Version: v0.17.x

AuthzClusterRoleBinding

An AuthzClusterRoleBinding connects a subject (identified by a JWT claim-value pair) to an AuthzClusterRole, granting or denying the role's permissions across all resources in the cluster.

API Version

openchoreo.dev/v1alpha1

Resource Definition

Metadata

AuthzClusterRoleBindings are cluster-scoped resources.

apiVersion: openchoreo.dev/v1alpha1
kind: AuthzClusterRoleBinding
metadata:
  name: <binding-name>

Spec Fields

| Field | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| entitlement | EntitlementClaim | Yes | - | Subject identification from JWT claims |
| roleRef | RoleRef | Yes | - | Reference to the cluster role to bind |
| effect | string | No | allow | allow or deny |

EntitlementClaim

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| claim | string | Yes | JWT claim name (e.g., groups, sub, email) |
| value | string | Yes | JWT claim value to match (e.g., platformEngineer) |

RoleRef

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| kind | string | Yes | Must be AuthzClusterRole |
| name | string | Yes | Name of the AuthzClusterRole to bind |
Important: AuthzClusterRoleBindings can only reference AuthzClusterRole resources, not namespace-scoped AuthzRole resources. This is enforced by a validation rule on the resource.

Examples

Grant Admin Access to a Group

apiVersion: openchoreo.dev/v1alpha1
kind: AuthzClusterRoleBinding
metadata:
  name: platform-admins-binding
spec:
  entitlement:
    claim: groups
    value: platformEngineer
  roleRef:
    kind: AuthzClusterRole
    name: platform-admin
  effect: allow

Grant Viewer Access to a Service Account

apiVersion: openchoreo.dev/v1alpha1
kind: AuthzClusterRoleBinding
metadata:
  name: backstage-reader-binding
spec:
  entitlement:
    claim: sub
    value: openchoreo-backstage-client
  roleRef:
    kind: AuthzClusterRole
    name: viewer
  effect: allow

Deny Access Cluster-Wide

apiVersion: openchoreo.dev/v1alpha1
kind: AuthzClusterRoleBinding
metadata:
  name: block-contractors
spec:
  entitlement:
    claim: groups
    value: contractors
  roleRef:
    kind: AuthzClusterRole
    name: platform-admin
  effect: deny
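As an added illustration (not part of the OpenChoreo docs or code base), the following Python models the spec rules on this page and evaluates the three example bindings above against a set of JWT claims. The validation checks mirror the field tables; how a list-valued claim such as groups is matched, and that a deny on a role overrides an allow on the same role, are assumptions of this example rather than documented behaviour.

```python
def validate_binding(binding):
    """Errors for one binding per the spec tables (empty list = valid)."""
    errors = []
    spec = binding.get("spec") or {}
    ent = spec.get("entitlement") or {}
    for field in ("claim", "value"):
        if not ent.get(field):
            errors.append(f"spec.entitlement.{field} is required")
    ref = spec.get("roleRef") or {}
    if ref.get("kind") != "AuthzClusterRole":  # the page's validation rule
        errors.append("spec.roleRef.kind must be AuthzClusterRole")
    if not ref.get("name"):
        errors.append("spec.roleRef.name is required")
    if spec.get("effect", "allow") not in ("allow", "deny"):  # default allow
        errors.append("spec.effect must be allow or deny")
    return errors

def matches(binding, claims):
    """True when the JWT claims carry the binding's claim/value pair."""
    ent = binding["spec"]["entitlement"]
    actual = claims.get(ent["claim"])
    # Assumption: a list-valued claim such as groups matches on any element.
    if isinstance(actual, list):
        return ent["value"] in actual
    return actual == ent["value"]

def effective_roles(bindings, claims):
    """Return (allowed, denied) AuthzClusterRole names for these claims.
    Assumption: a deny on a role overrides any allow for the same role."""
    allowed, denied = set(), set()
    for b in bindings:
        if validate_binding(b) or not matches(b, claims):
            continue  # ignore malformed bindings and non-matching subjects
        role = b["spec"]["roleRef"]["name"]
        (denied if b["spec"].get("effect", "allow") == "deny" else allowed).add(role)
    return allowed - denied, denied

def make_binding(name, claim, value, role, effect="allow"):
    """Build a binding dict shaped like the YAML examples on this page."""
    return {"apiVersion": "openchoreo.dev/v1alpha1", "kind": "AuthzClusterRoleBinding",
            "metadata": {"name": name}, "spec": {"entitlement": {"claim": claim, "value": value},
            "roleRef": {"kind": "AuthzClusterRole", "name": role}, "effect": effect}}

# Constructed sample: the three bindings from this page's Examples section.
SAMPLE_BINDINGS = [
    make_binding("platform-admins-binding", "groups", "platformEngineer", "platform-admin"),
    make_binding("backstage-reader-binding", "sub", "openchoreo-backstage-client", "viewer"),
    make_binding("block-contractors", "groups", "contractors", "platform-admin", "deny"),
]
```

A subject in both platformEngineer and contractors ends up with platform-admin denied, which is the intended effect of the block-contractors binding under the deny-overrides assumption.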