# Clusters with RBAC

Infra App is designed to work out of the box with RBAC-enabled environments. It assumes users have one of two roles:

* Full cluster access
* Single-namespace access

### Single-namespace access

#### Kubernetes configuration file

Infra App reads the `context` entry in the Kubernetes configuration file (KubeConfig) to determine which namespace it should attempt to load for the user. For example:

```yaml
- context:
    cluster: gke_test-cluster-abcdefg_us-central1-c_cluster-1
    namespace: default # This tells Infra App which namespace to use
    user: gke_test-cluster-abcdefg_us-central1-c_cluster-1
  name: gke_test-cluster-abcdefg_us-central1-c_cluster-1-single-namespace
```

#### Required RBAC Rules

The configuration below outlines the permissions Infra App needs for a single-namespace user. Note that Infra App will continue to work gracefully if users can't access the full list of resources.

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default #replace with your namespace
  name: example-role #replace with your role name
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "events", "services", "configmaps", "persistentvolumeclaims", "endpoints"]
  verbs: ["get", "watch", "list", "delete"]
- apiGroups: [""] # For pod shell access
  resources: ["pods/exec"]
  verbs: ["get", "watch", "create"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["extensions", "batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["extensions", "networking.k8s.io"] # For ingresses
  resources: ["ingresses"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["metrics.k8s.io"] # For metrics access
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```
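
To review what this Role allows once it is bound to a user, the added example below (not Infra App's own code) evaluates requests against the same rules and lists every grant that goes beyond read-only access. It is a simplified model of RBAC matching: exact or `*` matches only, no `resourceNames`, and it assumes a RoleBinding for the Role exists in the `default` namespace. The function names are hypothetical.

```python
# Added example: simplified model of Kubernetes RBAC rule matching.
# RULES is copied from the Role on this page; function names are hypothetical.
RULES = [
    {"apiGroups": [""],
     "resources": ["pods", "pods/log", "events", "services", "configmaps",
                   "persistentvolumeclaims", "endpoints"],
     "verbs": ["get", "watch", "list", "delete"]},
    {"apiGroups": [""], "resources": ["pods/exec"],
     "verbs": ["get", "watch", "create"]},
    {"apiGroups": ["extensions", "apps"],
     "resources": ["deployments", "replicasets", "statefulsets", "daemonsets"],
     "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["extensions", "batch"], "resources": ["jobs", "cronjobs"],
     "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["extensions", "networking.k8s.io"],
     "resources": ["ingresses"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["metrics.k8s.io"], "resources": ["pods"],
     "verbs": ["get", "watch", "list"]},
]
ROLE_NAMESPACE = "default"          # metadata.namespace of the Role
READ_ONLY = {"get", "watch", "list"}


def _matches(allowed_values, value):
    # A rule entry matches on "*" or an exact string; "pods" does NOT cover "pods/exec".
    return "*" in allowed_values or value in allowed_values


def allowed(verb, group, resource, namespace=ROLE_NAMESPACE, rules=RULES):
    """True if some rule grants verb on group/resource inside the Role's namespace."""
    if namespace != ROLE_NAMESPACE:  # a Role never applies outside its namespace
        return False
    return any(_matches(r["apiGroups"], group)
               and _matches(r["resources"], resource)
               and _matches(r["verbs"], verb) for r in rules)


def write_grants(rules=RULES):
    """Every (group, resource, verb) grant that is more than read-only."""
    return sorted((g or "core", res, v)
                  for r in rules for g in r["apiGroups"]
                  for res in r["resources"] for v in r["verbs"]
                  if v not in READ_ONLY)


if __name__ == "__main__":
    for grant in write_grants():
        print("write-capable grant:", grant)
    print("get secrets allowed:", allowed("get", "", "secrets"))
```

The write-capable grants it reports are `delete` on the core-group resources and `create` on `pods/exec`; everything else in the Role is read-only.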
