APPUiO Control API: Organization
|This resource implements the "Manage Organizations" features.|
List operations on Kubernetes resources can not be filtered by RBAC, it’s a binary operation:
Resources can either be listed or not, there is no way to give access only to a sub-set.
To circumvent this limitation,
Organization is a virtual resource.
Organization resource represents a filtered and formatted list of standard Kubernetes
Namespace resources which have specific labels and annotations.
It is assumed that the
Organization resource is used for all operations, the represented
Namespace must not be directly manipulated.
apiVersion: organization.appuio.io/v1 kind: Organization metadata: name: acme-corp (1) spec: displayName: Acme Corp. (2)
Field mapping from the represented
apiVersion: v1 kind: Namespace metadata: name: acme-corp labels: appuio.io/resource.type: organization (1) annotations: organization.appuio.io/display-name: Acme Corp. (2)
|1||Identify resource type, used by the API server to filter for namespaces representing organizations|
|2||Reflected in the
Identifies the resource type in the scope of the APPUiO Control API
Display name of the organization
We use standard Kubernetes role-based access control for
Organizations with two distinct differences.
Access needs to be granted for
organizationsresources in API group
rbac.appuio.ioand not for resources in API group
organization.appuio.io. Permissions can be configured through both
RoleBindings, as well as
ClusterRoleBindings. Similarly to
Namespaces, permissions configured by a
watchverbs the API server will only return resources that the user also has permission to
By default there are two
ClusterRoles that configure access for organization members
View (read only) access to an organization
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: appuio-organization-viewer rules: - apiGroups: ["rbac.appuio.io"] resources: ["organizations"] verbs: ["get"] ... # Get and list permission for other resources
Admin (read / write) access to an organization
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: appuio-organization-admin rules: - apiGroups: ["rbac.appuio.io"] resources: ["organizations"] verbs: ["get", "patch", "edit"] - apiGroups: ["rbac.authorization.k8s.io"] resources: ["rolebindings"] verbs: ["get", "list", "watch", "patch", "edit", "delete"] ... # Edit permission for other resources
Creating, listing, and watching organizations can be done by all authenticated users.
When creating an
RoleBinding in the created
Namespace is generated.
RoleBinding assigns the
ClusterRole to the creating user.
This allows the creator to manage the new
Organization and assign permissions to new members.
All members of an organization are configured in an
apiVersion: appuio.io/v1 kind: OrganizationMembers metadata: name: members namespace: org-acme-corp spec: userRefs: (1) - name: kate.demo - name: peter.muster status: resolvedUserRefs: (2) - name: kate.demo - name: peter.muster