Groups
A User may belong to one or more Groups. A Group is simply a way to collect Users according to whatever classification the Cluster administrators need (e.g. roles in a company such as DevOps or developers, different groupings of workloads, etc.). Groups are especially useful for access control: you can apply Policies to a whole set of Users instead of having to enforce them on each one individually. Here is an example:
```yaml
kind: Group
metadata:
  name: dev
spec: {}
```
You attach a User to a Group by listing the Group name under the User's `spec.groups`:
```yaml
kind: User
metadata:
  name: john
spec:
  groups: ["dev"]
```
Policies
Policies (read more about Policies and access control here) can be created and/or attached to Groups, where they act as principal-based policies for all the Users belonging to that Group. A Group can reference existing Policies by name (`policies`) and can also declare its own inline Policies (`inlinePolicies`). Here is an example:
```yaml
kind: Group
metadata:
  name: dev
spec:
  authorization:
    policies: ["policy-1", "policy-2"]
    inlinePolicies:
    - spec:
        rules:
        - effect: DENY
          condition:
            match: ctx.service.metadata.namespace == "production"
```
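To make the Group/User/Policy relationship concrete, the following is an added toy evaluator written for this page; it is not the project's own code or its real policy engine. It assumes that the Policies a Group names under `policies` are looked up in a registry, that every rule carries an `effect` of `ALLOW` or `DENY` together with a `condition.match` expression, and that decisions are default-deny with an explicit `DENY` overriding any `ALLOW`. The resources, the contents of `policy-1` and `policy-2`, and the request contexts are constructed samples that mirror the YAML above.

```python
"""Toy evaluator for the Group -> User -> Policy model described on this page.

Added illustration, not the project's code. Assumptions: named policies live in
a registry, rules have an ALLOW/DENY effect plus a condition.match expression,
and the decision is DENY unless a matching rule ALLOWs and no matching rule
DENYs (deny-overrides, default deny).
"""
import re
from typing import Any

# Constructed sample resources mirroring the page's YAML.
GROUPS = {
    "dev": {
        "kind": "Group",
        "metadata": {"name": "dev"},
        "spec": {
            "authorization": {
                "policies": ["policy-1", "policy-2"],
                "inlinePolicies": [
                    {"spec": {"rules": [
                        {"effect": "DENY",
                         "condition": {"match": 'ctx.service.metadata.namespace == "production"'}},
                    ]}},
                ],
            }
        },
    }
}

USERS = {
    "john": {"kind": "User", "metadata": {"name": "john"}, "spec": {"groups": ["dev"]}},
    "anna": {"kind": "User", "metadata": {"name": "anna"}, "spec": {}},
}

# Hypothetical contents for the named policies the group references.
POLICIES = {
    "policy-1": {"spec": {"rules": [
        {"effect": "ALLOW", "condition": {"match": 'ctx.service.metadata.namespace == "staging"'}},
    ]}},
    "policy-2": {"spec": {"rules": [
        {"effect": "ALLOW", "condition": {"match": 'ctx.service.metadata.namespace == "production"'}},
    ]}},
}

# Only the expression form used on the page is accepted: ctx.<dotted.path> == "<literal>".
# Anything else is rejected instead of being handed to eval(), so a policy
# author cannot smuggle arbitrary code into a condition.
_MATCH_RE = re.compile(r'^ctx((?:\.[A-Za-z_][A-Za-z0-9_]*)+)\s*==\s*"([^"]*)"$')


def _lookup(ctx: dict, dotted: str) -> Any:
    """Walk 'ctx.a.b.c' through nested dicts; a missing key yields None."""
    node: Any = ctx
    for part in dotted.split(".")[1:]:  # skip the leading 'ctx'
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def condition_matches(expr: str, ctx: dict) -> bool:
    """Evaluate a condition.match expression against the request context."""
    m = _MATCH_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported condition: {expr!r}")
    path, literal = m.groups()
    return _lookup(ctx, "ctx" + path) == literal


def rules_for_user(user_name: str) -> list:
    """Collect every rule (named and inline) from every Group the User belongs to."""
    user = USERS[user_name]
    rules: list = []
    for group_name in user["spec"].get("groups", []):
        auth = GROUPS[group_name]["spec"].get("authorization", {})
        for policy_name in auth.get("policies", []):
            rules.extend(POLICIES[policy_name]["spec"]["rules"])
        for inline in auth.get("inlinePolicies", []):
            rules.extend(inline["spec"]["rules"])
    return rules


def authorize(user_name: str, ctx: dict) -> str:
    """Return 'ALLOW' or 'DENY'. Default deny; an explicit DENY beats any ALLOW."""
    decision = "DENY"
    for rule in rules_for_user(user_name):
        if not condition_matches(rule["condition"]["match"], ctx):
            continue
        if rule["effect"] == "DENY":
            return "DENY"
        if rule["effect"] == "ALLOW":
            decision = "ALLOW"
    return decision


if __name__ == "__main__":
    prod = {"service": {"metadata": {"namespace": "production"}}}
    staging = {"service": {"metadata": {"namespace": "staging"}}}
    print(authorize("john", prod))     # DENY: the inline DENY overrides policy-2's ALLOW
    print(authorize("john", staging))  # ALLOW: granted by policy-1
    print(authorize("anna", staging))  # DENY: no groups, so nothing grants access
```

Two design points worth noting: the condition grammar is deliberately restricted to the single comparison form the page uses and the parser refuses anything else rather than falling back to `eval()`, and the merge order means an inline `DENY` on the Group wins even when a named Policy attached to the same Group would have allowed the request. Whether the real product applies deny-overrides or a different combining rule is not stated on this page; check its policy documentation before relying on that behaviour.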