Add docs for new RBAC feature to access the instance namespace

TheBigLee · TheBigLee · commit c1e766655e16 · 2024-08-09T15:33:40.000+02:00
Signed-off-by: Nicolas Bigler &lt;nicolas.bigler@vshn.ch&gt;
diff --git a/docs/modules/ROOT/pages/vshn-managed/keycloak/security.adoc b/docs/modules/ROOT/pages/vshn-managed/keycloak/security.adoc
@@ -23,4 +23,35 @@ spec:
 ----
 
 <1> List of namespaces to be allowed to access Keycloak
-<2> Allows access to Keycloak from any namespace in the cluster. Supersedes `allowedNamespaces` if true.
+<2> Allows access to Keycloak from any namespace in the cluster. Supersedes `allowedNamespaces` if true.
+
+== Namespace RBAC
+
+On APPUiO Cloud, every member of the same organization to which the claim namespace belongs to has limited access to the namespace for debugging and port-fowarding.
+
+On APPUiO Managed, we don't have this construct and no RBAC rules are deployed by default.
+
+However, it is possible to specify a list of `Groups` or `Users`that should have that limited access to the namespace.
+This can be done using the two fields `allowedGroups` and `allowedUsers`:
+
+[source,yaml]
+----
+apiVersion: vshn.appcat.vshn.io/v1
+kind: VSHNKeycloak
+metadata:
+  name: keycloak-app1-prod
+  namespace: prod-app
+spec:
+  parameters:
+    security:
+      allowedGroups:  # <1>
+        - my-dev-engineers
+        - my-support-engineers
+      allowedGroups:  # <2>
+        - my-special-user
+  writeConnectionSecretToRef:
+    name: keycloak-creds-connection
+----
+
+<1> List of groups to be allowed limited access to the Keycloak namespace
+<2> List of users to be allowed limited access to the Keycloak namespace
diff --git a/docs/modules/ROOT/pages/vshn-managed/mariadb/security.adoc b/docs/modules/ROOT/pages/vshn-managed/mariadb/security.adoc
@@ -23,4 +23,35 @@ spec:
 ----
 
 <1> List of namespaces to be allowed to access MariaDB
-<2> Allows access to MariaDB from any namespace in the cluster. Supersedes `allowedNamespaces` if true.
+<2> Allows access to MariaDB from any namespace in the cluster. Supersedes `allowedNamespaces` if true.
+
+== Namespace RBAC
+
+On APPUiO Cloud, every member of the same organization to which the claim namespace belongs to has limited access to the namespace for debugging and port-fowarding.
+
+On APPUiO Managed, we don't have this construct and no RBAC rules are deployed by default.
+
+However, it is possible to specify a list of `Groups` or `Users`that should have that limited access to the namespace.
+This can be done using the two fields `allowedGroups` and `allowedUsers`:
+
+[source,yaml]
+----
+apiVersion: vshn.appcat.vshn.io/v1
+kind: VSHNMariaDB
+metadata:
+  name: mariadb-app1-prod
+  namespace: prod-app
+spec:
+  parameters:
+    security:
+      allowedGroups:  # <1>
+        - my-dev-engineers
+        - my-support-engineers
+      allowedGroups:  # <2>
+        - my-special-user
+  writeConnectionSecretToRef:
+    name: mariadb-creds-connection
+----
+
+<1> List of groups to be allowed limited access to the MariaDB namespace
+<2> List of users to be allowed limited access to the MariaDB namespace
diff --git a/docs/modules/ROOT/pages/vshn-managed/nextcloud/security.adoc b/docs/modules/ROOT/pages/vshn-managed/nextcloud/security.adoc
@@ -8,7 +8,7 @@ To access Nextcloud from other namespaces the service must be configured.
 [source,yaml]
 ----
 apiVersion: vshn.appcat.vshn.io/v1
-kind: VSHNKNextcloud
+kind: VSHNNextcloud
 metadata:
   name: nextcloud-app1-prod
   namespace: prod-app
@@ -23,4 +23,35 @@ spec:
 ----
 
 <1> List of namespaces to be allowed to access Nextcloud
-<2> Allows access to Nextcloud from any namespace in the cluster. Supersedes `allowedNamespaces` if true.
+<2> Allows access to Nextcloud from any namespace in the cluster. Supersedes `allowedNamespaces` if true.
+
+== Namespace RBAC
+
+On APPUiO Cloud, every member of the same organization to which the claim namespace belongs to has limited access to the namespace for debugging and port-fowarding.
+
+On APPUiO Managed, we don't have this construct and no RBAC rules are deployed by default.
+
+However, it is possible to specify a list of `Groups` or `Users`that should have that limited access to the namespace.
+This can be done using the two fields `allowedGroups` and `allowedUsers`:
+
+[source,yaml]
+----
+apiVersion: vshn.appcat.vshn.io/v1
+kind: VSHNNextcloud
+metadata:
+  name: nextcloud-app1-prod
+  namespace: prod-app
+spec:
+  parameters:
+    security:
+      allowedGroups:  # <1>
+        - my-dev-engineers
+        - my-support-engineers
+      allowedGroups:  # <2>
+        - my-special-user
+  writeConnectionSecretToRef:
+    name: nextcloud-creds-connection
+----
+
+<1> List of groups to be allowed limited access to the Nextcloud namespace
+<2> List of users to be allowed limited access to the Nextcloud namespace
diff --git a/docs/modules/ROOT/pages/vshn-managed/postgresql/security.adoc b/docs/modules/ROOT/pages/vshn-managed/postgresql/security.adoc
@@ -23,4 +23,35 @@ spec:
 ----
 
 <1> List of namespaces to be allowed to access PostgreSQL
-<2> Allows access to PostgreSQL from any namespace in the cluster. Supersedes `allowedNamespaces` if true.
+<2> Allows access to PostgreSQL from any namespace in the cluster. Supersedes `allowedNamespaces` if true.
+
+== Namespace RBAC
+
+On APPUiO Cloud, every member of the same organization to which the claim namespace belongs to has limited access to the namespace for debugging and port-fowarding.
+
+On APPUiO Managed, we don't have this construct and no RBAC rules are deployed by default.
+
+However, it is possible to specify a list of `Groups` or `Users`that should have that limited access to the namespace.
+This can be done using the two fields `allowedGroups` and `allowedUsers`:
+
+[source,yaml]
+----
+apiVersion: vshn.appcat.vshn.io/v1
+kind: VSHNPostgreSQL
+metadata:
+  name: postgres-app1-prod
+  namespace: prod-app
+spec:
+  parameters:
+    security:
+      allowedGroups:  # <1>
+        - my-dev-engineers
+        - my-support-engineers
+      allowedGroups:  # <2>
+        - my-special-user
+  writeConnectionSecretToRef:
+    name: postgres-creds-connection
+----
+
+<1> List of groups to be allowed limited access to the PostgreSQL namespace
+<2> List of users to be allowed limited access to the PostgreSQL namespace
diff --git a/docs/modules/ROOT/pages/vshn-managed/redis/security.adoc b/docs/modules/ROOT/pages/vshn-managed/redis/security.adoc
@@ -23,4 +23,35 @@ spec:
 ----
 
 <1> List of namespaces to be allowed to access Redis
-<2> Allows access to Redis from any namespace in the cluster. Supersedes `allowedNamespaces` if true.
+<2> Allows access to Redis from any namespace in the cluster. Supersedes `allowedNamespaces` if true.
+
+== Namespace RBAC
+
+On APPUiO Cloud, every member of the same organization to which the claim namespace belongs to has limited access to the namespace for debugging and port-fowarding.
+
+On APPUiO Managed, we don't have this construct and no RBAC rules are deployed by default.
+
+However, it is possible to specify a list of `Groups` or `Users`that should have that limited access to the namespace.
+This can be done using the two fields `allowedGroups` and `allowedUsers`:
+
+[source,yaml]
+----
+apiVersion: vshn.appcat.vshn.io/v1
+kind: VSHNRedis
+metadata:
+  name: redis-app1-prod
+  namespace: prod-app
+spec:
+  parameters:
+    security:
+      allowedGroups:  # <1>
+        - my-dev-engineers
+        - my-support-engineers
+      allowedGroups:  # <2>
+        - my-special-user
+  writeConnectionSecretToRef:
+    name: redis-creds-connection
+----
+
+<1> List of groups to be allowed limited access to the Redis namespace
+<2> List of users to be allowed limited access to the Redis namespace
