IAM API

IMPORTANT: Nested resource groups beyond a single level, along with resources (excluding ResourceGroups and OrgPermissionSets) created directly in the organization root resource group, are a legacy feature that will soon be removed and should already be considered unsupported.

Environment setup

See the Getting Started docs for how to download and log in to evroc's cloud.

Furthermore, we recommend that you have read Understanding evroc's cloud API, which explains how to get a configuration file for accessing our Kubernetes API.

Example organization setup

In this example we are going to set up an organization with the structure outlined below using the API. Our Organization consists of three users: Alice, Bob and Oscar.

  • Oscar is the Organization administrator who needs access to all ResourceGroups in the Organization in a consistent manner.
  • Alice should have access to the ResourceGroup named alpha.
  • Bob should have access to the ResourceGroup named beta.

organization
├── alpha
└── beta

Creating ResourceGroups

Start by creating the ResourceGroups named alpha and beta in the Organization:

$ kubectl apply -f - <<EOF
apiVersion: iam.evroclabs.net/v1alpha3
kind: ResourceGroup
metadata:
  name: alpha
  namespace: organization
EOF

$ kubectl apply -f - <<EOF
apiVersion: iam.evroclabs.net/v1alpha3
kind: ResourceGroup
metadata:
  name: beta
  namespace: organization
EOF

Which should return, respectively:

resourcegroup.iam.evroclabs.net/alpha created

and

resourcegroup.iam.evroclabs.net/beta created

Viewing ResourceGroups

Check that the newly created ResourceGroups are in a Ready state:

$ kubectl get resourcegroups -A
NAMESPACE             NAME             READY   REASON
organization          alpha            True    Ready
organization          beta             True    Ready

Managing permissions

Granting Organization-wide admin permissions to users

While we are still in the Organization context, we can create an OrgPermissionSet for Oscar that gives him Organization-wide access to all ResourceGroups:

$ kubectl apply -f - <<EOF
apiVersion: iam.evroclabs.net/v1alpha3
kind: OrgPermissionSet
metadata:
  name: oscar
spec:
  admin: true
  subject:
    type: user
    user:
      email: oscar@organization.com
EOF

Which should return:

orgpermissionset.iam.evroclabs.net/oscar created

Granting admin permission to users to ResourceGroups

Navigate to the ResourceGroup named alpha by running the following command:

$ evroc iam resourcegroup cd alpha

While we are still inside the alpha ResourceGroup we can give access to Alice:

$ kubectl apply -f - <<EOF
apiVersion: iam.evroclabs.net/v1alpha3
kind: PermissionSet
metadata:
  name: alice
  namespace: alpha
spec:
  admin: true
  subject:
    type: user
    user:
      email: alice@organization.com
EOF

Which should return:

permissionset.iam.evroclabs.net/alice created

This PermissionSet gives Alice admin access to the alpha ResourceGroup only.

Because we are still in the alpha ResourceGroup, navigating to the beta ResourceGroup takes two commands: first go up to the Organization, then into beta:

$ evroc iam resourcegroup cd ..
$ evroc iam resourcegroup cd beta

Inside the beta ResourceGroup we can give user Bob admin access:

$ kubectl apply -f - <<EOF
apiVersion: iam.evroclabs.net/v1alpha3
kind: PermissionSet
metadata:
  name: bob
  namespace: beta
spec:
  admin: true
  subject:
    type: user
    user:
      email: bob@organization.com
EOF

Which should return:

permissionset.iam.evroclabs.net/bob created
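The setup above combines one OrgPermissionSet with two PermissionSets, and the resulting access is the union of both: Oscar on every ResourceGroup, Alice only on alpha, Bob only on beta. The following added example (not part of evroc's documentation or tooling) computes that effective admin map from the objects and diffs it against the intended layout, so that a stray or missing PermissionSet is reported instead of going unnoticed. The input is constructed by hand from the manifests on this page, in the dict shape that `kubectl get <kind> -A -o json` returns under "items"; the field names are taken from those manifests.

```python
# Added example: derive effective admin access from IAM objects and detect drift.
# Objects below are constructed from the manifests on this page, shaped like the
# "items" entries of `kubectl get orgpermissionsets -o json` / `kubectl get permissionsets -A -o json`.

RESOURCE_GROUPS = ["alpha", "beta"]  # as listed by `kubectl get resourcegroups -A`

ORG_PERMISSION_SETS = [  # constructed from the OrgPermissionSet manifest above
    {"metadata": {"name": "oscar"},
     "spec": {"admin": True, "subject": {"type": "user", "user": {"email": "oscar@organization.com"}}}},
]
PERMISSION_SETS = [  # constructed from the two PermissionSet manifests above
    {"metadata": {"name": "alice", "namespace": "alpha"},
     "spec": {"admin": True, "subject": {"type": "user", "user": {"email": "alice@organization.com"}}}},
    {"metadata": {"name": "bob", "namespace": "beta"},
     "spec": {"admin": True, "subject": {"type": "user", "user": {"email": "bob@organization.com"}}}},
]

def user_subject(spec):
    """Return the e-mail of a user subject; the page shows no other subject types."""
    subject = spec["subject"]
    if subject.get("type") != "user":
        raise ValueError(f"unsupported subject type: {subject.get('type')!r}")
    return subject["user"]["email"]

def effective_admins(resource_groups, org_sets, perm_sets):
    """Map each ResourceGroup name to the set of users holding admin on it."""
    admins = {rg: set() for rg in resource_groups}
    # An OrgPermissionSet with admin: true covers every ResourceGroup in the Organization.
    for ops in org_sets:
        if ops["spec"].get("admin"):
            for rg in resource_groups:
                admins[rg].add(user_subject(ops["spec"]))
    # A PermissionSet covers only the ResourceGroup whose name is its namespace.
    for ps in perm_sets:
        rg = ps["metadata"]["namespace"]
        if rg not in admins:  # targets no known ResourceGroup: report it, never silently skip
            raise ValueError(f"PermissionSet {ps['metadata']['name']!r} targets unknown ResourceGroup {rg!r}")
        if ps["spec"].get("admin"):
            admins[rg].add(user_subject(ps["spec"]))
    return admins

def access_drift(observed, intended):
    """Return {resource_group: (extra_admins, missing_admins)} for groups that differ."""
    drift = {}
    for rg in set(observed) | set(intended):
        extra = observed.get(rg, set()) - intended.get(rg, set())
        missing = intended.get(rg, set()) - observed.get(rg, set())
        if extra or missing:
            drift[rg] = (extra, missing)
    return drift
```

Running `access_drift` against an intended map after every change to PermissionSets turns the layout described on this page into a check rather than an assumption.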