Groups

A User may belong to one or more Groups. A Group is simply a way to collect Users according to whatever classification needed by the Cluster administrators (e.g. roles in a company such as DevOps or developers, different groupings of workloads, etc...). Groups can be especially useful for access control where you can apply Policies to a whole set of Users instead of trying to enforce them upon each one. Here is an example:

1
kind: Group
2
metadata:
3
name: dev
4
spec: {}

And you can attach a Group to a User simply as follows:

1
kind: User
2
metadata:
3
name: john
4
spec:
5
groups: ["dev"]

Policies

Policies (read more about Policies and access control here) can be created and/or attached to Groups where they can act as principal-based policies for all the Users belonging to a certain Group. Here is an example:

1
kind: Group
2
metadata:
3
name: dev
4
spec:
5
authorization:
6
policies: ["policy-1", "policy-2"]
7
inlinePolicies:
8
- spec:
9
rules:
10
- effect: DENY
11
condition:
12
match: ctx.service.metadata.namespace == "production"

Attributes

You can extend the information of a Group by feeding it additional information manually or dynamically via the APIs (read more here) from external sources (e.g. IAM platforms, SIEM tools, threat intelligence tools, incident alerting and on-call management tools, etc...). Such additional information can be especially useful for extending access control and making it as fine-grained and dynamic as you wish (read more here). Here is an example:

1
kind: Group
2
metadata:
3
name: admins
4
spec:
5
attrs:
6
isPrivileged: true
7
priority: 1000
8
googleWorkspace:
9
isAdmin: true
10
someKey:
11
key1: val1
12
key2: 100
13
key3: true
14
key4:
15
subKey1: subVal1
NOTE

The attrs field is also available for Users, Services and Namespaces.

© 2025 octelium.comOctelium Labs, LLCAll rights reserved
Octelium and Octelium logo are trademarks of Octelium Labs, LLC.
WireGuard is a registered trademark of Jason A. Donenfeld