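# Tenant RBAC - More granular than Azure RBAC
# Fine-grained permissions beyond Azure's role-based access
#
# Every object below is a namespaced Role (not a ClusterRole), so each grant is
# confined to the tenant namespace these templates are rendered into.
# No role grants anything in rbac.authorization.k8s.io: tenants cannot edit
# Roles/RoleBindings themselves. Bindings are produced by the automation that
# renders the RoleBinding template at the end of this file.
#
# Core ("") API group caveat: it contains secrets, serviceaccounts and the
# pods/exec, pods/portforward and serviceaccounts/token subresources. A
# wildcard resource list in that group grants far more than it looks like,
# which is why only the owner role uses one, and the viewer role enumerates
# its resources explicitly.

---
# Tenant Owner Role - Full control over tenant
# Wildcards are intentional (this is the top tenant role), but note what they
# include: pods/exec, pods/portforward, every Secret in the namespace and
# serviceaccounts/token (TokenRequest). An owner can therefore mint a token for
# any ServiceAccount in the namespace, so any cluster-scoped permissions bound
# to those ServiceAccounts are reachable by the tenant owner. Wildcards also
# silently pick up resource kinds added by future API versions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tenant-owner
  namespace: tenant-template
rules:
  - apiGroups: [""]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["apps"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["*"]
    verbs: ["*"]
---
# Tenant Admin Role - Administrative access
# Full CRUD on an explicit resource list. "create pods" alone is already
# equivalent to reading every Secret and acting as every ServiceAccount in the
# namespace (a pod can mount any of them), so the explicit "secrets" entry adds
# convenience rather than new reach.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tenant-admin
  namespace: tenant-template
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps", "secrets", "persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies", "ingresses"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Tenant User Role - Standard access
# No "delete" verb and no direct API access to Secrets.
# Caveat: this role can create pods and deployments, so a user can still mount
# any Secret or run as any ServiceAccount in the namespace from inside a
# workload. The Secret restriction is enforced at the API level only; pair it
# with an admission policy (restricting serviceAccountName / volume sources)
# if it must hold against a user who can create workloads.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tenant-user
  namespace: tenant-template
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
# Tenant Viewer Role - Read-only access
# Resources are enumerated instead of wildcarded. A core-group wildcard with
# get/list/watch would expose Secret contents (get, list and watch all return
# the data), so "read-only" would in practice mean "can read every credential
# in the namespace". Secrets and serviceaccounts are deliberately absent.
# ConfigMaps are included because the admin/user roles treat them as
# non-sensitive; if tenants put credentials in ConfigMaps, drop them here too.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tenant-viewer
  namespace: tenant-template
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps", "persistentvolumeclaims", "events", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
    verbs: ["get", "list", "watch"]
---
# Tenant Billing Admin Role - Billing management
# Read-only on workload objects only (no configmaps, no secrets): enough to
# count running pods/replicas for billing calculations, nothing more.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tenant-billing-admin
  namespace: tenant-template
rules:
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch"]  # Read-only for billing calculations
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["get", "list", "watch"]
---
# RoleBinding Template
# This would be created per tenant user.
#
# NOTE: This is a template file. USER_EMAIL_PLACEHOLDER should be replaced with
# the actual user identity when creating RoleBindings. Use the tenant RBAC
# automation script or controller to process this template.
#
# The automation should refuse to apply the unrendered template: applying it
# as-is creates a binding to a literal user named "USER_EMAIL_PLACEHOLDER",
# which is inert but pollutes the namespace and audit trail.
#
# roleRef is immutable once the RoleBinding exists; changing a user's role
# means deleting and recreating the binding, not patching roleRef.
#
# NOTE(review): the subject name must match exactly what the cluster's
# authenticator presents as the username for this user (for Azure AD / Entra
# integrated clusters this may be a UPN or an object ID depending on the
# cluster configuration) — confirm against the authentication setup before
# assuming an e-mail address is the right value.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tenant-user-binding-template
  namespace: tenant-template
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tenant-user  # Change based on user role (tenant-owner, tenant-admin, tenant-user, tenant-viewer, tenant-billing-admin)
subjects:
  - kind: User
    name: "USER_EMAIL_PLACEHOLDER"  # Replace with the actual user identity (e.g., user@example.com)
    apiGroup: rbac.authorization.k8s.io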