Handling group attributes
You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, using the Manage the system (PSA) module. To do this, select Kubernetes Cluster from the Manage the system > Resources > Group attributes > Target system type menu.
For information about the native Kubernetes Cluster attributes managed by Bravura Security Fabric, consult your Kubernetes Cluster documentation.
The multi-valued resource attribute rule is required for creating a Role or a ClusterRole; it specifies what permissions the role grants. The attribute uses the JSON format from the Kubernetes API. For example:
"apiGroups":["apps"],"resources":["deployments"],"verbs":["get","list","watch"]
The rule attribute will also be listed in this format.
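The following Python sketch is an added example, not part of Bravura Security Fabric or its documentation. It checks a rule value in the format shown above before it is used to create a Role or ClusterRole, and reports rules that grant more than least privilege. The function names, the acceptance of brace-wrapped values, and the review criteria are assumptions.

```python
import json

# List-valued fields of a Kubernetes RBAC PolicyRule.
LIST_FIELDS = {"apiGroups", "resources", "verbs", "resourceNames", "nonResourceURLs"}
# Verbs that let a subject widen its own or another subject's access.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}

# The rule value shown on this page.
PAGE_EXAMPLE = '"apiGroups":["apps"],"resources":["deployments"],"verbs":["get","list","watch"]'
# Constructed sample of an over-broad rule.
BROAD_EXAMPLE = '"apiGroups":["*"],"resources":["*"],"verbs":["*"]'


def parse_rule(value):
    """Parse one rule attribute value into a PolicyRule dict.

    Assumption: the value is the member list of a JSON object, as in the
    page's example; a value already wrapped in braces is accepted too.
    """
    text = value.strip()
    if not text.startswith("{"):
        text = "{" + text + "}"
    try:
        rule = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"rule is not valid JSON: {exc}") from exc
    unknown = set(rule) - LIST_FIELDS
    if unknown:
        raise ValueError(f"unknown PolicyRule fields: {sorted(unknown)}")
    for field, items in rule.items():
        if not isinstance(items, list) or not all(isinstance(i, str) for i in items):
            raise ValueError(f"{field} must be a list of strings")
    if not rule.get("verbs"):
        raise ValueError("verbs is required and must not be empty")
    return rule


def review_rule(rule):
    """Return least-privilege findings for a parsed rule (empty list: none)."""
    findings = [f"wildcard in {f}" for f in ("apiGroups", "resources", "verbs")
                if "*" in rule.get(f, [])]
    verbs = set(rule["verbs"])
    if verbs & ESCALATION_VERBS:
        findings.append("escalation verbs: " + ", ".join(sorted(verbs & ESCALATION_VERBS)))
    if "secrets" in rule.get("resources", []) and verbs & {"get", "list", "watch", "*"}:
        findings.append("read access to secrets")
    return findings


if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, BROAD_EXAMPLE):
        print(sample, "->", review_rule(parse_rule(sample)) or "no findings")
```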
The resource attribute roleRef is required for creating a RoleBinding or ClusterRoleBinding; it determines which Role or ClusterRole the binding applies to. The value should be the Role or ClusterRole’s longid. For example: RoleBinding|default|Rolebinding.
The resource attribute namespace can be specified; if none is specified, the Kubernetes API will use the "default" namespace.
When creating groups:
Only Roles, ClusterRoles, RoleBindings and ClusterRoleBindings can be created.
To create a Role or a ClusterRole, the multi-valued attribute rule must be set to specify which permissions the role grants.
To create a RoleBinding or ClusterRoleBinding, the roleRef attribute must be set to determine which Role or ClusterRole the binding applies to. The value should be the Role or ClusterRole’s longid.
namespace can be specified for binding Role; if none is specified, the Kubernetes API will use the "default" namespace. For ClusterRole and ClusterRoleBinding, a namespace cannot be specified.
The connector agtkebe lists external users that are members of at least one binding, as there is no full list of all known external users.
Adding users to groups is only valid in the case of adding service accounts or external users to RoleBindings or ClusterRoleBindings.
Adding groups to groups is only valid in the case of adding external groups to RoleBindings or ClusterRoleBindings.