Groups

A User may belong to one or more Groups. A Group is simply a way to collect Users according to whatever classification needed by the Cluster administrators (e.g. roles in a company such as DevOps or developers, different groupings of workloads, etc...). Groups can be especially useful for access control where you can apply Policies to a whole set of Users instead of trying to enforce them upon each one. Here is an example:

1kind: Group
2metadata:
3  name: dev
4spec: {}

And you can attach a Group to a User simply as follows:

1kind: User
2metadata:
3  name: john
4spec:
5  groups: ["dev"]

Policies

Policies (read more about Policies and access control here) can be created and/or attached to Groups where they can act as principal-based policies for all the Users belonging to a certain Group. Here is an example:

1kind: Group
2metadata:
3  name: dev
4spec:
5  authorization:
6    policies: ["policy-1", "policy-2"]
7    inlinePolicies:
8      - spec:
9          rules:
10            - effect: DENY
11              condition:
12                match: ctx.service.metadata.namespace == "production"

Attributes

You can extend the information of a Group by feeding it additional information manually or dynamically via the APIs (read more here) from external sources (e.g. IAM platforms, SIEM tools, threat intelligence tools, incident alerting and on-call management tools, etc...). Such additional information can be especially useful for extending access control and making it as fine-grained and dynamic as you wish (read more here). Here is an example:

1kind: Group
2metadata:
3  name: admins
4spec:
5  attrs:
6    isPrivileged: true
7    priority: 1000
8    googleWorkspace:
9      isAdmin: true
10    someKey:
11      key1: val1
12      key2: 100
13      key3: true
14      key4:
15        subKey1: subVal1

NOTE

The attrs field is also available for Users, Services and Namespaces.