
AuthzClusterRoleBinding

An AuthzClusterRoleBinding connects a subject (identified by a JWT claim-value pair) to an AuthzClusterRole, granting or denying the role's permissions across all resources in the cluster.

API Version

openchoreo.dev/v1alpha1

Resource Definition

Metadata

AuthzClusterRoleBindings are cluster-scoped resources, so the metadata carries a name but no namespace.

apiVersion: openchoreo.dev/v1alpha1
kind: AuthzClusterRoleBinding
metadata:
  name: <binding-name>

Spec Fields

Field       | Type             | Required | Default | Description
entitlement | EntitlementClaim | Yes      | -       | Subject identification from JWT claims
roleRef     | RoleRef          | Yes      | -       | Reference to the cluster role to bind
effect      | string           | No       | allow   | allow or deny

EntitlementClaim

Field | Type   | Required | Description
claim | string | Yes      | JWT claim name (e.g., groups, sub, email)
value | string | Yes      | JWT claim value to match (e.g., platformEngineer)

RoleRef

Field | Type   | Required | Description
kind  | string | Yes      | Must be AuthzClusterRole
name  | string | Yes      | Name of the AuthzClusterRole to bind

Important: AuthzClusterRoleBindings can only reference AuthzClusterRole resources, not namespace-scoped AuthzRole resources. This is enforced by a validation rule on the resource.

Examples

Grant Admin Access to a Group

apiVersion: openchoreo.dev/v1alpha1
kind: AuthzClusterRoleBinding
metadata:
  name: platform-admins-binding
spec:
  entitlement:
    claim: groups
    value: platformEngineer
  roleRef:
    kind: AuthzClusterRole
    name: platform-admin
  effect: allow

Grant Viewer Access to a Service Account

apiVersion: openchoreo.dev/v1alpha1
kind: AuthzClusterRoleBinding
metadata:
  name: backstage-reader-binding
spec:
  entitlement:
    claim: sub
    value: openchoreo-backstage-client
  roleRef:
    kind: AuthzClusterRole
    name: viewer
  effect: allow

Deny Access Cluster-Wide

apiVersion: openchoreo.dev/v1alpha1
kind: AuthzClusterRoleBinding
metadata:
  name: block-contractors
spec:
  entitlement:
    claim: groups
    value: contractors
  roleRef:
    kind: AuthzClusterRole
    name: platform-admin
  effect: deny
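The following Go program is an added example and is not OpenChoreo's own code. It mirrors the spec fields documented above as plain structs, enforces the documented constraints (required fields, allow/deny with allow as the default, roleRef.kind must be AuthzClusterRole), and then evaluates the three example bindings against a constructed, already-decoded JWT payload. The type names, the Validate and MatchBindings functions, and the rule that an array-valued claim such as groups matches when it contains the value are my assumptions; how OpenChoreo's real matcher treats array claims and how it combines allow and deny are not specified on this page, so the example returns every matching binding with its effect and leaves the final decision to the caller.

```go
package main

import (
	"errors"
	"fmt"
)

// EntitlementClaim mirrors spec.entitlement: the JWT claim name and the value to match.
type EntitlementClaim struct{ Claim, Value string }

// RoleRef mirrors spec.roleRef.
type RoleRef struct{ Kind, Name string }

// ClusterRoleBinding is an in-memory form of an AuthzClusterRoleBinding (my types, not OpenChoreo's).
type ClusterRoleBinding struct {
	Name        string
	Entitlement EntitlementClaim
	RoleRef     RoleRef
	Effect      string // "allow", "deny" or "" (defaults to "allow")
}

type Decision struct{ Binding, Role, Effect string }

// Validate enforces the constraints documented above: required fields, effect in
// {allow, deny} with allow as default, and roleRef.kind must be AuthzClusterRole.
func Validate(b *ClusterRoleBinding) error {
	if b.Entitlement.Claim == "" || b.Entitlement.Value == "" {
		return errors.New("spec.entitlement.claim and spec.entitlement.value are required")
	}
	if b.RoleRef.Name == "" {
		return errors.New("spec.roleRef.name is required")
	}
	if b.RoleRef.Kind != "AuthzClusterRole" {
		return fmt.Errorf("spec.roleRef.kind must be AuthzClusterRole, got %q", b.RoleRef.Kind)
	}
	switch b.Effect {
	case "":
		b.Effect = "allow"
	case "allow", "deny":
	default:
		return fmt.Errorf("spec.effect must be allow or deny, got %q", b.Effect)
	}
	return nil
}

// claimMatches checks a decoded JWT payload for claim == value. Assumption, not
// stated on the page: a string claim must be equal, and an array claim such as
// groups matches when it contains value. Any other type never matches.
func claimMatches(claims map[string]any, claim, value string) bool {
	switch v := claims[claim].(type) {
	case string:
		return v == value
	case []any:
		for _, e := range v {
			if s, ok := e.(string); ok && s == value {
				return true
			}
		}
	}
	return false
}

// MatchBindings validates every binding and returns those whose entitlement matches
// the claims. Allow/deny precedence is not documented here, so the caller decides.
func MatchBindings(bindings []ClusterRoleBinding, claims map[string]any) ([]Decision, error) {
	var out []Decision
	for i := range bindings {
		b := &bindings[i]
		if err := Validate(b); err != nil {
			return nil, fmt.Errorf("binding %s: %w", b.Name, err)
		}
		if claimMatches(claims, b.Entitlement.Claim, b.Entitlement.Value) {
			out = append(out, Decision{b.Name, b.RoleRef.Name, b.Effect})
		}
	}
	return out, nil
}

// ExampleBindings is the three bindings from the Examples section, as structs.
func ExampleBindings() []ClusterRoleBinding {
	return []ClusterRoleBinding{
		{"platform-admins-binding", EntitlementClaim{"groups", "platformEngineer"}, RoleRef{"AuthzClusterRole", "platform-admin"}, "allow"},
		{"backstage-reader-binding", EntitlementClaim{"sub", "openchoreo-backstage-client"}, RoleRef{"AuthzClusterRole", "viewer"}, "allow"},
		{"block-contractors", EntitlementClaim{"groups", "contractors"}, RoleRef{"AuthzClusterRole", "platform-admin"}, "deny"},
	}
}

func main() {
	// Constructed sample payload of a decoded JWT; groups is an array, as most IdPs emit it.
	claims := map[string]any{"sub": "alice", "groups": []any{"contractors", "developers"}}
	decisions, err := MatchBindings(ExampleBindings(), claims)
	if err != nil {
		panic(err)
	}
	for _, d := range decisions {
		fmt.Printf("%s matched: %s %s\n", d.Binding, d.Effect, d.Role)
	}
}
```

With the sample token above only block-contractors matches (a deny on platform-admin); a token whose sub is openchoreo-backstage-client matches only backstage-reader-binding. A binding whose roleRef.kind is AuthzRole is rejected before matching, which is the same outcome the validation rule described under RoleRef produces at admission time.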