Role-Based Access Control (RBAC)
Atmosly provides fine-grained Kubernetes RBAC management, allowing you to create roles, assign users, and control access to cluster resources with time-bound validity.
Accessing the RBAC Section
- Navigate to the specific cluster.
- Go to the RBAC section from the left menu.
Default Roles
Atmosly provides three pre-built roles that cover common access patterns:
Cluster Admin
- API Groups: All (*)
- Resources: All (*)
- Actions: All (*)
- Namespaces: All (*)
- Description: Full unrestricted access to all resources in all namespaces
Read Only
- API Groups: All (*)
- Resources: All (*)
- Actions: get, list, watch
- Namespaces: All (*)
- Description: Read-only access to view all resources without modification. Because Resources is *, this includes get and list on Secrets, so a holder can read Secret contents in every namespace; treat this role as sensitive rather than harmless.
DevOps
- API Groups: Core, Apps, Batch, Networking, Storage, Autoscaling, Discovery, Scheduling, Policy, argoproj.io
- Resources: Pods, Deployments, Services, Jobs, CronJobs, Ingresses, Workflows, Applications, and 30+ more
- Actions: get, list, watch, create, update, patch, delete
- Namespaces: All (*)
- Description: Full application management with read-only access to cluster-level resources
Creating a Custom Role
- Click the Create Roles button in the top-left corner of the RBAC section.
- Fill in the required fields:
| Field | Description |
|---|---|
| Role Name | A unique name for the role |
| Namespace | The namespace scope for the role. Leave blank to create a cluster-wide role. Only namespaces created via Atmosly infrastructure are displayed. Select * for all namespaces. |
| API Group | Select the relevant Kubernetes API group(s) |
| Resources | Choose resources based on the selected API group |
| Actions | Define the allowed operations (verbs) |
| User | Select one or more users to assign to the role |
| Duration | Set the role's validity period |
Available API Groups
| API Group | Example Resources |
|---|---|
| Core (empty string) | Pods, Services, ConfigMaps, Secrets, PersistentVolumeClaims, Namespaces, Nodes, ServiceAccounts |
| Apps | Deployments, StatefulSets, DaemonSets, ReplicaSets |
| Batch | Jobs, CronJobs |
| Networking (networking.k8s.io) | Ingresses, NetworkPolicies |
| RBAC (rbac.authorization.k8s.io) | Roles, RoleBindings, ClusterRoles, ClusterRoleBindings |
| Storage (storage.k8s.io) | StorageClasses, VolumeAttachments |
| Policy | PodDisruptionBudgets, PodSecurityPolicies (PodSecurityPolicy was removed in Kubernetes 1.25 and only exists on older clusters) |
| Autoscaling | HorizontalPodAutoscalers |
Available Actions
| Action | Description |
|---|---|
| get | Retrieve a specific resource |
| list | List all resources of a type |
| watch | Watch for changes to resources |
| create | Create new resources |
| update | Modify existing resources |
| patch | Partially modify resources |
| delete | Remove resources |
Duration Options
| Option | Description |
|---|---|
| 8 hours | Short-term access for debugging or troubleshooting |
| 1 Day | Day-long access for development tasks |
| 1 Week | Week-long access for sprint-based work |
| Forever | Permanent access until manually revoked |
| Custom Date | Select a specific expiration date using the date picker |
- Click Create to finalize the role.
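The default roles and the Create Roles form both describe access as API groups, resources, actions and namespaces, which is exactly how Kubernetes RBAC evaluates a request: every field of a rule must match, and a `*` entry matches anything. The script below is an added example written for this page (it is not Atmosly code) that models a role the way the form captures it and lints it before you click Create, so you can see what "Read Only" or a custom role really grants. The three pre-built roles are modelled from the tables above; the DevOps resource list contains only the resources the page names, so findings for DevOps describe this model, not the real role. The `RoleSpec` class, the `lint` function and the `team-a-binder` role are constructed for the example.

```python
from dataclasses import dataclass, field

CORE = ""  # Kubernetes names the core API group with the empty string
RBAC_GROUP = "rbac.authorization.k8s.io"


@dataclass
class RoleSpec:
    """A role as entered in the Create Roles form: groups, resources, actions, namespaces.
    "*" in any field means "all", mirroring Kubernetes RBAC wildcard semantics."""
    name: str
    api_groups: set
    resources: set
    actions: set
    namespaces: set = field(default_factory=lambda: {"*"})


def _matches(allowed: set, wanted: str) -> bool:
    # RBAC rule matching: "*" matches anything, otherwise the entry must match exactly.
    return "*" in allowed or wanted in allowed


def allows(role: RoleSpec, verb: str, api_group: str, resource: str, namespace: str) -> bool:
    """Would this role let its holder perform `verb` on `resource` (in `api_group`) in `namespace`?"""
    return (
        _matches(role.api_groups, api_group)
        and _matches(role.resources, resource)
        and _matches(role.actions, verb)
        and _matches(role.namespaces, namespace)
    )


def lint(role: RoleSpec) -> list:
    """Findings a reviewer would want before creating the role (stable order)."""
    findings = []
    # Probe namespace: any namespace the role covers.
    probe_ns = "*" if "*" in role.namespaces else sorted(role.namespaces)[0]
    if role.api_groups == {"*"} and role.resources == {"*"} and role.actions == {"*"}:
        findings.append("wildcard groups, resources and verbs: this is cluster-admin")
    if any(allows(role, v, CORE, "secrets", probe_ns) for v in ("get", "list")):
        findings.append("can read Secret data: get/list on secrets is not harmless 'read-only'")
    # Write access to RBAC objects lets the holder change who has access.
    for res in ("roles", "rolebindings", "clusterroles", "clusterrolebindings"):
        verbs = sorted(v for v in ("create", "update", "patch", "delete")
                       if allows(role, v, RBAC_GROUP, res, probe_ns))
        if verbs:
            findings.append(f"can {','.join(verbs)} {res}: holder can alter who has access")
    return findings


# The page's three pre-built roles, modelled from its tables. DevOps is the named subset only.
CLUSTER_ADMIN = RoleSpec("Cluster Admin", {"*"}, {"*"}, {"*"})
READ_ONLY = RoleSpec("Read Only", {"*"}, {"*"}, {"get", "list", "watch"})
DEVOPS = RoleSpec(
    "DevOps",
    {CORE, "apps", "batch", "networking.k8s.io", "storage.k8s.io", "autoscaling",
     "discovery.k8s.io", "scheduling.k8s.io", "policy", "argoproj.io"},
    {"pods", "deployments", "services", "jobs", "cronjobs", "ingresses", "workflows", "applications"},
    {"get", "list", "watch", "create", "update", "patch", "delete"},
)
# Hypothetical custom role (constructed for the example): scoped to one namespace,
# but able to hand out access within it by creating RoleBindings.
TEAM_A_BINDER = RoleSpec("team-a-binder", {RBAC_GROUP}, {"rolebindings"}, {"create", "delete"}, {"team-a"})

if __name__ == "__main__":
    for r in (CLUSTER_ADMIN, READ_ONLY, DEVOPS, TEAM_A_BINDER):
        print(f"{r.name}: {lint(r) or ['no findings']}")
```

The namespace field narrows where the rule applies (the `team-a-binder` role matches nothing in `team-b`), but it does not narrow what the rule does inside that namespace: a holder who can create RoleBindings in `team-a` can grant others their own permissions there, and with the `bind` verb (not offered in the form) could grant more. Run the linter against any custom role whose resource list contains `*` before assigning users to it.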
Managing Roles
After creating a role:
- View the list of created roles with their assigned users and expiration dates.
- Click the Add option next to a role name to perform additional actions:
  - Download kubeconfig: download a kubeconfig file pre-configured with the role's service account credentials.
  - Resend via email: send the kubeconfig file to the assigned users by email.
Kubeconfig Access
When a role is created, Atmosly:
- Creates a Kubernetes service account and binds it to the role.
- Generates a kubeconfig file containing the service account token.
- Embeds the cluster endpoint and CA certificate in that kubeconfig so the user can connect.
- Makes the kubeconfig available for download or email distribution.
The kubeconfig is a credential: the service account token inside it grants the role's access to whoever holds the file until the role expires, so distribute it over a channel you trust and store it like any other secret.
Users can use the downloaded kubeconfig to access the cluster directly via kubectl:
kubectl --kubeconfig=<downloaded-file> get pods
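Before handing a downloaded kubeconfig to a user, it is worth checking what the token inside it actually says: which service account it identifies and whether it carries an expiry. Kubernetes service account tokens are JWTs whose `sub` claim is `system:serviceaccount:<namespace>:<name>`; tokens issued through the TokenRequest API carry an `exp` claim, while legacy secret-based tokens do not. The following is an added example written for this page, not Atmosly code. The kubeconfig and the JWT it embeds are constructed (the token is unsigned filler, not a real credential), the `token:` line layout is assumed to be the usual one, and nothing here says how Atmosly enforces the Duration option; it may remove the binding server-side as well as, or instead of, bounding the token, so the check reports only what the token itself claims.

```python
import base64
import json
import re
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def constructed_sa_token(namespace: str, sa_name: str, issued_at: int, expires_at=None) -> str:
    """CONSTRUCTED, unsigned JWT with the claims a Kubernetes service-account token carries.
    The signature segment is filler; this is not a real credential."""
    header = {"alg": "RS256", "kid": "constructed"}
    claims = {
        "iss": "https://kubernetes.default.svc",
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
        "iat": issued_at,
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": sa_name}},
    }
    if expires_at is not None:  # bound tokens carry exp; legacy secret tokens do not
        claims["exp"] = expires_at
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


def constructed_kubeconfig(token: str) -> str:
    """A kubeconfig in the shape the page describes (endpoint, CA, token). Values are placeholders."""
    return f"""apiVersion: v1
kind: Config
clusters:
- name: example-cluster
  cluster:
    server: https://example.invalid:6443
    certificate-authority-data: PLACEHOLDER-BASE64-CA
users:
- name: atmosly-role-user
  user:
    token: {token}
contexts:
- name: atmosly
  context:
    cluster: example-cluster
    user: atmosly-role-user
current-context: atmosly
"""


def extract_token(kubeconfig_text: str) -> str:
    """Pull the bearer token from the user entry. Assumes the usual `token: <value>` layout;
    a kubeconfig that uses client certificates or an exec plugin has no such line."""
    m = re.search(r"^\s*token:\s*(\S+)\s*$", kubeconfig_text, re.MULTILINE)
    if not m:
        raise ValueError("no bearer token in kubeconfig")
    return m.group(1)


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature. Fine for inspecting a file you
    were handed; never a basis for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def inspect_kubeconfig(kubeconfig_text: str, now=None) -> dict:
    """Report who the token identifies and whether it is time-bound and still valid."""
    now = int(time.time()) if now is None else now
    claims = decode_claims(extract_token(kubeconfig_text))
    exp = claims.get("exp")
    return {
        "subject": claims.get("sub"),
        "time_bound": exp is not None,
        "expires_at": exp,
        "expired": exp is not None and now >= exp,
        "seconds_left": None if exp is None else max(0, exp - now),
    }


if __name__ == "__main__":
    tok = constructed_sa_token("default", "atmosly-readonly", 1700000000, 1700028800)
    print(inspect_kubeconfig(constructed_kubeconfig(tok)))
```

A token with no `exp` means the 8-hour or 1-day Duration is not enforced by the credential itself, only by whatever revokes the binding, so the file stays usable for as long as the service account exists. After inspecting the token, confirm the effective permissions against the live cluster with `kubectl --kubeconfig=<downloaded-file> auth can-i --list`.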
Permissions
To manage RBAC roles, your Atmosly user role must have the RBAC Management permission enabled. This includes the ability to create, view, update, and delete roles. Contact your organization admin if you need access.