Cluster Policy Example

Policy on the cluster::/ realm lets a requestor with a valid access token read metrics on cluster resources, for example through the Cluster Dashboard. Without such a policy, cluster metrics cannot be viewed.

Cluster permissions

The permissions available on the cluster::/ realm are read and update. Granting permit all on this realm is equivalent to granting both:

on cluster::/ {
  {
    permit read
    permit update
  }
}

The update permission is reserved for future use. Assigning it has no effect.

Cluster example 1

The following policy grants all cluster permissions to members of the admin role:

on cluster::/ {
  if (role == "admin") {
    permit all
  }
}

Cluster example 2

The following policy grants all cluster permissions to any authenticated user:

on cluster::/ {
  { permit all }
}

Because the claim block has no condition, the policy applies to every requestor that presents a valid access token. To limit who can read cluster metrics, add a condition to the claim block (for example, on a role, as in example 1).

Cluster example 3

The Cluster Dashboard in the web console is intended to provide cluster-wide statistics (RAM and Disk). You cannot pick a particular namespace in this area of the UI.

Because the dashboard presents a view of the whole cluster, a user who needs to see the Resources statistics (RAM and Disk) on the Cluster screen needs permit read on the cluster::/ realm and also permit read on the job resource for the root namespace (job::/). Without the job::/ policy the statistics on the Cluster screen will be empty.

The following policy allows all authenticated users to view the Resources statistics on the Cluster screen:

on cluster::/ {
  { permit read }
}

on job::/ {
  { permit read }
}

Note that, because the job::/ claim block has no condition, the above policy also lets every authenticated user view every job in the cluster. To avoid that, put a condition on the job::/ claim block (for example, on a role), just as for cluster::/.
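The two points made by examples 2 and 3 (a claim block with no condition applies to every authenticated requestor, and the Cluster screen needs read on both cluster::/ and job::/) can be checked mechanically. The following Python is an added example, not the platform's own policy engine: a small parser and evaluator for policies written in the shape shown on this page. It assumes the simplified semantics stated in its comments (claims only add rights, permit all matches any permission, and a claim on a realm also covers resources beneath it), and the "ops" role in the hardened variant is a hypothetical name chosen for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Claim:
    realm: str
    condition: tuple        # (attribute, value), or None when unconditional
    permissions: frozenset  # names after `permit`; may contain "all"

TOKEN_RE = re.compile(r'\{|\}|\(|\)|==|"[^"]*"|[^\s{}()"]+')

def parse_policy(text: str) -> list:
    """Parse `on <realm> { [if (attr == "v")] { permit ... } ... }` blocks."""
    toks = TOKEN_RE.findall(text)
    claims, pos = [], 0

    def take(expected=None):        # consume one token, optionally checking it
        nonlocal pos
        if pos >= len(toks) or (expected is not None and toks[pos] != expected):
            raise ValueError(f"expected {expected or 'a token'} at token {pos}")
        pos += 1
        return toks[pos - 1]

    while pos < len(toks):
        take("on")
        realm = take()
        take("{")
        while toks[pos] != "}":         # one claim block per iteration
            condition = None
            if toks[pos] == "if":       # if (attr == "value")
                take("if"); take("(")
                attr = take(); take("==")
                condition = (attr, take().strip('"'))
                take(")")
            take("{")
            perms = set()
            while toks[pos] != "}":
                take("permit")
                perms.add(take())
            take("}")
            claims.append(Claim(realm, condition, frozenset(perms)))
        take("}")
    return claims

def permitted(claims, requestor: dict, realm: str, permission: str) -> bool:
    """True if some claim grants `permission` on `realm` to `requestor`."""
    # ASSUMPTIONS: claims only add rights (no deny), `permit all` matches any
    # permission, and a claim on job::/ also covers job::/prod beneath it.
    for claim in claims:
        if not realm.startswith(claim.realm):
            continue
        if claim.condition is not None:
            attr, value = claim.condition
            if requestor.get(attr) != value:
                continue                # condition not met: claim is silent
        if "all" in claim.permissions or permission in claim.permissions:
            return True
    return False

def can_view_cluster_stats(claims, requestor: dict) -> bool:
    """The Cluster screen needs read on cluster::/ AND read on job::/."""
    return (permitted(claims, requestor, "cluster::/", "read")
            and permitted(claims, requestor, "job::/", "read"))

# Example 1 from the page: all cluster permissions for the admin role only.
EXAMPLE_1 = """on cluster::/ {
  if (role == "admin") {
    permit all
  }
}"""

# Example 3 from the page: unconditional read on both realms, so every
# authenticated requestor sees the Cluster screen and every job.
EXAMPLE_3 = """on cluster::/ {
  { permit read }
}
on job::/ {
  { permit read }
}"""

# Hardened variant (added here, not from the page): the same two reads, each
# behind a condition, so only the hypothetical "ops" role sees the screen.
HARDENED = """on cluster::/ {
  if (role == "ops") { permit read }
}
on job::/ {
  if (role == "ops") { permit read }
}"""

if __name__ == "__main__":  # ops passes both; developer passes only the page's policy
    for who in ({"role": "ops"}, {"role": "developer"}):
        print(who["role"], can_view_cluster_stats(parse_policy(EXAMPLE_3), who),
              can_view_cluster_stats(parse_policy(HARDENED), who))
```

Running it directly compares the page's example 3 with the hardened variant for an ops and a developer requestor: only the hardened policy keeps the developer off the Cluster screen while still admitting ops. The parser accepts only the attr == "value" condition form the page uses.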