Docs: Authorization - Granting user access to API resources #1383

@tlwu2013

We need documentation that explains how to grant users access to API resources provided by installed packages through RBAC authorization.

This will enable users, other than cluster admins themselves, to create custom resource objects for consuming the provided API from installed operators/cluster extensions.

Specifically, the documentation covers:

1. Create default ClusterRoles for API/CRD access (if not provided by the bundle itself):

  • Default "view" ClusterRole: Grants users permission to view all custom resource objects/instances of specified API resources across the cluster.
  • Default "edit" ClusterRole: Allows users to modify all custom resource objects/instances of specified API resources within the cluster.
  • Default "admin" ClusterRole: Provides users with full permissions over all custom resource objects/instances of specified API resources in the cluster.

2. Grant user access to API resources:

  • Option 1: Binding default ClusterRoles to users:
    • ClusterRoleBinding: Grants users permissions across all namespaces.
    • RoleBinding: Grants users permissions within a specific namespace.
  • Option 2: Extending default Kubernetes roles:
    • Aggregation Labels: By adding aggregation labels to custom resource definitions, users with existing RoleBinding or ClusterRoleBinding for default Kubernetes roles automatically gain access to equivalent "view/edit/admin" ClusterRoles for the provided APIs/CRDs.
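
The manifests below are an added example, not part of the issue or of the project's documentation. They sketch a least-privilege "view" and "edit" ClusterRole for one API, carrying the aggregation labels that the built-in Kubernetes roles select on ClusterRole objects, plus a namespace-scoped RoleBinding. The API group `example.com`, resource `widgets`, user `alice` and namespace `team-a` are assumed names.

```yaml
# Constructed example. Assumed names (not from the issue): API group
# "example.com", resource "widgets", user "alice", namespace "team-a".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: widgets-view
  labels:
    # Option 2: the built-in "view" ClusterRole aggregates any ClusterRole
    # carrying this label, so existing "view" bindings gain these rules.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["example.com"]
  resources: ["widgets"]
  verbs: ["get", "list", "watch"]   # read-only
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: widgets-edit
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["example.com"]
  resources: ["widgets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Option 1, namespace-scoped: a RoleBinding that references a ClusterRole
# grants its rules only inside the RoleBinding's own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-widgets-edit
  namespace: team-a
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: widgets-edit
  apiGroup: rbac.authorization.k8s.io
```

The resulting access can be checked with `kubectl auth can-i create widgets.example.com --as alice -n team-a`, and the same command against another namespace should answer `no`.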

Labels: documentation (Improvements or additions to documentation)