Restricting Spinnaker users to a particular namespace

#1

Hi Spinnaker Gurus,

Thanks. We want to restrict users at the namespace level. We have multiple teams working in the same k8s cluster with Stackdriver, and we want to restrict users:

  • Based on the namespace to which he has access.

  • A user with a particular namespace only has access to see and deploy in that namespace, and not in other namespaces and applications.

Is there any best way to restrict permissions for multiple namespaces and users, as we have more than 100+ namespaces and 1000+ users to be managed with authorization apart from RBAC?

Any input is highly appreciated.

0 Likes

#2

Have you reviewed this:
https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/

There’s a section/howto about separating dev from prod…

0 Likes

#3

Spinnaker Accounts (e.g. “my-kubernetes-account”) can be k8s service accounts (spinnaker.io) which can be restricted to specific namespaces (kubernetes.io). You can then have fiat enforce group permissions on that Spinnaker Account.

I want to point out that this accomplishes what you want; however, restricting users at the Account level is a fallback that is not a good experience. For example, a pipeline will kick off, then fail at the Deploy stage because the user that the pipeline is running as doesn’t have permission to the Account used in that Deploy. We’re working on making this more graceful.

0 Likes
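
The setup described in reply #3, sketched as configuration. This is an added example, not part of the original posts or Spinnaker's own documentation: the namespace `team-a`, the service account `spinnaker-team-a`, the Fiat group `team-a`, the account name `team-a-k8s` and the kubeconfig path are all assumed names. The first three documents are Kubernetes manifests; the last is the matching Spinnaker (Clouddriver) account entry.

```yaml
# Constructed example: every name below is an assumption, not from the thread.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spinnaker-team-a
  namespace: team-a
---
# Role (not ClusterRole): these rules apply only inside the team-a namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: spinnaker-deployer
  namespace: team-a
rules:
- apiGroups: ["", "apps", "batch"]
  resources: ["configmaps", "services", "pods", "pods/log", "deployments", "replicasets", "jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Bind the Role to the service account that Spinnaker authenticates as.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spinnaker-deployer
  namespace: team-a
subjects:
- kind: ServiceAccount
  name: spinnaker-team-a
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: spinnaker-deployer
---
# Spinnaker side (Clouddriver Kubernetes account settings, not applied with kubectl).
kubernetes:
  accounts:
  - name: team-a-k8s
    kubeconfigFile: /path/to/team-a-kubeconfig   # placeholder; holds the service account token
    namespaces:        # limit the account to the namespace the Role covers
    - team-a
    permissions:       # group permissions enforced by Fiat
      READ: ["team-a"]
      WRITE: ["team-a"]
```

With one such account per team, a user outside the `team-a` group cannot use `team-a-k8s`, and the credentials behind it cannot act outside the `team-a` namespace even if the account is misused.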