Configure user roles and permissions
Big picture
Configure roles using Kubernetes RBAC and lock down user permissions to Calico Enterprise features and functions.
Value
Self-service is an important part of your Kubernetes platform networking and network security. When you allow developers to define policies with guardrails, you create more self-service in the CI/CD process. But network security architects require assurances that developers can access only the resources they are entitled to.
Concepts
Kubernetes RBAC authorization
The Calico Enterprise API server is an extension to the standard Kubernetes RBAC Authorization APIs. You configure fine-grained user permissions using Role, ClusterRole, RoleBinding and ClusterRoleBinding with the standard RBAC controls (verbs): get, list, watch, create, update, patch, delete.
Feature | RBAC controls for... |
---|---|
Network policy | Tiered policy, including AWS security groups and federated services; Kubernetes network policy (in the default tier); Calico Enterprise network policies, including namespaces; staged policy, policy recommendation, and policy preview |
Compliance | Report management, generation, export, and status |
Visibility and troubleshooting | Elasticsearch logs: flow, audit, dns, intrusion detection, bgp |
Multi-cluster management | Management and managed clusters in a single management plane |
Predefined roles and permissions
Calico Enterprise provides the following predefined roles and permissions:
tigera-ui-user
- Basic user with access to the Calico Enterprise Manager UI and Kibana:
  - List/view Calico Enterprise policy and tier resources in the projectcalico.org and networking.k8s.io API groups
  - List/view logs in Kibana
tigera-network-admin
- Superuser access for Kibana (including Elastic user and license management), and for all Calico resources in the projectcalico.org and networking.k8s.io API groups (get, list, watch, create, update, patch, delete)
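The two predefined roles are coarse: one is read-only, the other is a superuser. As an added example (not from the Calico Enterprise documentation or project), the manifests below build the developer guardrail described under Value: a group gets full control of Kubernetes NetworkPolicy in its own namespace and can read, but not change, the tier structure and the Calico Enterprise policies in the default tier. The namespace team-a and group app-team-a are made up for the example, and the tier.networkpolicies pseudo-resource with "default.*" resource names is an assumption about how Calico Enterprise scopes policy RBAC to a tier; that pattern is not described on this page.

```yaml
# Added example: guardrails for one developer group. Assumed names:
# namespace "team-a", group "app-team-a".
# Tiers are cluster-scoped, so the read-only grant on the default tier
# needs a ClusterRole with a ClusterRoleBinding. Only "get" is given:
# no create/update/delete, so developers cannot add a tier that would
# be evaluated ahead of the security team's policies.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tier-default-get
rules:
  - apiGroups: ["projectcalico.org"]
    resources: ["tiers"]
    resourceNames: ["default"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: app-team-a-tier-default-get
subjects: [{kind: Group, name: app-team-a, apiGroup: rbac.authorization.k8s.io}]
roleRef: {kind: ClusterRole, name: tier-default-get, apiGroup: rbac.authorization.k8s.io}
---
# Namespaced Role: full control of Kubernetes NetworkPolicy (default tier)
# in team-a, read-only on Calico Enterprise policies in that tier.
# Assumption: Calico Enterprise scopes policy RBAC per tier through the
# "tier.networkpolicies" pseudo-resource with resourceNames "<tier>.*".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: netpol-developer
  namespace: team-a
rules:
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["projectcalico.org"]
    resources: ["tier.networkpolicies"]
    resourceNames: ["default.*"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-team-a-netpol-developer
  namespace: team-a
subjects: [{kind: Group, name: app-team-a, apiGroup: rbac.authorization.k8s.io}]
roleRef: {kind: Role, name: netpol-developer, apiGroup: rbac.authorization.k8s.io}
```

After applying the manifests, check the split with kubectl auth can-i: "kubectl auth can-i create tiers.projectcalico.org --as=dev --as-group=app-team-a" should answer no, while "kubectl auth can-i create networkpolicies.networking.k8s.io -n team-a --as=dev --as-group=app-team-a" should answer yes.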
Additional resources
For RBAC details on a given feature, see that feature's documentation. For example: