Hub RBAC
This guide is only applicable for administrators who've deployed self-hosted Spaces. For general RBAC in Upbound, read Upbound RBAC.
This guide explains how to authorize actions on resources in a disconnected Space, on the Kubernetes cluster hosting the Spaces software. With Kubernetes Hub RBAC, you can use traditional Kubernetes RBAC to define roles and permissions.
Enable Kubernetes Hub authorization
To enable Kubernetes Hub authorization in your Space, you need:
- A Kubernetes cluster with RBAC enabled
- authorization.hubRBAC set to true (enabled by default)
Users can authenticate to the single-tenant Space with their Kubernetes credentials using this method.
Configure Kubernetes RBAC
To configure Kubernetes RBAC in your Disconnected Space, you need to create ClusterRoles and Roles for defining access to your resources. For example:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: controlplane-getter
rules:
- apiGroups: ["spaces.upbound.io"]
  resources: ["controlplanes"]
  verbs: ["get", "list", "watch"]
Next, create ClusterRoleBindings and RoleBindings to assign roles to subjects like users, groups, or service accounts:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: controlplane-getters
subjects:
- kind: User
  name: upbound:(user|robot):<username>
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: controlplane-getter
  apiGroup: rbac.authorization.k8s.io
The subject in this example can contain teams (upbound:team:<uuid>) or org roles (upbound:org-role:admin|member) depending on your role needs.
Upbound RBAC integration
You can use the special verbs admin, edit and view for giving a subject access to a control plane:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: controlplane-editor
rules:
- apiGroups: ["spaces.upbound.io"]
  resources: ["controlplanes/k8s"]
  verbs: ["edit"] # or "admin" or "view", depending on access level
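A way to review what the bindings described above actually grant, as an added example that is not part of the Upbound documentation or tooling: it joins ClusterRoleBindings to their ClusterRoles, lists every grant on controlplanes and controlplanes/k8s, and flags subject names that match none of the formats given on this page. The function names audit, role and binding, the username and team-id patterns, and the sample objects are assumptions made for illustration.

```python
import re

# Subject formats from this page. Assumed: no whitespace in names, hex UUID team ids.
SUBJECT_RE = re.compile(
    r"upbound:(?:(?:user|robot):\S+|org-role:(?:admin|member)"
    r"|team:[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})")
GROUP, RESOURCES = "spaces.upbound.io", {"controlplanes", "controlplanes/k8s"}


def audit(manifests):
    """Return (grants, warnings) for control plane access bound cluster-wide."""
    roles = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "ClusterRole"}
    grants, warnings = [], []
    for b in (m for m in manifests if m["kind"] == "ClusterRoleBinding"):
        bname, ref = b["metadata"]["name"], b["roleRef"]["name"]
        rules = roles.get(ref, {}).get("rules", [])
        rules = [r for r in rules if {GROUP, "*"} & set(r.get("apiGroups", []))]
        for name in (s["name"] for s in b.get("subjects", [])):
            # RBAC compares subject names as exact strings; a misspelled name binds nobody.
            if name.startswith("upbound:") and not SUBJECT_RE.fullmatch(name):
                warnings.append(f"{bname}: subject {name} matches no documented format")
            for rule in rules:
                listed, verbs = set(rule.get("resources", [])), sorted(rule.get("verbs", []))
                for res in sorted(RESOURCES if "*" in listed else RESOURCES & listed):
                    grants.append((name, res, verbs))
                    if "*" in verbs:
                        warnings.append(f"{bname}: wildcard verbs on {res}")
    return grants, warnings


def role(name, resources, verbs):
    return {"kind": "ClusterRole", "metadata": {"name": name},
            "rules": [{"apiGroups": [GROUP], "resources": resources, "verbs": verbs}]}


def binding(name, ref, subject):
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"name": ref}, "subjects": [{"kind": "User", "name": subject}]}


# Constructed sample objects mirroring the manifests on this page.
SAMPLE = [
    role("controlplane-getter", ["controlplanes"], ["get", "list", "watch"]),
    role("controlplane-editor", ["controlplanes/k8s"], ["edit"]),
    binding("controlplane-getters", "controlplane-getter", "upbound:user:alice"),
    binding("team-editors", "controlplane-editor", "upbound:teams:platform"),
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The same function accepts the items array from the JSON output of kubectl get clusterroles,clusterrolebindings. A wildcard verb is flagged because in Kubernetes RBAC "*" matches every verb, the special admin, edit and view verbs included.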