Bind a user or group to a default role

You can choose one of the following two approaches to bind a user or group to a default role:

  • Use the Tanzu Application Platform RBAC CLI plug-in, which only supports binding Tanzu Application Platform (commonly known as TAP) default roles.
  • Use Kubernetes role-based access control (RBAC) role binding.

VMware recommends that you use the Tanzu Application Platform RBAC CLI plug-in. This CLI plug-in simplifies the process by binding the cluster-scoped resource permissions at the same time as the namespace-scoped resource permissions, where applicable, for each default role. The following sections cover the Tanzu Application Platform RBAC CLI plug-in.

Prerequisites

Before you can bind a user or group to a default role, you must:

  • Download the latest Tanzu CLI version.
  • Download the Tanzu Application Platform RBAC CLI plug-in tar.gz file from Tanzu Network.
  • Have admin access to the cluster.
  • Configure an authentication solution for the cluster. You can use Pinniped or the authentication service native to your Kubernetes distribution.

Install the Tanzu Application Platform RBAC CLI plug-in

Follow these steps to install the Tanzu Application Platform RBAC CLI plug-in:

Caution

The Tanzu Application Platform RBAC CLI plug-in is currently in beta and is intended for evaluation and test purposes only.

  1. Untar the tar.gz file:

    tar -zxvf NAME-OF-THE-TAR

  2. Install the Tanzu Application Platform RBAC CLI plug-in locally on your operating system:

    macOS 
    tanzu plugin install rbac --local darwin-amd64
    Linux 
    tanzu plugin install rbac --local linux-amd64
    Windows 
    tanzu plugin install rbac --local windows-amd64

(Optional) Use a different kubeconfig location

You can use a different kubeconfig location by running:

tanzu rbac --kubeconfig PATH-OF-KUBECONFIG binding add --user USER --role ROLE --namespace NAMESPACE
Note

The environment variable KUBECONFIG is not implemented. You must use the --kubeconfig flag to enter a different location. Otherwise the default ~/.kube/config is used.

For example:

$ tanzu rbac --kubeconfig /tmp/pinniped_kubeconfig.yaml binding add --user [email protected] --role app-editor --namespace user-ns

Add the specified user or group to a role

Add a user or group to a role by running:

tanzu rbac binding add --user USER --role ROLE --namespace NAMESPACE

tanzu rbac binding add --group GROUP --role ROLE --namespace NAMESPACE

For example:

$ tanzu rbac binding add --user [email protected] --role app-editor --namespace user-ns

Get a list of users and groups from a role

Get a list of users and groups from a role by running:

tanzu rbac binding get --role ROLE --namespace NAMESPACE

For example:

$ tanzu rbac binding get --role app-editor --namespace user-ns

Remove the specified user or group from a role

Remove a user or group from a role by running:

tanzu rbac binding delete --user USER --role ROLE --namespace NAMESPACE

tanzu rbac binding delete --group GROUP --role ROLE --namespace NAMESPACE

For example:

$ tanzu rbac binding delete --user [email protected] --role app-editor --namespace user-ns

Error logs

Authorization error logs might include the following errors:

  • Permission Denied:

    The current user does not have permissions to create or edit rolebinding objects. Use an admin account when using the RBAC CLI.

    Error: rolebindings.rbac.authorization.k8s.io "app-operator" is forbidden: User "<subject>" cannot get resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "namespace"
Usage:
tanzu rbac binding add [flags]
Flags:
-g, --group string User Group
-h, --help help for add
-n, --namespace string Namespace
-r, --role string Role
-u, --user string User Name

Global Flags:
--kubeconfig string kubeconfig file

  • Already Bound Error:

    Adding a subject, user or group, to a role that already has the subject produces the following error:

    Error: User ‘test-user’ is already bound to 'app-operator' role
Usage:
tanzu rbac binding add [flags]
Flags:
-g, --group string User Group
-h, --help help for add
-n, --namespace string Namespace
-r, --role string Role
-u, --user string User Name

Global Flags:
--kubeconfig string kubeconfig file

  • Could Not Find Error:

    When removing a subject from a role, this error can occur in the following two scenarios:

    1. The rolebinding does not exist.
    2. The subject does not exist in the rolebinding.

    Ensure the rolebinding exists and that the subject name is correctly spelled.

    Error: Did not find User 'test-user' in RoleBinding 'app-operator'
Usage:
tanzu rbac binding delete [flags]

Flags:
-g, --group string User Group
-h, --help help for delete
-n, --namespace string Namespace
-r, --role string Role
-u, --user string User Name

Global Flags:
--kubeconfig string kubeconfig file

  • Object Has Been Modified Error:

    This error is a race condition caused by running multiple RBAC CLI actions at the same time. Rerunning the RBAC CLI might fix the issue.

    Removed User 'test-user' from RoleBinding 'app-operator'
Removed User 'test-user' from ClusterRoleBinding 'app-operator-cluster-access'
Error: Operation cannot be fulfilled on rolebindings.rbac.authorization.k8s.io "app-operator": the object has been modified; please apply your changes to the latest version and try again
Usage:
tanzu rbac binding delete [flags]

Flags:
-g, --group string User Group
-h, --help help for delete
-n, --namespace string Namespace
-r, --role string Role
-u, --user string User Name

Troubleshooting

  1. Get a list of permissions for a user or a group:

    export NAME=SUBJECT-NAME
kubectl get rolebindings,clusterrolebindings -A -o json | jq -r ".items[] | select(.subjects[]?.name == \"${NAME}\") | .roleRef.name" | xargs -n1 kubectl describe clusterroles

  2. Get a list of user or group for a specific role:

    tanzu rbac binding get --role ROLE --namespace NAMESPACE
check-circle-line exclamation-circle-line close-line
Scroll to top icon