect your users to take through the UI.
View Resources
The policy journey in the UI involves several resources: the Policies used by the agent, the Violations produced when the agent enforces those policies, and the PolicyConfigs that users can configure to override policy parameters. Violations are essentially Kubernetes events that contain the Validation object.
To view those resources, users need read access to the policies, policyconfigs, and events resources.
The example configuration below achieves this with a policies-reader ClusterRole and a developer-policies-reader ClusterRoleBinding, allowing the developer group to read all the policy-related resources.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: policies-reader
rules:
  - apiGroups: ["pac.weave.works"]
    resources: ["policies", "policyconfigs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developer-policies-reader
subjects:
  - kind: Group
    name: developer
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: policies-reader
  apiGroup: rbac.authorization.k8s.io
```
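Once the role and binding are applied, it is worth confirming that the developer group ends up with exactly the read access the journey needs and nothing more. The script below is an added example, not part of the Weave GitOps documentation: it uses kubectl impersonation (`--as` / `--as-group`) to probe each verb/resource pair, expecting read verbs to be allowed and write verbs to be denied. The placeholder user name and the KUBECTL override are assumptions; the real probes require a kubeconfig identity permitted to impersonate.

```shell
#!/bin/sh
# Added example (not the project's own code): probe the effective access of a group
# with kubectl impersonation and compare it with what the policy journey needs
# (read-only on policies, policyconfigs and events) and nothing more.
: "${KUBECTL:=kubectl}"               # override to point at a stub for offline runs
: "${IMPERSONATED_USER:=rbac-probe}"  # assumed placeholder user; only the group matters

# Expected access matrix: VERB RESOURCE EXPECTED (yes = must be allowed, no = must be denied).
POLICY_ACCESS_MATRIX='
get    policies.pac.weave.works       yes
list   policies.pac.weave.works       yes
watch  policies.pac.weave.works       yes
get    policyconfigs.pac.weave.works  yes
list   policyconfigs.pac.weave.works  yes
watch  policyconfigs.pac.weave.works  yes
get    events                         yes
list   events                         yes
watch  events                         yes
create policies.pac.weave.works       no
update policyconfigs.pac.weave.works  no
delete events                         no
'

# can_i VERB RESOURCE GROUP: exit 0 when a member of GROUP may perform VERB on RESOURCE.
can_i() {
  "$KUBECTL" auth can-i "$1" "$2" --as="$IMPERSONATED_USER" --as-group="$3" --quiet
}

# check_policy_rbac GROUP: prints one line per probe; returns the number of mismatches.
check_policy_rbac() {
  group="$1"
  mismatches=0
  while read -r verb resource expected; do
    [ -z "$verb" ] && continue
    if can_i "$verb" "$resource" "$group"; then actual=yes; else actual=no; fi
    if [ "$actual" = "$expected" ]; then
      printf 'OK       %-6s %-32s %s\n' "$verb" "$resource" "$actual"
    else
      printf 'MISMATCH %-6s %-32s got %s, expected %s\n' "$verb" "$resource" "$actual" "$expected"
      mismatches=$((mismatches + 1))
    fi
  done <<EOF
$POLICY_ACCESS_MATRIX
EOF
  return "$mismatches"
}

# Usage: sh check-policy-rbac.sh developer
if [ -n "${1:-}" ]; then check_policy_rbac "$1"; fi
```

A non-zero exit status means the binding either lacks a required read verb or grants a write verb the journey does not need.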