Kubernetes Cluster Roles
Overview
Thalassa Cloud provides an IAM system that spans multiple layers:
- Platform IAM: Controls access to Thalassa Cloud’s platform features and API
- Kubernetes IAM: Manages Kubernetes RBAC rules through our API
- Kubernetes RBAC: The actual implementation in your clusters
This document focuses on the Kubernetes IAM layer, which allows you to define fine-grained RBAC rules for your Kubernetes clusters through our API.
Available Cluster Roles
We support a set of system-defined Kubernetes ClusterRoles; among others, the cluster-admin role is available. You can also define your own custom roles for Kubernetes.
Role Bindings
Thalassa Cloud’s Kubernetes IAM system allows you to define RBAC rules through our API. These rules are then automatically available for your Kubernetes clusters. The process works as follows:
- You define RBAC rules through the Thalassa Cloud API.
- Our platform stores these rules in the Kubernetes IAM system.
- Thalassa Cloud Kubernetes clusters call the Platform API to make authorization decisions.
Creating Role Bindings
- Navigate to the IAM section in the Thalassa Cloud Console, under Kubernetes.
- Select “Kubernetes Roles”.
- Choose the cluster role you want to assign.
- Add users or teams to the role binding.
- Save the changes.
The platform will automatically ensure the users receive their RBAC rules.
Best Practices
- Use Teams: Instead of assigning roles to individual users, create teams and assign roles to teams. This makes management easier and more scalable.
- Regular Audits: Periodically review role bindings to ensure they still reflect current requirements.
- Least Privilege: Always assign the minimum required permissions. Start with the most restrictive role and add permissions only if necessary.
- Documentation: Document the purpose and scope of each role binding for future reference.
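As an added example that is not Thalassa Cloud's own code or API, the following script supports the "Use Teams", "Least Privilege" and "Regular Audits" practices above: it reads the JSON that `kubectl get clusterrolebindings -o json` produces and flags bindings that grant cluster-admin or that bind individual users instead of teams. It assumes the platform-managed bindings are visible as standard ClusterRoleBinding objects; the binding data and all names below are constructed placeholders.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
# Names are placeholders, not a real cluster dump.
SAMPLE_BINDINGS_JSON = """
{"items": [
  {"metadata": {"name": "ops-admins"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "team-platform-ops"}]},
  {"metadata": {"name": "alice-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "name": "alice@example.com"}]},
  {"metadata": {"name": "dev-readonly"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "Group", "name": "team-dev"},
                {"kind": "User", "name": "bob@example.com"}]}
]}
"""


def audit_bindings(bindings_json, privileged=("cluster-admin",)):
    """Return (binding name, finding) pairs worth reviewing in an audit.

    Two checks are applied to every subject of every ClusterRoleBinding:
      * a User subject is bound directly (prefer a team / Group);
      * the subject receives one of the `privileged` roles.
    """
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        name = item["metadata"]["name"]
        role = item.get("roleRef", {}).get("name", "")
        # `subjects` may be absent or null on a binding with no members.
        for subj in item.get("subjects") or []:
            kind, who = subj.get("kind"), subj.get("name")
            if kind == "User":
                findings.append((name, f"user {who} bound directly; prefer a team"))
            if role in privileged:
                findings.append((name, f"{kind} {who} holds {role}"))
    return findings


if __name__ == "__main__":
    # To audit a live cluster: kubectl get clusterrolebindings -o json | python audit.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BINDINGS_JSON
    for binding, finding in audit_bindings(data):
        print(f"{binding}: {finding}")
```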