Calico Enterprise 3.19 (latest) documentation

Configure user roles and permissions

Big picture

Configure roles using Kubernetes RBAC and lock down user permissions to Calico Enterprise features and functions.

Value

Self-service is an important part of your Kubernetes platform networking and network security. When you allow developers to define policies with guardrails, you create more self-service in the CI/CD process. But network security architects require assurances that developers can access only the resources they are entitled to.

Concepts

Kubernetes RBAC authorization

The Calico Enterprise API server is an extension of the standard Kubernetes RBAC authorization APIs. You configure fine-grained user permissions using Role, ClusterRole, RoleBinding, and ClusterRoleBinding with the standard RBAC verbs: get, list, watch, create, update, patch, delete.
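As an added illustration (not a manifest from the Calico Enterprise documentation), here is a read-only ClusterRole in the spirit of the predefined tigera-ui-user role, bound to a group. The API groups projectcalico.org and networking.k8s.io and the verbs come from this page; the exact resource names, the tier-prefixed pseudo-resource rule for policies in the default tier, the role name, and the group name policy-viewers are assumptions for the example:

```yaml
# Added example, not from the Calico Enterprise docs: a least-privilege,
# read-only ClusterRole for viewing policy and tier resources, plus a binding.
# Assumptions: resource names, the tier-prefixed rule, and the group name
# "policy-viewers" (a placeholder for a group from your identity provider).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-policy-viewer
rules:
  # Read-only access to tiers and Calico policies (namespaced and global).
  - apiGroups: ["projectcalico.org"]
    resources:
      - tiers
      - networkpolicies
      - globalnetworkpolicies
      - stagednetworkpolicies
      - stagedglobalnetworkpolicies
    verbs: ["get", "list", "watch"]
  # Assumed: Calico Enterprise also gates tiered policy through tier-prefixed
  # pseudo-resources; this rule limits viewing to policies in the "default" tier.
  - apiGroups: ["projectcalico.org"]
    resources: ["tier.networkpolicies", "tier.globalnetworkpolicies"]
    resourceNames: ["default.*"]
    verbs: ["get", "list", "watch"]
  # Kubernetes network policy, which Calico Enterprise places in the default tier.
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-policy-viewer
subjects:
  - kind: Group
    name: policy-viewers   # placeholder group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: example-policy-viewer
  apiGroup: rbac.authorization.k8s.io
```

After applying it, confirm the guardrail actually holds with kubectl's impersonation check: `kubectl auth can-i list tiers.projectcalico.org --as=dev-user --as-group=policy-viewers` should answer yes, while `kubectl auth can-i create networkpolicies.projectcalico.org --as=dev-user --as-group=policy-viewers` should answer no. Reviewing bindings this way before handing out access is the cheapest way to catch a role that grants more than intended.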

Features and the RBAC controls each one provides:

Network policy
  • Tiered policy, including AWS security groups and federated services
  • Kubernetes network policy (in default tier)
  • Calico Enterprise network policies, including namespaces
  • Staged policy, policy recommendation, policy preview

Compliance
  • Report management, generation, export, and status

Visibility and troubleshooting
  • Elasticsearch logs: flow, audit, dns, intrusion detection, bgp

Multi-cluster management
  • Management and managed clusters in a single management plane

Predefined roles and permissions

Calico Enterprise provides the following predefined roles and permissions:

tigera-ui-user

  • Basic user with access to Calico Enterprise Manager UI and Kibana:
    • List/view Calico Enterprise policy and tier resources in the projectcalico.org and networking.k8s.io API groups
    • List/view logs in Kibana

tigera-network-admin

  • Superuser access for Kibana (including Elastic user and license management), and all Calico resources in projectcalico.org and networking.k8s.io API groups (get, list, watch, create, update, patch, delete)

Additional resources

For RBAC details on any given feature, see the feature. For example: