Kubernetes Cluster Roles
Cluster roles in Thalassa Cloud’s Kubernetes IAM system determine what users and teams can do in your Kubernetes clusters. You manage cluster roles centrally through the Thalassa Cloud platform, and Kubernetes integrates with the external Kubernetes IAM service.
Kubernetes IAM vs Kubernetes RBAC
Kubernetes IAM is Thalassa Cloud’s platform-level system for managing cluster access. Kubernetes integrates with the external Kubernetes IAM service. When you assign roles through Kubernetes IAM, Kubernetes queries the IAM service in real-time to determine user permissions. You manage access at the platform level; authorization happens through the integration between Kubernetes and Thalassa.
How Cluster Roles Work
You assign cluster roles to users or teams through the Thalassa Cloud Console or API. Thalassa Cloud stores these assignments in Kubernetes IAM, and Kubernetes integrates with the external IAM service. When users make requests to the cluster, Kubernetes queries the IAM service to determine permissions in real-time. Changes take effect immediately—no synchronization delay.
Three-Layer Access Control
Thalassa Cloud uses three layers for access control:
- Platform IAM - Controls access to Thalassa Cloud itself (creating clusters, using the console, managing infrastructure).
- Kubernetes IAM - Platform-level system for managing Kubernetes cluster access. You assign cluster roles here, and the platform handles the rest.
- Kubernetes RBAC - The native access control system inside clusters. For details about RBAC, see the Kubernetes RBAC documentation.
When you update permissions in Kubernetes IAM, Kubernetes queries the updated permissions from the IAM service in real-time for each request. Changes take effect immediately across all clusters.
Predefined and Custom Cluster Roles
Thalassa Cloud’s Kubernetes IAM includes several predefined cluster roles that map to standard Kubernetes ClusterRoles:
- cluster-admin: Full control over everything in the cluster. Maps to Kubernetes’ cluster-admin ClusterRole. Use rarely and only for trusted administrators.
- edit: Can change most resources, but not cluster security or RBAC. Maps to Kubernetes’ edit ClusterRole.
- view: Can see most resources, but can’t change them. Maps to Kubernetes’ view ClusterRole.
Cluster Admin Access
Only assign cluster-admin to trusted admins. It grants full control over the cluster, including the ability to modify RBAC and cluster configuration.
If none of the predefined roles fit your needs, you can create custom cluster roles using the Thalassa Cloud API. Custom roles let you define exactly what permissions users should have, and Thalassa Cloud will create the corresponding Kubernetes ClusterRole with those permissions. This gives you granular control while still managing access at the platform level.
Assigning Cluster Roles
In Kubernetes IAM, you assign cluster roles to users or teams through the Thalassa Cloud platform. When you make an assignment, Kubernetes will query the IAM service to enforce these permissions.
Assign via Console
- Open the Thalassa Cloud Console.
- Go to IAM → Kubernetes → Role Bindings.
- Click “Create Role Binding” or “Assign Role”.
- Choose a role (like view or cluster-admin), and pick which user or team to assign it to.
- Save. The change takes effect immediately in all clusters.
Assign via API
- Use the Thalassa Cloud API if you want to script or automate role assignments. See Thalassa Cloud’s API documentation for details.
- You’ll specify both the target user/team and the desired cluster role. The API creates the Kubernetes IAM assignment; Kubernetes then queries Thalassa Kubernetes IAM for authorization decisions based on that assignment.
How Kubernetes IAM Integrates with Clusters
Thalassa Cloud’s Kubernetes IAM uses the external Kubernetes IAM service. When you assign cluster roles through Kubernetes IAM, Kubernetes queries the Thalassa Cloud service to determine user permissions. This integration happens in real-time—there’s no synchronization delay because Kubernetes checks permissions directly with the IAM service for each request.
You don’t need to manage RBAC resources directly in clusters. Kubernetes delegates authentication and authorization to Thalassa Kubernetes IAM, ensuring consistent access control across all your clusters.
Verifying and Troubleshooting Access
After assigning cluster roles, verify access is working:
Check in Console: Navigate to IAM → Kubernetes → Role Bindings. Confirm role assignments appear for the correct team or user.
Validate in Cluster: Connect to a cluster and test that the integration is working:
Test permissions:
kubectl auth can-i get pods
kubectl auth can-i create deployments
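The manual checks above can be turned into a repeatable test of a role assignment. The following is an added example, not a Thalassa Cloud tool: assuming the current kubeconfig context already points at the cluster, it runs kubectl auth can-i for a constructed list of expected allow and deny results for a user holding the predefined view role (negative checks included) and reports any mismatch.

```python
import subprocess
from typing import Callable, Dict, List, Tuple

# Constructed expectations for a user holding the predefined "view" role:
# (verb, resource, expected_allowed). Deny checks matter as much as allow
# checks: a "view" user must NOT be able to create or delete workloads.
VIEW_EXPECTATIONS: List[Tuple[str, str, bool]] = [
    ("get", "pods", True),
    ("list", "deployments", True),
    ("create", "deployments", False),
    ("delete", "pods", False),
    ("create", "clusterrolebindings", False),
]


def run_kubectl_can_i(verb: str, resource: str, namespace: str) -> str:
    """Run `kubectl auth can-i VERB RESOURCE -n NAMESPACE`, return "yes"/"no".

    kubectl exits non-zero when the answer is "no", so the exit status is not
    treated as an error; only the printed answer is used.
    """
    cmd = ["kubectl", "auth", "can-i", verb, resource, "-n", namespace]
    result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return result.stdout.strip().lower()


def check_expectations(
    expectations: List[Tuple[str, str, bool]],
    namespace: str = "default",
    runner: Callable[[str, str, str], str] = run_kubectl_can_i,
) -> Dict[str, bool]:
    """Return {"VERB RESOURCE": ok}, ok=True when the cluster agreed with the
    expectation. `runner` is injectable so the logic can run without a cluster."""
    report: Dict[str, bool] = {}
    for verb, resource, expected in expectations:
        allowed = runner(verb, resource, namespace).startswith("yes")
        report[f"{verb} {resource}"] = allowed == expected
    return report


def mismatches(report: Dict[str, bool]) -> List[str]:
    """Checks whose real outcome differed from the expected one."""
    return [key for key, ok in report.items() if not ok]


if __name__ == "__main__":
    bad = mismatches(check_expectations(VIEW_EXPECTATIONS))
    for key in bad:
        print(f"MISMATCH: {key}")
    print("all checks passed" if not bad else "review the role assignment")
```

A non-empty mismatch list points at an assignment that is broader or narrower than intended and is the cue to re-check team membership and role bindings in the console.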
Troubleshooting Access Issues
If users can’t perform expected actions:
- Check team membership in the Thalassa Cloud console
- Verify the role assignment exists in Kubernetes IAM
- Ensure the user is authenticating correctly (especially if not using tcloud kubernetes connect)
- Remember: effective permissions are the union of all roles assigned through teams and individual assignments
Custom Roles
If predefined roles don’t fit your needs, you can create custom cluster roles using the Thalassa Cloud API. Custom roles let you define exactly what permissions users should have. The role definition follows standard Kubernetes RBAC format, specifying API groups, resources, and verbs. When you create a custom role through Kubernetes IAM, Kubernetes queries the IAM service to enforce these permissions.
For more information about Kubernetes RBAC concepts and how to define roles, see the official Kubernetes RBAC documentation.
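The two points made above, that a role is a list of RBAC rules over API groups, resources and verbs, and that a user’s effective permissions are the union of direct and team-based assignments, can be modelled offline. This is an added example and not Thalassa Cloud’s code: the predefined roles are deliberately simplified stand-ins for the real cluster-admin, edit and view ClusterRoles, and the teams and users are constructed.

```python
from typing import Dict, List, Set

# A role is a list of rules in standard Kubernetes RBAC form; "*" is a wildcard.
Rule = Dict[str, List[str]]

# Constructed, deliberately simplified stand-ins for the real cluster-admin/edit/
# view ClusterRoles (the real ones carry many more rules), plus one custom role.
ROLES: Dict[str, List[Rule]] = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "edit": [{"apiGroups": ["", "apps"], "resources": ["pods", "deployments"],
              "verbs": ["get", "list", "watch", "create", "update", "delete"]}],
    "view": [{"apiGroups": ["", "apps"], "resources": ["pods", "deployments"],
              "verbs": ["get", "list", "watch"]}],
    # Custom role in the same format: read-only access to Secrets only.
    "secret-reader": [{"apiGroups": [""], "resources": ["secrets"],
                       "verbs": ["get", "list"]}],
}

# Constructed assignments: team -> roles, user -> teams, user -> direct roles.
TEAM_ROLES: Dict[str, Set[str]] = {"platform": {"edit"}, "auditors": {"view"}}
USER_TEAMS: Dict[str, Set[str]] = {"alice": {"platform", "auditors"},
                                   "bob": {"auditors"}}
USER_ROLES: Dict[str, Set[str]] = {"bob": {"secret-reader"},
                                   "root": {"cluster-admin"}}


def _matches(allowed: List[str], value: str) -> bool:
    return "*" in allowed or value in allowed


def rule_allows(rule: Rule, verb: str, resource: str, api_group: str) -> bool:
    """One rule permits a request only if group, resource AND verb all match."""
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def effective_roles(user: str) -> Set[str]:
    """Union of directly assigned roles and roles inherited via team membership."""
    roles = set(USER_ROLES.get(user, set()))
    for team in USER_TEAMS.get(user, set()):
        roles |= TEAM_ROLES.get(team, set())
    return roles


def can_i(user: str, verb: str, resource: str, api_group: str = "") -> bool:
    """RBAC is allow-only (no deny rules): a request succeeds if ANY rule of ANY
    effective role matches, so troubleshooting must look at every team the user
    belongs to, not just the direct assignment."""
    return any(rule_allows(rule, verb, resource, api_group)
               for role in effective_roles(user)
               for rule in ROLES.get(role, []))
```

Namespaces and cluster-scoped resources are not modelled; the point is the rule-matching and union logic, which is what makes a surprising allow traceable to a specific team membership.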
Summary
Cluster roles in Thalassa Cloud’s Kubernetes IAM system provide a centralized way to manage access across all your Kubernetes clusters. The predefined roles cover most common use cases, while custom roles provide flexibility for specific requirements. Team-based assignments simplify management and scale well as your organisation grows.
For more information about the overall Kubernetes IAM system, see the Kubernetes IAM documentation. For details about managing teams and users, see the IAM documentation. For understanding how Kubernetes RBAC works inside clusters, see the Kubernetes RBAC documentation.