A User may belong to one or more Groups. A Group is simply a way to collect Users according to whatever classification the Cluster administrators need (e.g. roles in a company such as DevOps or developers, different groupings of workloads, etc.). Groups are especially useful for access control: you can apply Policies to a whole set of Users instead of enforcing them on each User individually. Here is an example:
```yaml
kind: Group
metadata:
  name: dev
spec: {}
```
And you can attach a Group to a User simply as follows:
```yaml
kind: User
metadata:
  name: john
spec:
  groups: ["dev"]
```
Policies
Policies (read more about Policies and access control here) can be attached to a Group by name or defined inline on it. In both cases they act as principal-based policies for every User belonging to that Group. Here is an example:
```yaml
kind: Group
metadata:
  name: dev
spec:
  authorization:
    policies: ["policy-1", "policy-2"]
    inlinePolicies:
      - spec:
          rules:
            - effect: DENY
              condition:
                match: ctx.service.metadata.namespace == "production"
```
Attributes
You can extend the information of a Group by feeding it additional attributes, either manually or dynamically via the APIs (read more here) from external sources (e.g. IAM platforms, SIEM tools, threat intelligence tools, incident alerting and on-call management tools, etc.). Such additional information is especially useful for extending access control and making it as fine-grained and dynamic as you wish, since Policy conditions can match on these attributes (read more here). Here is an example:
```yaml
kind: Group
metadata:
  name: admins
spec:
  attrs:
    isPrivileged: true
    priority: 1000
    googleWorkspace:
      isAdmin: true
    someKey:
      key1: val1
      key2: 100
      key3: true
      key4:
        subKey1: subVal1
```
The attrs field is also available for Users, Services and Namespaces.
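The following is an added example, not part of this page or the product's own code, that ties the Policies and Attributes sections together: it resolves a User's Groups, collects the Policies attached to each Group by name and inline, and decides a request. Everything beyond the object shapes shown above is an assumption made for the illustration: the condition syntax is reduced to `<ctx path> == / != <literal>`, the `ctx` object is assumed to expose `ctx.user`, `ctx.group` and `ctx.service`, an `ALLOW` effect is assumed to exist alongside `DENY`, the decision uses deny-overrides with default deny, and the contents of `policy-1`, `policy-2`, the `admins` Group's policy and the users `alice` and `bob` are constructed.

```python
import re

# Group objects transcribed from the page's YAML, plus a constructed (hypothetical)
# inline policy on "admins" that matches on the Group's own attrs.
GROUPS = {
    "dev": {"kind": "Group", "metadata": {"name": "dev"}, "spec": {"authorization": {
        "policies": ["policy-1", "policy-2"],
        "inlinePolicies": [{"spec": {"rules": [
            {"effect": "DENY",
             "condition": {"match": 'ctx.service.metadata.namespace == "production"'}}]}}],
    }}},
    "admins": {"kind": "Group", "metadata": {"name": "admins"}, "spec": {
        "attrs": {"isPrivileged": True, "priority": 1000, "googleWorkspace": {"isAdmin": True}},
        "authorization": {"inlinePolicies": [{"spec": {"rules": [
            {"effect": "ALLOW",  # assumed effect; the page only shows DENY
             "condition": {"match": "ctx.group.spec.attrs.isPrivileged == true"}}]}}]},
    }},
}

# Named policies referenced from spec.authorization.policies (constructed contents).
POLICIES = {
    "policy-1": {"spec": {"rules": [
        {"effect": "ALLOW",
         "condition": {"match": 'ctx.service.metadata.namespace == "staging"'}}]}},
    "policy-2": {"spec": {"rules": []}},
}

# "john" is from the page; "alice" and "bob" are constructed for the illustration.
USERS = {
    "john": {"kind": "User", "metadata": {"name": "john"}, "spec": {"groups": ["dev"]}},
    "alice": {"kind": "User", "metadata": {"name": "alice"}, "spec": {"groups": ["admins"]}},
    "bob": {"kind": "User", "metadata": {"name": "bob"}, "spec": {"groups": ["dev", "admins"]}},
}

# Assumed condition grammar: a dotted ctx path, == or !=, then a literal.
_COND = re.compile(r'^\s*(ctx(?:\.\w+)+)\s*(==|!=)\s*(.+?)\s*$')


def _literal(text):
    """Parse the right-hand side: a "quoted string", true/false, or an integer."""
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]
    if text in ("true", "false"):
        return text == "true"
    return int(text)


def _lookup(ctx, path):
    """Walk ctx.a.b.c through nested dicts; a missing key yields None so a rule
    never matches on data that is absent (e.g. a Group without attrs)."""
    node = ctx
    for key in path.split(".")[1:]:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches(condition, ctx):
    """Evaluate one condition.match string against ctx."""
    m = _COND.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    path, op, rhs = m.groups()
    lhs = _lookup(ctx, path)
    return lhs == _literal(rhs) if op == "==" else lhs != _literal(rhs)


def rules_for_group(group):
    """All rules that apply to a Group: named policies first, then inline ones."""
    auth = group["spec"].get("authorization", {})
    specs = [POLICIES[name]["spec"] for name in auth.get("policies", [])]
    specs += [p["spec"] for p in auth.get("inlinePolicies", [])]
    return [rule for spec in specs for rule in spec.get("rules", [])]


def decide(user_name, service):
    """Deny-overrides (assumed): a matching DENY in any of the user's Groups wins,
    otherwise a matching ALLOW is required, otherwise the default is DENY."""
    user = USERS[user_name]
    effects = set()
    for gname in user["spec"].get("groups", []):
        group = GROUPS[gname]
        ctx = {"user": user, "group": group, "service": service}  # assumed ctx shape
        for rule in rules_for_group(group):
            if matches(rule["condition"]["match"], ctx):
                effects.add(rule["effect"])
    if "DENY" in effects:
        return "DENY"
    return "ALLOW" if "ALLOW" in effects else "DENY"


def service_in(namespace):
    """Constructed target Service; only metadata.namespace is consulted here."""
    return {"kind": "Service", "metadata": {"name": "api", "namespace": namespace}}


if __name__ == "__main__":
    for who, ns in (("john", "staging"), ("john", "production"),
                    ("alice", "production"), ("bob", "production")):
        print(f"{who:5} -> {ns:10}: {decide(who, service_in(ns))}")
```

Under these assumptions `john` (dev) is allowed into staging by `policy-1` and denied in production by the inline rule; `alice` (admins) reaches production because the condition matches her Group's `attrs.isPrivileged`; and `bob`, who is in both Groups, is denied in production because the dev Group's DENY overrides the admins Group's ALLOW. The point worth checking in any real deployment is exactly that combination rule: when a User sits in several Groups, confirm how the product resolves conflicting effects before relying on Group membership as a boundary.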