vela auth grant-privileges

Grant privileges for user/group/serviceaccount

Synopsis

Grant privileges for user

Grant privileges to user/group/serviceaccount. By using --for-namespace and --for-cluster, you can grant all read/write privileges for all resources in the specified namespace and cluster. If --for-namespace is not set, the privileges will be granted cluster-wide.

Setting --create-namespace will automatically create the namespace if the namespace of the granted privilege does not exist. By default, this flag is not enabled and an error will be returned if the namespace is not found in the corresponding cluster.

Setting --readonly will only grant read privileges for all resources in the destination. This can be useful if you want to give somebody the privileges to view resources but do not want to allow them to edit any resource.

If multiple identities are set, each identity will be bound to the intended privileges respectively.

If --kubeconfig is set, the user/serviceaccount information in the kubeconfig will be used as the identity to grant privileges. Groups will be ignored.

vela auth grant-privileges

Examples

  # Grant privileges for User alice in the namespace demo of the control plane
  vela auth grant-privileges --user alice --for-namespace demo
  
  # Grant privileges for User alice in the namespace demo in cluster-1, create demo namespace if not exist
  vela auth grant-privileges --user alice --for-namespace demo --for-cluster cluster-1 --create-namespace
  
  # Grant cluster-scoped privileges for Group org:dev-team in the control plane
  vela auth grant-privileges --group org:dev-team
  
  # Grant privileges for Group org:dev-team and org:test-team in the namespace test on the control plane and managed cluster example-cluster
  vela auth grant-privileges --group org:dev-team --group org:test-team --for-namespace test --for-cluster local --for-cluster example-cluster
  
  # Grant read privileges for ServiceAccount observer in test namespace on the control plane
  vela auth grant-privileges --serviceaccount observer -n test --for-namespace test --readonly
  
  # Grant privileges for identity in kubeconfig in cluster-1
  vela auth grant-privileges --kubeconfig ./example.kubeconfig --for-cluster cluster-1

Options

      --create-namespace             If set, non-exist namespace will be created automatically.
  -e, --env string                   The environment name for the CLI request
      --for-cluster strings          The clusters privileges to grant. If empty, the control plane will be used.
      --for-namespace strings        The namespaces privileges to grant. If empty, cluster-scoped privileges will be granted.
  -g, --group strings                The group to grant privileges.
  -h, --help                         help for grant-privileges
      --kubeconfig string            The kubeconfig to grant privileges. If set, it will override all the other identity flags.
  -n, --namespace --serviceaccount   The namespace of the serviceaccount. This flag only works when --serviceaccount is set.
      --readonly                     If set, only read privileges of resources will be granted. Otherwise, read/write privileges will be granted.
      --serviceaccount string        The serviceaccount to grant privileges.
  -u, --user string                  The user to grant privileges.
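
The defaults above decide how broad a grant is: no --for-namespace means a cluster-scoped grant, no --readonly means read/write, and --kubeconfig replaces the other identity flags. The following pre-flight check is an added example, not part of vela or the KubeVela project; `grant_scope` is a hypothetical helper that only parses an argument list, never runs vela, and returns non-zero for a cluster-scoped read/write grant so a review step can stop on it.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not part of vela): summarise what a
# `vela auth grant-privileges` argument list would grant, using the flag
# semantics documented on this page. It only parses arguments.
grant_scope() {
  local ids="" sa="" sa_ns="" kc="" clusters="" nss="" access="read/write" flag val
  while [ $# -gt 0 ]; do
    flag=$1; val=""
    # Accept the --flag=value form as well as "--flag value".
    case $flag in --*=*) val=${flag#*=}; flag=${flag%%=*} ;; esac
    case $flag in
      --readonly) access="read-only" ;;
      -u|--user|-g|--group|--serviceaccount|-n|--namespace|--kubeconfig|--for-cluster|--for-namespace)
        if [ -z "$val" ] && [ $# -ge 2 ]; then val=$2; shift; fi
        case $flag in
          -u|--user)        ids="${ids:+$ids,}user:$val" ;;
          -g|--group)       ids="${ids:+$ids,}group:$val" ;;
          --serviceaccount) sa=$val ;;
          -n|--namespace)   sa_ns=$val ;;
          --kubeconfig)     kc=$val ;;
          --for-cluster)    clusters="${clusters:+$clusters,}$val" ;;
          --for-namespace)  nss="${nss:+$nss,}$val" ;;
        esac ;;
    esac
    shift
  done
  # -n/--namespace only qualifies the serviceaccount identity.
  if [ -n "$sa" ]; then ids="${ids:+$ids,}serviceaccount:${sa_ns:+$sa_ns/}$sa"; fi
  # --kubeconfig overrides all the other identity flags.
  if [ -n "$kc" ]; then ids="kubeconfig:$kc"; fi
  # No --for-cluster: control plane. No --for-namespace: cluster-scoped grant.
  echo "identities=$ids clusters=${clusters:-control-plane} namespaces=${nss:-ALL} access=$access"
  # Non-zero for the broadest case: read/write on every namespace of a cluster.
  [ -n "$nss" ] || [ "$access" = "read-only" ]
}
```

Run it over the same arguments you intend to pass to the real command, for example `grant_scope --group org:dev-team || echo "cluster-scoped read/write: needs review"`.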

Options inherited from parent commands

  -V, --verbosity Level   number for the log level verbosity
  -y, --yes               Assume yes for all user prompts

SEE ALSO

  • vela auth - Manage identity and authorizations.

Auto generated by spf13/cobra script in KubeVela.