Version: 3.18 (latest)

Configure user roles and permissions

Big picture

Configure roles using Kubernetes RBAC and lock down user permissions to Calico Enterprise features and functions.

Value

Self-service is an important part of your Kubernetes platform networking and network security. When you allow developers to define policies with guardrails, you create more self-service in the CI/CD process. But network security architects require assurances that developers can access only the resources they are entitled to.

Concepts

Kubernetes RBAC authorization

The Calico Enterprise API server is an extension to the standard Kubernetes RBAC Authorization APIs. You configure fine-grained user permissions using Role, ClusterRole, RoleBinding, and ClusterRoleBinding with the standard RBAC verbs: get, list, watch, create, update, patch, delete.

Features and the RBAC controls available for each:

Network policy
  • Tiered policy, including AWS security groups and federated services
  • Kubernetes network policy (in the default tier)
  • Calico Enterprise network policies, including namespaces
  • Staged policy, policy recommendation, policy preview

Compliance
  • Report management, generation, export, and status

Visibility and troubleshooting
  • Elasticsearch logs: flow, audit, dns, intrusion detection, bgp

Multi-cluster management
  • Management and managed clusters in a single management plane

Predefined roles and permissions

Calico Enterprise provides the following predefined roles and permissions:

tigera-ui-user

  • Basic user with access to Calico Enterprise Manager UI and Kibana:
    • List/view Calico Enterprise policy and tier resources in the projectcalico.org and networking.k8s.io API groups
    • List/view logs in Kibana

tigera-network-admin

  • Superuser access for Kibana (including Elastic user and license management), and all Calico resources in projectcalico.org and networking.k8s.io API groups (get, list, watch, create, update, patch, delete)
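The predefined roles are all-or-nothing; the "developer with guardrails" case from the Value section needs a custom role. The manifest below is an added example, not part of the Calico Enterprise docs: it grants a developers group read-only access to policy and tier resources in the two API groups the page names, cluster-wide, and write access only to Kubernetes network policies inside one namespace. The role names, the dev-team namespace and the "developers" group are assumed placeholders.

```yaml
# Added example, not from the Calico Enterprise docs. Names (netpol-viewer,
# netpol-editor, dev-team, the "developers" group) are assumed placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: netpol-viewer
rules:
  # Read-only on Calico Enterprise tiers and policies (projectcalico.org)
  - apiGroups: ["projectcalico.org"]
    resources: ["tiers", "networkpolicies", "globalnetworkpolicies", "stagednetworkpolicies"]
    verbs: ["get", "list", "watch"]
  # Read-only on Kubernetes network policies (networking.k8s.io)
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developers-netpol-viewer
subjects:
  - {kind: Group, name: developers, apiGroup: rbac.authorization.k8s.io}
roleRef: {kind: ClusterRole, name: netpol-viewer, apiGroup: rbac.authorization.k8s.io}
---
# Guardrail: write verbs only on networking.k8s.io policies, only in dev-team
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: netpol-editor
  namespace: dev-team
rules:
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies"]
    verbs: ["create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-netpol-editor
  namespace: dev-team
subjects:
  - {kind: Group, name: developers, apiGroup: rbac.authorization.k8s.io}
roleRef: {kind: Role, name: netpol-editor, apiGroup: rbac.authorization.k8s.io}
```

Check the effective permissions before handing the binding to a team, for example `kubectl auth can-i create networkpolicies.networking.k8s.io -n dev-team --as=alice --as-group=developers` should answer yes while the same command against another namespace answers no. Calico Enterprise additionally gates policy access per tier, so consult the tiered policy feature page for the extra grants tiered policies need.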

Additional resources

For RBAC details on any given feature, see the feature. For example: