Group descriptions

This section describes the group definition, related properties, and RBAC.

Group properties

Groups are collections of resources. They are structured and have the following properties:

The group routes allow create, read, update, and delete operations on groups. See the swagger documentation for more details.

Static policies

For static groups, the policy field is treated as a list of modifications to perform. See the following example:

[
  [{"field": "uid", "equal": "ABCD_default_k8sPod_my-pod-1"}],
  [{"field": "uid", "equal": "ABCD_default_k8sPod_my-pod-2"}],
  [{"field": "uid", "not": true, "equal": "ABCD_default_k8sPod_my-pod-3"}]
]

In this policy, the resources whose uids are ABCD_default_k8sPod_my-pod-1 and ABCD_default_k8sPod_my-pod-2 are added to the group, and the resource whose uid is ABCD_default_k8sPod_my-pod-3 is removed from the group.

Note: Members are not added or removed dynamically. They are only added or removed at the time that the server processes the request. This processing is relatively quick, but might not occur immediately if the server is busy with other tasks.
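The following Python is an added example, not the product's own code: it applies a static policy in the format shown above to a group's membership set, treating a matcher with "not": true as a removal (as the text describes) and rejecting malformed matchers. The resource inventory, the helper names and that reading of "not" are assumptions made for the example.

```python
import json

# Constructed static policy in the documented format (valid JSON, no trailing comma).
STATIC_POLICY = json.loads("""
[
  [{"field": "uid", "equal": "ABCD_default_k8sPod_my-pod-1"}],
  [{"field": "uid", "equal": "ABCD_default_k8sPod_my-pod-2"}],
  [{"field": "uid", "not": true, "equal": "ABCD_default_k8sPod_my-pod-3"}]
]
""")

# Constructed resource inventory for the example: uid -> resource attributes.
RESOURCES = {
    "ABCD_default_k8sPod_my-pod-1": {"uid": "ABCD_default_k8sPod_my-pod-1", "kind": "k8sPod"},
    "ABCD_default_k8sPod_my-pod-2": {"uid": "ABCD_default_k8sPod_my-pod-2", "kind": "k8sPod"},
    "ABCD_default_k8sPod_my-pod-3": {"uid": "ABCD_default_k8sPod_my-pod-3", "kind": "k8sPod"},
    "ABCD_default_k8sPod_other":    {"uid": "ABCD_default_k8sPod_other",    "kind": "k8sPod"},
}


def matcher_hits(matcher, resource):
    """Hypothetical helper: True when the resource's field equals the matcher's value."""
    if "field" not in matcher or "equal" not in matcher:
        raise ValueError(f"malformed matcher: {matcher!r}")
    return resource.get(matcher["field"]) == matcher["equal"]


def apply_static_policy(policy, resources, members):
    """Return the membership set after applying every modification in order.

    Each modification is a list of matchers that must all hit the same resource.
    Assumption: a modification containing a matcher with "not": true removes the
    matched resources; otherwise it adds them. Resources that match nothing, and
    members whose uid is absent from the inventory, are left unchanged.
    """
    result = set(members)
    for modification in policy:
        remove = any(m.get("not") is True for m in modification)
        for uid, resource in resources.items():
            if all(matcher_hits(m, resource) for m in modification):
                if remove:
                    result.discard(uid)
                else:
                    result.add(uid)
    return result


if __name__ == "__main__":
    before = {"ABCD_default_k8sPod_my-pod-3", "ABCD_default_k8sPod_other"}
    print(sorted(apply_static_policy(STATIC_POLICY, RESOURCES, before)))
```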

Group RBAC

Both cluster administrators and account administrators have full access to groups. Team administrators and operators can only view the groups that their team has been granted access to. Groups are a mechanism for granting certain roles access to certain resources; each group has a Cloud Resource Name (CRN) in Identity and Access Management (IAM) that can be assigned to teams.

Table. Group Permissions

Role                   Create  Modify  Delete  View
Cluster Administrator  Yes     Yes     Yes     Yes
Account Administrator  Yes     Yes     Yes     Yes
Team Administrator     Yes     Yes*    Yes*    Yes*
Operator               No      No      No      Yes*
Viewer                 No      No      No      Yes*

Note: * indicates that access is limited to the groups that the user's teams are assigned to.