Version: 3.19 (latest)

Configure user roles and permissions

Big picture

Configure roles using Kubernetes RBAC and lock down user permissions to Calico Enterprise features and functions.


Self-service is an important part of your Kubernetes platform networking and network security. When you allow developers to define policies with guardrails, you create more self-service in the CI/CD process. But network security architects require assurances that developers can access only the resources they are entitled to.


Kubernetes RBAC authorization

The Calico Enterprise API server is an extension to the standard Kubernetes RBAC Authorization APIs. You configure fine-grained user permissions using Role, ClusterRole, RoleBinding, and ClusterRoleBinding with the standard RBAC controls: get, list, watch, create, update, patch, delete.

Features and the RBAC controls available for each:

  • Network policy:
    • Tiered policy, including AWS security groups and federated services
    • Kubernetes network policy (in default tier)
    • Calico Enterprise network policies including namespaces
    • Staged policy, policy recommendation, policy preview
  • Compliance: Report management, generation, export, and status.
  • Visibility and troubleshooting: Elasticsearch logs: flow, audit, dns, intrusion detection, bgp
  • Multi-cluster management: Management and managed clusters in single management plane.
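
The guardrails described above can be expressed as a pair of bindings: read-only access to one tier, and policy write access limited to that tier within a single namespace. This manifest is an added example, not taken from the Calico Enterprise documentation; the `dev-team` group, the `payments` namespace and the role names are hypothetical, and the `projectcalico.org` API group with its `tiers` and `tier.networkpolicies` resources and the `default.*` tier selector are assumed from Calico's tiered-policy RBAC.

```yaml
# Added example. Tiers are cluster-scoped, so reading one needs a ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dev-default-tier-reader
rules:
  - apiGroups: ["projectcalico.org"]
    resources: ["tiers"]
    resourceNames: ["default"]
    verbs: ["get"]            # no create/update/delete on tiers
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dev-default-tier-reader
subjects:
  - kind: Group
    name: dev-team
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: dev-default-tier-reader
  apiGroup: rbac.authorization.k8s.io
---
# Policy write access, limited to the default tier and one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-default-tier-policy-editor
  namespace: payments
rules:
  - apiGroups: ["projectcalico.org"]
    resources: ["tier.networkpolicies"]
    resourceNames: ["default.*"]   # assumed form: policies in tier "default"
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-default-tier-policy-editor
  namespace: payments
subjects:
  - kind: Group
    name: dev-team
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-default-tier-policy-editor
  apiGroup: rbac.authorization.k8s.io
```

After applying it, `kubectl auth can-i create tiers.projectcalico.org --as=jane --as-group=dev-team` (with `jane` as a hypothetical user) should answer `no`, confirming that members of the group cannot add or alter tiers.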

Predefined roles and permissions

Calico Enterprise provides the following predefined roles and permissions:


  • Basic user with access to Calico Enterprise Manager UI and Kibana:
    • List/view Calico Enterprise policy and tier resources in the and API groups
    • List/view logs in Kibana


  • Superuser access for Kibana (including Elastic user and license management), and all Calico resources in and API groups (get, list, watch, create, update, patch, delete)

Additional resources

For RBAC details on any given feature, see the feature. For example: