
Handling attributes

There are multiple kinds of objects listed as Users and multiple types of roles and groups listed as Groups. The IDs for objects of this connector have the format kind|namespace|name; the separating character "|" is configurable in the address line.

The kind attribute, or the first portion of the ID, can be used to identify the object type.

Service accounts (kind=ServiceAccount) and external users (kind=User) are listed as users, whereas roles (kind=Role), clusterroles (kind=ClusterRole), rolebindings (kind=RoleBinding), clusterrolebindings (kind=ClusterRoleBinding) and external groups (kind=Group) are listed as groups.

The middle namespace portion does not exist for objects without a namespace, such as cluster roles or cluster role bindings.

Handling account attributes

You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, using the Manage the system (PSA) module. To do this, select Kubernetes Cluster from the Manage the system > Resources > Account attributes > Target system type menu.

For information about the native Kubernetes Cluster attributes managed by Bravura Security Fabric, consult your Kubernetes Cluster documentation.

Bravura Security Fabric explicitly handles the following attributes and pseudo-attributes when creating or modifying recipient accounts for Kubernetes Cluster target systems:

The _binding attribute is required for the create operation, and its value must be the longID of a RoleBinding or ClusterRoleBinding.

Kubernetes Cluster grants the permissions defined in a role to a user or set of users via a role binding. The create operation is used for external users only and functions as a GRUA (add user to group) operation: it adds the external user to the RoleBinding or ClusterRoleBinding specified in the _binding attribute of the create request.

Handling group attributes

You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, using the Manage the system (PSA) module. To do this, select Kubernetes Cluster from the Manage the system > Resources > Group attributes > Target system type menu.

For information about the native Kubernetes Cluster attributes managed by Bravura Security Fabric, consult your Kubernetes Cluster documentation.

The multi-valued resource attribute rule is required for creating a Role or a ClusterRole; it specifies which permissions the role grants. Each value uses the JSON format of the Kubernetes API. For example:

{"apiGroups":["apps"],"resources":["deployments"],"verbs":["get","list","watch"]}

The rule attribute will also be listed in this format.

The resource attribute roleRef is required for creating a RoleBinding or ClusterRoleBinding; it determines which Role or ClusterRole the binding applies to. The value should be the Role or ClusterRole's longid. For example: RoleBinding|default|Rolebinding.

The resource attribute namespace can be specified; if none is specified, the Kubernetes API will use the "default" namespace.

When creating groups:

  • Only Roles, ClusterRoles, RoleBindings and ClusterRoleBindings can be created.

  • For creating a Role or a ClusterRole, the multi-valued attribute rule must be set to specify which permissions the role grants.

  • For creating a RoleBinding or ClusterRoleBinding, the roleRef attribute must be set to determine which Role or ClusterRole the binding applies to. The value should be the Role or ClusterRole's longid.

  • namespace can be specified for a Role or RoleBinding; if none is specified, the Kubernetes API will use the "default" namespace. For a ClusterRole or ClusterRoleBinding, a namespace cannot be specified.

The connector agtkebe lists only external users that are members of at least one binding, because Kubernetes keeps no full list of all known external users.

Adding users to groups is only valid in the case of adding service accounts or external users to RoleBindings or ClusterRoleBindings.

Adding groups to groups is only valid in the case of adding external groups to RoleBindings or ClusterRoleBindings.
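The following Python module is an added example, not code from the connector or from Bravura Security; it ties together the ID format described under Handling attributes, the _binding rule for account creation, the group-creation rules above, and the membership restrictions in the last two paragraphs. It parses kind|namespace|name longIDs with a configurable separator (two segments for objects without a namespace), classifies the kind as a user or group, and checks a create or add-member request before it would be sent to the cluster. The function names, the `name` parameter and the shape of the request dictionary are assumptions made for the example; the checks on a rule value beyond "it is a JSON object" (verbs required, either nonResourceURLs or apiGroups plus resources) and the rule that a ClusterRoleBinding can only reference a ClusterRole are Kubernetes RBAC API constraints that the page does not state.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Kinds the connector lists as Users and as Groups (from the page).
USER_KINDS = {"ServiceAccount", "User"}
GROUP_KINDS = {"Role", "ClusterRole", "RoleBinding", "ClusterRoleBinding", "Group"}
CLUSTER_SCOPED = {"ClusterRole", "ClusterRoleBinding"}   # IDs carry no namespace segment
BINDING_KINDS = {"RoleBinding", "ClusterRoleBinding"}    # the only groups that take members
CREATABLE_GROUP_KINDS = {"Role", "ClusterRole", "RoleBinding", "ClusterRoleBinding"}


@dataclass(frozen=True)
class LongId:
    kind: str
    namespace: Optional[str]   # None for objects without a namespace
    name: str


def parse_long_id(long_id: str, sep: str = "|") -> LongId:
    """Parse kind<sep>namespace<sep>name, or kind<sep>name for objects without a namespace."""
    parts = long_id.split(sep)
    if len(parts) == 3:
        kind, namespace, name = parts
    elif len(parts) == 2:
        kind, name = parts
        namespace = None
    else:
        raise ValueError(f"expected 2 or 3 segments separated by {sep!r}: {long_id!r}")
    if not all(parts):
        raise ValueError(f"empty segment in {long_id!r}")
    if kind not in USER_KINDS | GROUP_KINDS:
        raise ValueError(f"unknown kind {kind!r} in {long_id!r}")
    if kind in CLUSTER_SCOPED and namespace is not None:
        raise ValueError(f"{kind} has no namespace, so its ID has only two segments: {long_id!r}")
    return LongId(kind, namespace, name)


def validate_add_member(member: LongId, group: LongId) -> None:
    """Users (ServiceAccount, User) and external Groups may only be added to a (Cluster)RoleBinding."""
    if member.kind not in USER_KINDS and member.kind != "Group":
        raise ValueError(f"{member.kind} objects cannot be added to a group")
    if group.kind not in BINDING_KINDS:
        raise ValueError(f"members can only be added to a RoleBinding or ClusterRoleBinding, not {group.kind}")


def validate_account_create(attrs: dict, sep: str = "|") -> LongId:
    """Account create = add an external user to the binding named by _binding; returns that binding."""
    if not attrs.get("_binding"):
        raise ValueError("_binding is required for the create operation")
    binding = parse_long_id(attrs["_binding"], sep)
    if binding.kind not in BINDING_KINDS:
        raise ValueError(f"_binding must be a RoleBinding or ClusterRoleBinding longID, got {binding.kind}")
    return binding


def parse_rule(value: str) -> dict:
    """Parse one rule value (a JSON PolicyRule object) and apply the RBAC API's basic shape checks."""
    rule = json.loads(value)
    if not isinstance(rule, dict):
        raise ValueError("rule must be a JSON object")
    if not rule.get("verbs"):
        raise ValueError("rule must list at least one verb")
    # Assumption mirroring API-server validation: a rule is either a non-resource rule
    # (nonResourceURLs only) or a resource rule naming apiGroups and resources.
    if rule.get("nonResourceURLs"):
        if rule.get("apiGroups") or rule.get("resources"):
            raise ValueError("nonResourceURLs cannot be combined with apiGroups/resources")
    elif not rule.get("apiGroups") or not rule.get("resources"):
        raise ValueError("resource rules must name apiGroups and resources")   # [""] is the core group
    return rule


def validate_group_create(kind: str, name: str, attrs: dict, sep: str = "|") -> dict:
    """Check a group-create request against the page's rules; returns a normalised request."""
    if kind not in CREATABLE_GROUP_KINDS:
        raise ValueError(f"groups of kind {kind} cannot be created")
    namespace = attrs.get("namespace")
    if kind in CLUSTER_SCOPED:
        if namespace:
            raise ValueError(f"{kind} is cluster-scoped; namespace must not be specified")
    else:
        namespace = namespace or "default"   # what the Kubernetes API uses when none is given
    req = {"kind": kind, "name": name, "namespace": namespace}
    if kind in ("Role", "ClusterRole"):
        if not attrs.get("rule"):
            raise ValueError("rule is required when creating a Role or ClusterRole")
        req["rules"] = [parse_rule(r) for r in attrs["rule"]]
    else:
        if not attrs.get("roleRef"):
            raise ValueError("roleRef is required when creating a RoleBinding or ClusterRoleBinding")
        ref = parse_long_id(attrs["roleRef"], sep)
        if ref.kind not in ("Role", "ClusterRole"):
            raise ValueError(f"roleRef must be a Role or ClusterRole longid, got {ref.kind}")
        if kind == "ClusterRoleBinding" and ref.kind != "ClusterRole":
            raise ValueError("a ClusterRoleBinding can only reference a ClusterRole")   # RBAC constraint
        req["roleRef"] = ref
    return req
```

With the default separator, `validate_group_create("Role", "pod-reader", {"rule": ['{"apiGroups":["apps"],"resources":["deployments"],"verbs":["get","list","watch"]}']})` returns a request in the "default" namespace with one parsed rule, while a ClusterRole created with a namespace attribute, or a binding whose roleRef names another binding, is rejected before anything reaches the API server. Passing `sep="/"` parses IDs produced with a different separator configured in the address line.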