User management

You can manage users in the Cloudfleet console on the user management page.

You can invite your team members to your organization by entering their email addresses. You can also assign roles to users to control their access to your organization’s resources. For organizations requiring two-factor authentication (2FA) or centralized identity management, see Single Sign-On (SSO).

CFKE Security Model and Cloudfleet Roles

Cloudfleet provides two primitive roles to manage access to your organization’s resources:

  • Administrator
  • User

Administrators have full access to all resources in your organization. They can create and manage clusters, users, API tokens, and billing.

Users have limited access to your organization’s resources. They can only connect to clusters.

CFKE has full support for Kubernetes RBAC. When you create a user and grant them the Administrator or User role on Cloudfleet, this is translated in Kubernetes to the cluster-admin and view roles respectively.

After granting the baseline view role to a user, you can elevate this user’s permissions by granting additional roles in Kubernetes RBAC.

Granting additional permissions with Kubernetes RBAC

Users with the User role receive baseline view permissions across the cluster. To grant a user elevated permissions in a specific namespace, create a RoleBinding that maps their identity to a Kubernetes role.

For example, to grant a user edit permissions in the development namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-edit-binding
  namespace: development
subjects:
- kind: User
  name: user@example.com  # The user's email address (placeholder)
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit  # Built-in Kubernetes role with read/write access
  apiGroup: rbac.authorization.k8s.io

To grant the same permissions to all users in your organization, use a Group binding instead:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-edit-binding
  namespace: development
subjects:
- kind: Group
  name: system:authenticated  # Every authenticated identity, including service accounts
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io

Common built-in ClusterRoles you can reference:

  • view: Read-only access to most resources
  • edit: Read/write access to most resources in a namespace
  • admin: Full access within a namespace, including RBAC
  • cluster-admin: Full access to all resources (use with caution)
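
An audit check for the bindings described in this section, added here as an example and not part of Cloudfleet's documentation or tooling: it reads the JSON produced by `kubectl get rolebindings,clusterrolebindings -A -o json` and lists every subject elevated above the baseline view role, rating bindings to broad groups such as system:authenticated, or to cluster-admin, as high. The function name, severity labels and sample data are assumptions made for the example.

```python
import json

# Built-in ClusterRoles listed above, ordered by privilege; "view" is the baseline.
RANK = {"view": 0, "edit": 1, "admin": 2, "cluster-admin": 3}
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

def audit_bindings(binding_list):
    """Report every subject bound to something other than the baseline view role."""
    findings = []
    for item in binding_list.get("items", []):
        ref = item["roleRef"]
        # A namespaced Role that happens to be called "edit" is not the built-in one.
        rank = RANK.get(ref["name"]) if ref["kind"] == "ClusterRole" else None
        if rank == 0:
            continue  # baseline view: nothing was elevated
        scope = item["metadata"].get("namespace", "<cluster-wide>")
        for subj in item.get("subjects") or []:
            broad = subj["kind"] == "Group" and subj["name"] in BROAD_GROUPS
            if broad or rank == 3:
                severity = "high"
            elif rank is None:
                severity = "review"  # custom role: read its rules by hand
            else:
                severity = "info"
            findings.append((severity, scope, item["metadata"]["name"],
                             subj["name"], ref["name"]))
    return findings

# Constructed sample in the shape of the kubectl JSON list output
# (not taken from a real cluster; all names are placeholders).
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "developer-edit-binding", "namespace": "development"},
  "subjects": [{"kind": "User", "name": "user@example.com"}], "roleRef": {"kind": "ClusterRole", "name": "edit"}},
 {"metadata": {"name": "team-edit-binding", "namespace": "development"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}], "roleRef": {"kind": "ClusterRole", "name": "edit"}},
 {"metadata": {"name": "baseline-view"},
  "subjects": [{"kind": "User", "name": "viewer@example.com"}], "roleRef": {"kind": "ClusterRole", "name": "view"}},
 {"metadata": {"name": "ops-admin"},
  "subjects": [{"kind": "User", "name": "ops@example.com"}], "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
 {"metadata": {"name": "local-edit", "namespace": "staging"},
  "subjects": [{"kind": "User", "name": "user@example.com"}], "roleRef": {"kind": "Role", "name": "edit"}}
]}
""")

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE):
        print(*finding, sep="\t")
```
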

For more details on Kubernetes RBAC, see the Kubernetes RBAC documentation.

Invite a user

  1. Navigate to the user management page.
  2. Click the Invite button.
  3. Enter the email address of the user you want to invite.
  4. Click the Invite button.

The user will receive an email invitation to join your organization. Once they accept the invitation, they will be able to access your organization’s resources. New users are assigned the User role by default.