AuthzClusterRole
An AuthzClusterRole defines a cluster-scoped authorization role containing a set of permitted actions. Cluster roles are available across all namespaces and can be referenced by both AuthzClusterRoleBinding and AuthzRoleBinding resources.
API Version
openchoreo.dev/v1alpha1
Resource Definition
Metadata
AuthzClusterRoles are cluster-scoped resources.
```yaml
apiVersion: openchoreo.dev/v1alpha1
kind: AuthzClusterRole
metadata:
  name: <role-name>
```
Spec Fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| actions | []string | Yes | - | List of actions this role permits. Supports wildcards (`*`, `component:*`). Minimum 1 item |
| description | string | No | "" | Human-readable description of the role's purpose |
Actions Format
Actions follow the `resource:verb` format. Supported patterns:
| Pattern | Meaning |
|---|---|
| component:view | A specific action |
| component:* | All actions for a resource type |
| * | All actions on all resources |
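The matching and validation rules from the two tables above, as an added illustration in Go; this is not OpenChoreo's own authorization code, and the treatment of resource-side wildcards such as `*:view` (rejected, since the page lists no such pattern) is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ActionPermitted reports whether a requested "resource:verb" action is covered
// by a role's action list using the patterns from the table above: an exact
// "resource:verb", a resource-wide "resource:*", or the global "*".
func ActionPermitted(roleActions []string, requested string) bool {
	res, verb, ok := strings.Cut(requested, ":")
	if !ok || res == "" || verb == "" {
		return false // malformed requests are never permitted
	}
	for _, a := range roleActions {
		if a == "*" || a == requested || a == res+":*" {
			return true
		}
	}
	return false
}

// ValidateActions checks the spec.actions constraints from the field table:
// at least one item, each either "*" or resource:verb (verb may be "*").
// Resource-side wildcards like "*:view" are rejected here (assumption).
func ValidateActions(actions []string) error {
	if len(actions) == 0 {
		return errors.New("spec.actions must contain at least 1 item")
	}
	for _, a := range actions {
		if a == "*" {
			continue
		}
		res, verb, ok := strings.Cut(a, ":")
		if !ok || res == "" || verb == "" || strings.Contains(res, "*") {
			return fmt.Errorf("invalid action %q: expected resource:verb", a)
		}
	}
	return nil
}

func main() {
	viewer := []string{"namespace:view", "project:view", "component:view"}
	fmt.Println(ActionPermitted(viewer, "component:view"))                   // true
	fmt.Println(ActionPermitted(viewer, "component:delete"))                 // false
	fmt.Println(ActionPermitted([]string{"component:*"}, "component:delete")) // true
}
```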
Examples
Platform Admin (Full Access)
```yaml
apiVersion: openchoreo.dev/v1alpha1
kind: AuthzClusterRole
metadata:
  name: platform-admin
spec:
  actions:
    - "*"
  description: "Platform administrator with full access to all resources"
```
Read-Only Viewer
```yaml
apiVersion: openchoreo.dev/v1alpha1
kind: AuthzClusterRole
metadata:
  name: viewer
spec:
  actions:
    - "namespace:view"
    - "project:view"
    - "component:view"
    - "environment:view"
    - "workflow:view"
    - "dataplane:view"
  description: "Read-only access to core resources"
```
Related Resources
- AuthzRole - Namespace-scoped role
- AuthzClusterRoleBinding - Bind subjects to cluster roles cluster-wide
- AuthzRoleBinding - Bind subjects to roles within a namespace