Configuring cluster roles for Che users
You can grant Che users more cluster permissions by adding cluster roles to those users.
Prerequisites
- An active kubectl session with administrative permissions to the destination Kubernetes cluster. See Overview of kubectl.
Procedure
- Define the name of the user roles:
$ USER_ROLES=<name> (1)
1 Unique resource name.
- Find out the namespace where the Che Operator is deployed:
$ OPERATOR_NAMESPACE=$(kubectl get pods -l app.kubernetes.io/component=che-operator -o jsonpath={".items[0].metadata.namespace"} --all-namespaces)
- Create the needed roles:
$ kubectl apply -f - <<EOF
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${USER_ROLES}
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
rules:
  - verbs:
      - <verbs> (1)
    apiGroups:
      - <apiGroups> (2)
    resources:
      - <resources> (3)
EOF
1 As <verbs>, list all Verbs that apply to all ResourceKinds and AttributeRestrictions contained in this rule. You can use * to represent all verbs.
2 As <apiGroups>, name the APIGroups that contain the resources.
3 As <resources>, list all resources that this rule applies to. You can use * to represent all resources.
- Delegate the roles to the Che Operator:
$ kubectl apply -f - <<EOF
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${USER_ROLES}-operator
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
subjects:
  - kind: ServiceAccount
    name: che-operator
    namespace: ${OPERATOR_NAMESPACE}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${USER_ROLES}
EOF
- Configure the Che Operator to delegate the roles to the che service account:
$ kubectl patch checluster eclipse-che \
    --patch '{"spec": {"components": {"cheServer": {"clusterRoles": ["'${USER_ROLES}'"]}}}}' \
    --type=merge -n eclipse-che
- Configure the Che server to delegate the roles to a user:
$ kubectl patch checluster eclipse-che \
    --patch '{"spec": {"devEnvironments": {"user": {"clusterRoles": ["'${USER_ROLES}'"]}}}}' \
    --type=merge -n eclipse-che
- Wait for the rollout of the Che server components to be completed.
- Ask the user to log out and log in to have the new roles applied.
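Because the ClusterRole created above is delegated to every Che user, it is worth checking its rules for wildcards and privilege-escalating permissions before applying it. The following audit is an added example and not part of the Eclipse Che documentation or project; the manifests are constructed in the shape of kubectl get clusterrole -o json output, and the role name che-user-roles and the lists of escalating verbs and sensitive resources are assumptions.

```python
"""Audit a ClusterRole manifest before it is delegated to all Che users."""
import json

# Verbs that let the holder grant or assume permissions beyond its own (assumed list).
ESCALATING_VERBS = {"*", "bind", "escalate", "impersonate"}
# Resources that expose credentials or other workloads (assumed list).
SENSITIVE_RESOURCES = {
    "*", "secrets", "pods/exec", "pods/attach", "pods/portforward",
    "roles", "clusterroles", "rolebindings", "clusterrolebindings",
    "serviceaccounts/token", "nodes/proxy",
}
CHE_LABEL = ("app.kubernetes.io/part-of", "che.eclipse.org")


def audit_cluster_role(role: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if role.get("kind") != "ClusterRole":
        findings.append(f"kind is {role.get('kind')!r}, expected ClusterRole")
    labels = role.get("metadata", {}).get("labels", {})
    if labels.get(CHE_LABEL[0]) != CHE_LABEL[1]:
        findings.append(f"missing label {CHE_LABEL[0]}={CHE_LABEL[1]}")
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in rule.get("apiGroups", []):
            findings.append(f"rule {i}: wildcard apiGroups")
        if verbs & ESCALATING_VERBS:
            findings.append(f"rule {i}: escalating verbs {sorted(verbs & ESCALATING_VERBS)}")
        if resources & SENSITIVE_RESOURCES:
            findings.append(f"rule {i}: sensitive resources {sorted(resources & SENSITIVE_RESOURCES)}")
    return findings


# Constructed manifests for a hypothetical role named che-user-roles.
READ_ONLY_ROLE = json.loads("""{
  "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1",
  "metadata": {"name": "che-user-roles",
               "labels": {"app.kubernetes.io/part-of": "che.eclipse.org"}},
  "rules": [{"verbs": ["get", "list", "watch"], "apiGroups": ["apps"],
             "resources": ["deployments"]}]
}""")
WILDCARD_ROLE = json.loads("""{
  "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1",
  "metadata": {"name": "che-user-roles", "labels": {}},
  "rules": [{"verbs": ["*"], "apiGroups": ["*"], "resources": ["*"]}]
}""")

if __name__ == "__main__":
    for name, role in (("read-only", READ_ONLY_ROLE), ("wildcard", WILDCARD_ROLE)):
        print(name, audit_cluster_role(role) or "OK")
```

To audit a live role, feed the output of kubectl get clusterrole ${USER_ROLES} -o json into audit_cluster_role in the same way.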