Tetrate Service Bridge, Version: next

Role

A Role is a named collection of permissions that can be assigned to any user or team in the system. The actions a user may perform, such as creating, deleting or updating configuration, depend on the permissions carried by the user's role. Roles are global resources that are defined once; an AccessBinding in each configuration group then binds a user to a role defined beforehand.

TSB comes with the following predefined roles:

Role            Permissions           Description
rbac/admin      *                     Grants full access to the target resource and its child objects.
rbac/editor     Read, Write, Create   Grants read/write access to a resource and allows creating child resources.
rbac/creator    Read, Create          Useful to delegate access to a resource without giving write access to the object itself. Users with this role can manage sub-resources but not the resource itself.
rbac/writer     Read, Write           Grants read and write access to a resource.
rbac/reader     Read                  Grants read-only access to a resource.

The following example declares a custom role (named role1) for a workspace administrator. It grants the ability to create, read, update and delete WorkspaceSetting objects, plus SET_POLICY, which allows setting RBAC policies on the groups within the workspace.

apiVersion: rbac.tsb.tetrate.io/v2
kind: Role
metadata:
  name: role1
spec:
  rules:
  # Each rule names the resource types it covers and the permissions granted on them.
  - types:
    - apiGroup: api.tsb.tetrate.io/v2
      kinds:
      - WorkspaceSetting
    permissions:
    - CREATE
    - READ
    - DELETE
    - WRITE
    - SET_POLICY

Role

Role is a named collection of permissions that can be assigned to any user or team in the system.

Field    Description    Validation Rule

rules

List of tetrateio.api.tsb.rbac.v2.Role.Rule
A set of rules that define the permissions associated with each API group.

repeated = {
  min_items: 1
}

ResourceType

The type of API resource for which the role is being created.

Field    Description    Validation Rule

apiGroup

string
REQUIRED
A specific API group such as traffic.tsb.tetrate.io/v2.

string = {
  min_len: 1
}

kinds

List of string
Specific kinds of APIs under the API group. If omitted, the role will apply to all kinds under the group.

scopedAt

List of tetrateio.api.tsb.rbac.v2.Role.ScopeType
The list of parent types where the defined kinds will be scoped under. If omitted, no scope limitation is applied.

Rule

A rule defines the set of API groups and kinds it applies to, together with the permissions granted on them.

Field    Description    Validation Rule

types

List of tetrateio.api.tsb.rbac.v2.Role.ResourceType
The set of API groups, and the API kinds within each group, to which this rule applies. If omitted, the permissions apply globally to all resource types.

permissions

List of tetrateio.api.tsb.rbac.v2.Permission
REQUIRED
The set of actions allowed for these APIs. The current version requires a kind to be specified, but this constraint will be relaxed in upcoming releases so that rules can apply globally to an entire API group.

repeated = {
  min_items: 1
}

ScopeType

Field    Description    Validation Rule

apiGroup

string
REQUIRED
A specific API group such as traffic.tsb.tetrate.io/v2.

string = {
  min_len: 1
}

kind

string
REQUIRED
Specific kind of API under the API group.

string = {
  min_len: 1
}
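Before a custom Role such as the role1 example above is applied, it is worth checking it against the validation rules listed in this reference (rules and permissions must be non-empty, apiGroup is required on every type, and scopedAt entries need both apiGroup and kind) and flagging the grants a reviewer should look at twice: a rule with no types applies to every resource type, a type with no kinds applies to every kind in its group, and SET_POLICY lets the holder change who else has access. The linter below is an added example written for this page, not TSB tooling. It takes the Role as a Python dict of the shape yaml.safe_load would produce from the YAML; the permission set is assumed to be the five names used on this page, and the second sample role and its defects are constructed for illustration.

```python
"""Lint a TSB Role definition against the validation rules on this page.

Added example, not part of TSB. Errors mirror the documented constraints;
warnings point at broad or sensitive grants that deserve review.
"""
from typing import Any, Dict, List

# Assumption: the permission enum is exactly the five names used on this page.
KNOWN_PERMISSIONS = {"CREATE", "READ", "WRITE", "DELETE", "SET_POLICY"}


def lint_role(role: Dict[str, Any]) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]} for one Role document."""
    errors: List[str] = []
    warnings: List[str] = []

    if role.get("apiVersion") != "rbac.tsb.tetrate.io/v2" or role.get("kind") != "Role":
        errors.append("document must be apiVersion rbac.tsb.tetrate.io/v2, kind Role")
    if not role.get("metadata", {}).get("name"):
        errors.append("metadata.name is missing")

    rules = role.get("spec", {}).get("rules") or []
    if not rules:
        errors.append("spec.rules must contain at least one rule (min_items: 1)")

    for i, rule in enumerate(rules):
        where = f"spec.rules[{i}]"

        # permissions: REQUIRED, min_items: 1, values drawn from the enum
        perms = rule.get("permissions") or []
        if not perms:
            errors.append(f"{where}.permissions must contain at least one permission (min_items: 1)")
        unknown = sorted(set(perms) - KNOWN_PERMISSIONS)
        if unknown:
            errors.append(f"{where}.permissions contains unknown values: {unknown}")
        if "SET_POLICY" in perms:
            warnings.append(f"{where}: SET_POLICY lets holders grant access to others; confirm this is intended")

        # types: optional, but omitting it means the rule covers every resource type
        types = rule.get("types") or []
        if not types:
            warnings.append(f"{where}: no types, so permissions apply to all resource types")
        for j, rtype in enumerate(types):
            twhere = f"{where}.types[{j}]"
            group = rtype.get("apiGroup")
            if not group:
                errors.append(f"{twhere}.apiGroup is required (min_len: 1)")
            if not rtype.get("kinds"):
                warnings.append(f"{twhere}: no kinds, so the rule applies to every kind in {group or '<apiGroup>'}")
            # scopedAt: each parent type needs both apiGroup and kind
            for k, scope in enumerate(rtype.get("scopedAt") or []):
                swhere = f"{twhere}.scopedAt[{k}]"
                for field in ("apiGroup", "kind"):
                    if not scope.get(field):
                        errors.append(f"{swhere}.{field} is required (min_len: 1)")

    return {"errors": errors, "warnings": warnings}


# The role1 example from this page, as yaml.safe_load would return it.
PAGE_ROLE: Dict[str, Any] = {
    "apiVersion": "rbac.tsb.tetrate.io/v2",
    "kind": "Role",
    "metadata": {"name": "role1"},
    "spec": {"rules": [{
        "types": [{"apiGroup": "api.tsb.tetrate.io/v2", "kinds": ["WorkspaceSetting"]}],
        "permissions": ["CREATE", "READ", "DELETE", "WRITE", "SET_POLICY"],
    }]},
}

# Constructed, deliberately defective role for illustration. The kind name
# "Gateway" and the permission "ADMIN" are placeholders, not claims about TSB.
BROAD_ROLE: Dict[str, Any] = {
    "apiVersion": "rbac.tsb.tetrate.io/v2",
    "kind": "Role",
    "metadata": {"name": "too-broad"},
    "spec": {"rules": [
        {   # missing apiGroup, incomplete scopedAt, empty permissions
            "types": [{"kinds": ["Gateway"], "scopedAt": [{"apiGroup": "traffic.tsb.tetrate.io/v2"}]}],
            "permissions": [],
        },
        {   # no types at all, plus a permission name outside the enum
            "permissions": ["READ", "ADMIN"],
        },
    ]},
}


if __name__ == "__main__":
    for name, role in (("role1", PAGE_ROLE), ("too-broad", BROAD_ROLE)):
        report = lint_role(role)
        print(name, "errors:", *report["errors"], sep="\n  ")
        print(name, "warnings:", *report["warnings"], sep="\n  ")
```

Run as a script it prints the findings for both roles; in a pipeline, treat any entry in "errors" as a reason to reject the manifest and surface "warnings" to whoever approves the role. To lint real files, load them with yaml.safe_load and pass each document to lint_role.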