Configuring project roles
Use project roles to manage user and group access to all namespaces within a project. A role assigned at the project level automatically applies to all nested namespaces.
Getting started
Make sure that:
- You have the project administrator or cluster administrator role.
- The project already exists. If not, create one.
Special roles
Stackland features two dedicated roles for managing projects:
- stackland:admin: Project administrator role. It grants full access to all resources in the project, including management of namespaces and roles.
- stackland:project-member: Project member role. It grants view-only access to the project and its namespaces in the management console and tools.
Appointing a project administrator
Project administrators are appointed by the cluster administrator via the ProjectRoleBinding resource.
- In the left-hand menu, select Projects.
- Select the project from the list.
- On the project side panel, click Access management.
- In the Members tab, click + Add member.
- In the Add member dialog box, specify the following:
  - Subject: Select the user or group from the drop-down list.
  - Role: Select Administrator.
- Click Add.
Create the ProjectRoleBinding resource in your project's service namespace:
```yaml
apiVersion: stackland.yandex.cloud/v1alpha1
kind: ProjectRoleBinding
metadata:
  name: stackland-projects-team-alpha-admins
  namespace: project-team-alpha
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: stackland:admin
subjects:
  - kind: User
    name: alice@stackland
  - kind: Group
    name: team-alpha-admins
```
Where:
- metadata.name: Role binding name. It must be prefixed with stackland-projects-. This is a required field.
- metadata.namespace: Project's service namespace in project-<project_name> format. This is a required field.
- roleRef.name: Role name. Set to stackland:admin for the project administrator. This is a required field.
- subjects: List of subjects to assign the role to. The supported types are User, Group, and ServiceAccount. This is a required field.
Apply the manifest:
```bash
kubectl apply -f project-role-binding.yaml
```
The project administrator role grants the following privileges:
- Full access to all namespaces within the project.
- Permission to create and delete namespaces.
- Permission to assign roles to other users within the project.
Adding a project member
Project members have view access to the project and its namespaces via the UI and tools. To manage resources, a member requires additional roles with the appropriate permissions.
- In the left-hand menu, select Projects.
- Select the project from the list.
- On the project side panel, click Access management.
- In the Members tab, click + Add member.
- In the Add member dialog box, specify the following:
  - Subject: Select the user or group from the drop-down list.
  - Role: Select Member.
- Click Add.
Create the ProjectRoleBinding resource in your project's service namespace:

```yaml
apiVersion: stackland.yandex.cloud/v1alpha1
kind: ProjectRoleBinding
metadata:
  name: stackland-projects-team-alpha-members
  namespace: project-team-alpha
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: stackland:project-member
subjects:
  - kind: User
    name: bob@stackland
  - kind: Group
    name: team-alpha-members
```
Assigning a role across all project namespaces
A project administrator can apply an existing ClusterRole to all namespaces within the project.
```yaml
apiVersion: stackland.yandex.cloud/v1alpha1
kind: ProjectRoleBinding
metadata:
  name: stackland-projects-kafka-admins
  namespace: project-team-alpha
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: stackland:editor
subjects:
  - kind: Group
    name: team-alpha-developers
```
Stackland will automatically propagate the RoleBinding into each project namespace.
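An added check, not Stackland's own tooling, that a project administrator can run after applying a binding like the one above to confirm that the propagated RoleBinding really grants the subject access in every project namespace and in none outside it. It relies on kubectl impersonation (`--as`, `--as-group`), so the caller needs impersonate rights; the namespace names, the user dev@stackland and the verb/resource pair in the usage block are constructed placeholders, not values from this page.

```python
import subprocess


def can_i(namespace, verb, resource, user, groups=(), run=subprocess.run):
    """Ask the API server whether `user` (in `groups`) may do `verb` on `resource` in `namespace`.

    `run` is injectable so the logic can be exercised without a cluster.
    """
    cmd = ["kubectl", "auth", "can-i", verb, resource, "-n", namespace, "--as", user]
    for group in groups:
        cmd += ["--as-group", group]
    # kubectl prints "yes" or "no" and exits non-zero on "no"; that is not an error here.
    result = run(cmd, capture_output=True, text=True, check=False)
    return result.stdout.strip().lower().startswith("yes")


def audit_propagation(project_namespaces, other_namespaces, verb, resource,
                      user, groups=(), run=subprocess.run):
    """Return (missing, leaked).

    missing: project namespaces where the subject is still denied (propagation gap).
    leaked:  namespaces outside the project where the same subject is allowed.
    """
    missing = [ns for ns in project_namespaces
               if not can_i(ns, verb, resource, user, groups, run)]
    leaked = [ns for ns in other_namespaces
              if can_i(ns, verb, resource, user, groups, run)]
    return missing, leaked


if __name__ == "__main__":
    # Constructed usage: the team-alpha-developers group bound above; namespaces,
    # user and verb/resource are assumed placeholders for your own project.
    missing, leaked = audit_propagation(
        ["team-alpha-api", "team-alpha-db"],   # assumed project namespaces
        ["kube-system"],                        # a namespace outside the project
        "get", "pods", "dev@stackland", ["team-alpha-developers"])
    print("not propagated:", missing, "allowed outside project:", leaked)
```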
Creating a custom project role
A project administrator can create a custom role available in all project namespaces.
- Create the ProjectRole resource:

  ```yaml
  apiVersion: stackland.yandex.cloud/v1alpha1
  kind: ProjectRole
  metadata:
    name: stackland-projects-pg-admin
    namespace: project-team-alpha
  rules:
    - apiGroups:
        - postgresql.stackland.yandex.cloud
      resources:
        - postgresqlclusters
      verbs:
        - create
        - delete
        - patch
        - update
        - get
        - list
  ```

  Where:
  - metadata.name: Role name. It must be prefixed with stackland-projects-. This is a required field.
  - metadata.namespace: Project's service namespace. This is a required field.
  - rules: List of access permissions in Kubernetes RBAC format. This is a required field.
- Assign the role using ProjectRoleBinding:

  ```yaml
  apiVersion: stackland.yandex.cloud/v1alpha1
  kind: ProjectRoleBinding
  metadata:
    name: stackland-projects-pg-admins
    namespace: project-team-alpha
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ProjectRole
    name: stackland-projects-pg-admin
  subjects:
    - kind: Group
      name: team-alpha-pg-admins
  ```
Stackland will automatically create the relevant Role and RoleBinding in each project namespace.
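An added pre-apply linter, not part of Stackland, for the ProjectRoleBinding and ProjectRole constraints listed in the two "Where:" lists above (name prefix, service namespace format, roleRef kind, subject kinds, rule fields); it is useful in a CI step before kubectl apply. Manifests are passed as dicts, for example from yaml.safe_load(); the required-field rules encoded here are only those the page states.

```python
API_VERSION = "stackland.yandex.cloud/v1alpha1"
NAME_PREFIX = "stackland-projects-"
SUBJECT_KINDS = {"User", "Group", "ServiceAccount"}

def _check_common(manifest, kind, project, errors):
    # Constraints shared by ProjectRole and ProjectRoleBinding (see the "Where:" lists).
    meta = manifest.get("metadata") or {}
    if manifest.get("apiVersion") != API_VERSION or manifest.get("kind") != kind:
        errors.append(f"apiVersion/kind must be {API_VERSION}/{kind}")
    if not str(meta.get("name", "")).startswith(NAME_PREFIX):
        errors.append(f"metadata.name must be prefixed with {NAME_PREFIX}")
    if meta.get("namespace") != f"project-{project}":
        errors.append(f"metadata.namespace must be project-{project}")

def validate_project_role(manifest, project):
    """Return the list of violations for a ProjectRole manifest (empty when valid)."""
    errors = []
    _check_common(manifest, "ProjectRole", project, errors)
    rules = manifest.get("rules")
    if not isinstance(rules, list) or not rules:
        errors.append("rules must be a non-empty list")
    for i, rule in enumerate(rules if isinstance(rules, list) else []):
        # Each rule needs the three core RBAC fields; apiGroups [""] denotes the core group.
        for key in ("apiGroups", "resources", "verbs"):
            value = rule.get(key) if isinstance(rule, dict) else None
            if not isinstance(value, list) or not value:
                errors.append(f"rules[{i}].{key} must be a non-empty list")
    return errors

def validate_project_role_binding(manifest, project):
    """Return the list of violations for a ProjectRoleBinding manifest (empty when valid)."""
    errors = []
    _check_common(manifest, "ProjectRoleBinding", project, errors)
    ref = manifest.get("roleRef") or {}
    if ref.get("apiGroup") != "rbac.authorization.k8s.io":
        errors.append("roleRef.apiGroup must be rbac.authorization.k8s.io")
    if ref.get("kind") == "ProjectRole":  # custom roles carry the same name prefix
        if not str(ref.get("name", "")).startswith(NAME_PREFIX):
            errors.append(f"roleRef.name of a ProjectRole must be prefixed with {NAME_PREFIX}")
    elif ref.get("kind") != "ClusterRole" or not ref.get("name"):
        errors.append("roleRef must name a ClusterRole or a ProjectRole")
    subjects = manifest.get("subjects")
    if not isinstance(subjects, list) or not subjects:
        errors.append("subjects must be a non-empty list")
    for i, subj in enumerate(subjects if isinstance(subjects, list) else []):
        bad_kind = not isinstance(subj, dict) or subj.get("kind") not in SUBJECT_KINDS
        if bad_kind or not subj.get("name"):
            errors.append(f"subjects[{i}] needs kind in {sorted(SUBJECT_KINDS)} and a name")
    return errors
```

Call the validator that matches the manifest's kind and fail the pipeline on a non-empty result.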
Viewing assigned roles
- In the left-hand menu, select Projects.
- Select the project from the list.
- On the project side panel, click Access management.
The page displays three tabs:
- Members: List of users and groups with Member or Administrator roles.
- Project roles: List of custom roles in the project.
- Project role bindings: Table of bindings with the following columns: Name, Role, Subjects, and Creation date.
To get a list of project role bindings, run this command:
```bash
kubectl get projectrolebindings -n project-team-alpha
```
To get a list of custom roles in the project, run this command:
```bash
kubectl get projectroles -n project-team-alpha
```
Revoking a role
- In the left-hand menu, select Projects.
- Select the project from the list.
- On the project side panel, click Access management.
- In the Members tab, find the member.
- In the member row, click ⋯ and select Delete.
- Confirm the deletion.
Delete the corresponding ProjectRoleBinding resource:

```bash
kubectl delete projectrolebinding stackland-projects-kafka-admins -n project-team-alpha
```