VM User Roles and Permissions
You must configure roles and role binding before any user, including you as administrator, can access Palette Virtual Machine Orchestrator (VMO). There are two sets of roles: Cluster Roles and Palette Roles, along with the required bindings configuration.
Palette provides the following four out-of-the-box Cluster roles for Palette Virtual Machine Orchestrator. The table also lists the corresponding Palette roles.
| Cluster Role | Description | Restrictions | Palette Role |
|---|---|---|---|
spectro-vm-admin | Has admin privileges to manage the Kubernetes cluster, VMs, and templates. | None | Cluster Admin or Editor Cluster Profile Admin or Editor Virtual Machine Admin |
spectro-vm-power-user | Can perform most VM operations, but does not handle infrastructure aspects. | Cannot manage or administer the Kubernetes cluster. Cannot manage or update VM templates. | Cluster Viewer Virtual Machine Power User |
spectro-vm-user | Primarily uses VMs created by others. | Cannot launch new VMs or clone existing ones. Cannot delete VMs. Cannot migrate VMs from one node to another. | Cluster Viewer Virtual Machine User |
spectro-vm-viewer | A view-only role. | Cannot perform any of the operations offered to the above users. | Cluster Viewer Virtual Machine Viewer |
These roles are currently only relevant to access Palette Virtual Machine Orchestrator APIs. To access the Virtual Machines console, users must have permissions to access the host clusters. These permissions can be granted through the default Kubernetes roles Admin/Editor/Viewer.
You can create additional roles based on the permissions granularity that Palette offers. Palette provides the ability to specify bindings to configure granular Role-Based Access Control (RBAC) rules.
You can configure namespaces and RBAC from within a cluster or from a Palette workspace that contains a cluster group. In a cluster group, all RoleBindings must occur at the namespace level. For details, review the Cluster RBAC and workspace RBAC guides.
Palette leverages Regex Pattern matching so you can select multiple namespaces to apply role bindings. Check out Regex for Namespaces to learn more.