The Multicluster Role Assignment Operator is a Kubernetes operator that manages role-based access control (RBAC) across multiple clusters in a multicluster environment. It provides a declarative way to assign cluster roles to users and groups across multiple managed clusters.
This operator simplifies the management of RBAC policies in multicluster environments by providing:
- Centralized RBAC Management: Define role assignments once and apply them across multiple clusters
- Flexible Cluster Selection: Target specific clusters for role assignments
- Namespace-scoped Permissions: Control access to specific namespaces within target clusters
- Declarative Configuration: Use Kubernetes custom resources to define and manage role assignments
- Status Reporting: Monitor the status of role assignments across all target clusters
Creating MulticlusterRoleAssignment resources will create ClusterPermission resources which in turn creates the RBAC resources in the targeted managed clusters. The RBAC resources can be ClusterRoleBinding or RoleBinding. For more information on ClusterPermission resources, refer to the ClusterPermission repo.
- Kubernetes cluster (1.25+)
- Open Cluster Management hub cluster
- Managed clusters registered with the hub
kubectlconfigured to access your cluster
-
Install the operator:
kubectl apply -k config/default
-
Verify the installation:
kubectl get pods -n multicluster-role-assignment-system
Create a MulticlusterRoleAssignment to grant a user view access to specific clusters:
apiVersion: rbac.open-cluster-management.io/v1alpha1
kind: MulticlusterRoleAssignment
metadata:
name: developer-view-access
namespace: open-cluster-management-global-set
spec:
subject:
kind: User
name: jane.developer
apiGroup: rbac.authorization.k8s.io
roleAssignments:
- name: view-access
clusterRole: view
targetNamespaces:
- development
- staging
clusterSelection:
type: clusterNames
clusterNames:
- cluster-east
- cluster-westThis example:
- Grants the user
jane.developertheviewcluster role - Applies the role to the
developmentandstagingnamespaces - Targets the
cluster-eastandcluster-westmanaged clusters
The MulticlusterRoleAssignment custom resource defines role assignments across multiple clusters. The referenced role must exist on the managed clusters.
| Field | Type | Description | Required |
|---|---|---|---|
subject |
rbacv1.Subject |
The user or group for the role assignment | Yes |
roleAssignments |
[]RoleAssignment |
List of role assignments for different clusters | Yes |
| Field | Type | Description | Required |
|---|---|---|---|
name |
string |
Name of the role assignment | Yes |
clusterRole |
string |
Name of the cluster role to assign | Yes |
targetNamespaces |
[]string |
Namespaces to apply the role (all if empty) | No |
clusterSelection |
ClusterSelection |
Cluster selection criteria | Yes |
| Field | Type | Description | Required |
|---|---|---|---|
type |
string |
Type of cluster selection (currently only clusterNames) |
Yes |
clusterNames |
[]string |
List of cluster names to target | Yes |
The operator reports the status of each role assignment, including:
- Overall conditions for the
MulticlusterRoleAssignment - Individual status for each role assignment (Pending, Active, Error)
- Detailed messages for troubleshooting
apiVersion: rbac.open-cluster-management.io/v1alpha1
kind: MulticlusterRoleAssignment
metadata:
name: admin-multi-role
spec:
subject:
kind: User
name: admin-user
apiGroup: rbac.authorization.k8s.io
roleAssignments:
- name: prod-admin
clusterRole: admin
targetNamespaces:
- production
clusterSelection:
type: clusterNames
clusterNames:
- prod-cluster-1
- prod-cluster-2
- name: dev-edit
clusterRole: edit
targetNamespaces:
- development
clusterSelection:
type: clusterNames
clusterNames:
- dev-cluster-1- Go 1.24+
- Kubernetes cluster for testing
-
Clone the repository:
git clone https://github.com/stolostron/multicluster-role-assignment.git cd multicluster-role-assignment -
Install dependencies:
go mod download
-
Run tests:
make test -
Run the operator locally:
make install run
-
Build the operator image:
make docker-build IMG=<your-registry>/multicluster-role-assignment:latest
-
Push the image:
make docker-push IMG=<your-registry>/multicluster-role-assignment:latest
-
Deploy to cluster:
make deploy IMG=<your-registry>/multicluster-role-assignment:latest
make help- Display available make targetsmake test- Run unit testsmake build- Build the operator binarymake docker-build- Build the container imagemake install- Install CRDs to the clustermake deploy- Deploy the operator to the clustermake undeploy- Remove the operator from the clustermake manifests- Generate CRD and RBAC manifestsmake generate- Generate code (DeepCopy methods)
We welcome contributions! Please see our Contributing Guidelines for details on:
- Code of conduct
- Development process
- Submitting pull requests
- Reporting issues
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests for new functionality
- Run the test suite
- Submit a pull request
-
Role assignments not appearing on target clusters:
- Verify the target clusters are registered as ManagedClusters
- Check the operator logs for connection issues
- Ensure the specified cluster names match the ManagedCluster names
-
Permission denied errors:
- Verify the operator has the necessary RBAC permissions
- Check that the target cluster roles exist
- Ensure the subject (user/group/SA) is valid
-
Status shows "Error" for role assignments:
- Check the detailed message in the status
- Verify network connectivity to target clusters
- Ensure the target namespaces exist
- The operator requires cluster-admin privileges to manage RBAC across clusters
- Role assignments are applied with the permissions of the operator's service account
- Ensure proper network policies and access controls are in place
- Regularly audit role assignments and their usage