Admin only: All rolebinding operations require administrative privileges.
Understanding RBAC in Orka
Orka relies on RBAC (role-based access control) for the management of user access to resources. In Orka, RBAC consists of the following elements:
- Roles: A set of permissions. Roles are managed by MacStadium.
- Subjects: Users and service accounts which can be bound to a role. Subjects are managed by Orka users with administrative privileges.
- Namespaces: Groups of resources dedicated to specific users or service accounts. Namespaces are managed by Orka users with administrative privileges.
- Rolebindings: K8s objects describing which subjects belong to which role and which subjects can access which namespaces. Rolebindings are managed by Orka users with administrative privileges.
Default access:
- All admin users have access to all namespaces
- All non-admin users have user access to the orka-default namespace
Granting access:
- To grant a user access to a specific namespace, add that user as a subject to the rolebinding for the namespace
- Service accounts automatically have access to the namespace where they were created
- To grant a service account access to a specific namespace, add that service account as a subject to the rolebinding for the namespace
If --namespace is not set, rolebinding commands operate in the orka-default namespace. The shorthand alias for rolebinding is rb.
Managing rolebindings
orka3 rolebinding add-subject
Add a subject to the rolebinding for the specified namespace. This grants the user or the service account access to the specified namespace.
Syntax:
orka3 rolebinding add-subject --namespace TARGET_NAMESPACE --user EMAIL_1[,EMAIL_2,...] AND/OR --serviceaccount SA_NAMESPACE_1:SERVICE_ACCOUNT_1[,SA_NAMESPACE_2:SERVICE_ACCOUNT_2,...] [flags]
Options:
-h, --help Display help for add-subject
-s, --serviceaccount strings Service accounts (NAMESPACE:SERVICE_ACCOUNT format, comma-separated)
-u, --user strings Users (email addresses, comma-separated)
-n, --namespace string (Optional) Target namespace (default "orka-default")
Examples:
# Grant a user access to a namespace
orka3 rb add-subject --namespace orka-test --user user@company.com
# Grant multiple users access to a namespace
orka3 rb add-subject --namespace orka-test --user user1@company.com,user2@company.com
# Grant a service account access to a namespace
orka3 rb add-subject --namespace orka-test --serviceaccount orka-default:sa-jenkins
# Grant multiple service accounts access
orka3 rb add-subject --namespace orka-test --serviceaccount orka-default:sa-jenkins,orka-production:sa-release-builds
# Grant multiple users and service accounts access
orka3 rb add-subject --namespace orka-test --user user1@company.com,user2@company.com --serviceaccount orka-default:sa-jenkins,orka-production:sa-release-builds
orka3 rolebinding list-subjects
List all rolebinding subjects, along with their kind, in the orka-default namespace or another specified namespace.
Syntax:
orka3 rolebinding list-subjects [--namespace TARGET_NAMESPACE] [--output wide|json] [flags]
Options:
-h, --help Display help for list-subjects
-o, --output string (Optional) Output format: table (default)|wide|json
-n, --namespace string (Optional) Namespace scope (default "orka-default")
Examples:
# List subjects in the 'orka-default' namespace rolebinding
orka3 rb list-subjects
# List subjects in a specific namespace rolebinding
orka3 rb list-subjects --namespace orka-test
orka3 rolebinding remove-subject
Remove a subject from the rolebinding for the specified namespace. This revokes the user's or service account's access to that namespace.
Syntax:
orka3 rolebinding remove-subject --user EMAIL_1[,EMAIL_2,...] AND/OR --serviceaccount SA_NAMESPACE_1:SERVICE_ACCOUNT_1[,SA_NAMESPACE_2:SERVICE_ACCOUNT_2,...] [--namespace TARGET_NAMESPACE] [flags]
Options:
-h, --help Display help for remove-subject
-s, --serviceaccount strings Service accounts to remove (NAMESPACE:SERVICE_ACCOUNT format, comma-separated)
-u, --user strings Users to remove (email addresses, comma-separated)
-n, --namespace string (Optional) Target namespace (default "orka-default")
Examples:
# Revoke access to a namespace for a user
orka3 rb remove-subject --namespace orka-test --user user@company.com
# Revoke access for multiple users
orka3 rb remove-subject --namespace orka-test --user user1@company.com,user2@company.com
# Revoke access for a service account
orka3 rb remove-subject --namespace orka-test --serviceaccount orka-default:sa-jenkins
# Revoke access for multiple service accounts
orka3 rb remove-subject --namespace orka-test --serviceaccount orka-default:sa-jenkins,orka-production:sa-release-builds
# Revoke access for multiple users and service accounts
orka3 rb remove-subject --namespace orka-test --user user1@company.com,user2@company.com --serviceaccount orka-default:sa-jenkins,orka-production:sa-release-builds
Common workflows
Adding and removing access
Common workflow:
- Create a namespace:
orka3 namespace create orka-test
- Move nodes to the namespace:
orka3 node namespace mini-1 orka-test
orka3 node namespace mini-2 orka-test
- Grant users access:
orka3 rb add-subject --namespace orka-test --user user@company.com
- Grant service accounts access:
orka3 rb add-subject --namespace orka-test --serviceaccount orka-default:sa-jenkins
- Verify access:
orka3 rb list-subjects --namespace orka-test
Service account access
Service accounts are automatically granted access to the namespace where they are created. To grant a service account access to additional namespaces, use the rolebinding commands:
# Create service account in orka-default
orka3 sa create sa-jenkins
# Grant access to orka-test namespace
orka3 rb add-subject --namespace orka-test --serviceaccount orka-default:sa-jenkins
# Grant access to orka-production namespace
orka3 rb add-subject --namespace orka-production --serviceaccount orka-default:sa-jenkins
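As an added example (not MacStadium's code or output), the following POSIX shell script ties the workflow above and the service-account steps together into a least-privilege check: given the subjects a namespace's rolebinding should contain and the subjects it currently lists, it prints the orka3 rb add-subject and remove-subject commands needed to reconcile the two, without executing anything. The subject-file format and the helper names set_diff, join_values, emit and rb_plan are assumptions; turning the output of orka3 rb list-subjects --output json into the current-state file is left to the caller, since that JSON's shape is not shown on this page.

```shell
# Added example, not MacStadium's code. Print the orka3 commands that would
# bring one namespace rolebinding in line with a desired subject list
# (a dry-run plan; nothing here calls orka3). Subject files hold one line each:
#   user:EMAIL                      -> --user
#   sa:SA_NAMESPACE:SERVICE_ACCOUNT -> --serviceaccount
# The current-state file would come from `orka3 rb list-subjects --output json`;
# that JSON's shape is not documented on this page, so the conversion is assumed
# to be done by the caller.

# set_diff A B: lines of file A that do not appear in file B. Testing FILENAME
# rather than NR==FNR keeps this correct when B is empty.
set_diff() {
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$2" "$1"
}

# join_values KIND: keep stdin lines of KIND, drop the "KIND:" prefix and emit
# them comma-separated, which is the list format the orka3 flags expect.
join_values() {
    grep "^$1:" | cut -d: -f2- | tr '\n' ',' | sed 's/,$//'
}

# emit ACTION NAMESPACE FLAG VALUES: print one command unless VALUES is empty.
emit() {
    if [ -n "$4" ]; then echo "orka3 rb $1 --namespace $2 --$3 $4"; fi
}

# rb_plan NAMESPACE DESIRED_FILE CURRENT_FILE: adds first, then removals;
# prints nothing when the rolebinding already matches the desired state.
rb_plan() {
    ns=$1; desired=$2; current=$3
    emit add-subject "$ns" user "$(set_diff "$desired" "$current" | join_values user)"
    emit add-subject "$ns" serviceaccount "$(set_diff "$desired" "$current" | join_values sa)"
    emit remove-subject "$ns" user "$(set_diff "$current" "$desired" | join_values user)"
    emit remove-subject "$ns" serviceaccount "$(set_diff "$current" "$desired" | join_values sa)"
}

# Constructed sample input: who should have access to orka-test versus who
# the rolebinding currently lists (a departed user is still bound).
want=$(mktemp); have=$(mktemp)
printf 'user:alice@company.com\nsa:orka-default:sa-jenkins\n' > "$want"
printf 'user:alice@company.com\nuser:former@company.com\n' > "$have"
rb_plan orka-test "$want" "$have"
rm -f "$want" "$have"
```

Run the printed plan only after reviewing it; an empty plan means the rolebinding already matches the desired list.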