initial work for byoc

This commit is contained in:
Ben 2024-04-24 14:14:08 +00:00
parent 88dbeb21a8
commit 49cf1cd3d4
3 changed files with 88 additions and 7 deletions

View File

@ -7,8 +7,8 @@ Tiered RBAC is a suite of features that improves Coder's security posture for hi
This includes:
- Organizations
- Service Accounts
- Custom Roles
- Custom Token Scopes
## Organizations
@ -21,6 +21,10 @@ There are several use cases for this:
Users can belong to multiple organizations. Workspaces, templates, provisioners, and groups are scoped to a single organization.
## Service Accounts
Service accounts can be used for CI jobs, third-party integrations, and other automation. Unlike other accounts in Coder, service accounts do not consume a license seat or have an OIDC/password login method, so they cannot be used to log in to the Coder UI.
## Custom Roles
Custom roles can be created to give users a granular set of permissions within the Coder deployment or organization.
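Review bot: the new Service Accounts paragraph states what service accounts cannot do (no license seat, no OIDC/password login, no UI login) but not how they do authenticate or how that credential is managed, which is the part an operator needs for a security review. Suggest adding a sentence after "so they cannot be used to log in to the Coder UI." naming the credential they use (the "Custom Token Scopes" section below implies a token) and pointing to where it is issued, rotated and revoked, so that a leaked service-account credential has a documented containment step. The same paragraph should also say whether service-account actions appear in the audit log, since the "Custom Roles" section immediately below uses audit-log access as its compliance example.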
@ -28,12 +32,19 @@ Custom roles can be created to give users a granular set of permissions within t
There are several cases for this:
- The "Banking Compliance Auditor" custom role cannot create workspaces, but can read template source code and view audit logs
- The "Team Lead" role can access user workspaces for trobuleshooting but cannot edit templates
- The "Team Lead" role can access user workspaces for troubleshooting purposes, but cannot edit templates
- The "Platform Member" role cannot edit or create workspaces as they are created via a third-party system
## Custom Token Scopes
Custom roles can also be applied to service accounts:
Custom Token scopes are functionally the same as custom roles, but are designed for service accounts and CI jobs
- A "Health Check" role can view deployment status but cannot create workspaces, manage templates, or view users
- A "CI" role can update manage templates but cannot create workspaces or view users
- A "Health Check" token can view deployment status but cannot create workspaces, manage templates, or view users
- A "CI" token can update manage templates but cannot create workspaces or view users
---
### Recipes
Learn how to use tiered RBAC with concrete examples.
- [Bring your own cluster](#): Allow different groups to bring their own Kubernetes cluster into Coder, or optionally build their own templates on entirely different infrastructure.
- [Shared workspaces](#): Allow users to share workspaces with other users in the same organization.
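Review bot: the replacement line `- A "CI" token can update manage templates but cannot create workspaces or view users` carries the "update manage templates" wording over from the removed line, so the typo from the old text is preserved in the new one; it should read either "update templates" or "manage templates". In the same hunk the new intro sentence `Custom Token scopes are functionally the same as custom roles, but are designed for service accounts and CI jobs` lacks a terminating period and its capitalisation ("Token scopes") does not match the heading "Custom Token Scopes". Under "Recipes", both links are `(#)` placeholders; the byoc guide is added in this same commit, so the first entry can already point at `./guides/byoc.md` rather than shipping a dead anchor.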

View File

@ -0,0 +1,57 @@
# Bring your own cluster
Allow different groups to bring their own Kubernetes cluster into Coder, or optionally build their own templates on entirely different infrastructure.
## Prerequisites
- A Coder deployment with [tiered RBAC](../README.md) enabled
## Tutorial
Not inside a list:
<div class="tabs">
## UI
## CLI
## HCL
```hcl
provider "coderd" {}
resource "coderd_organization" {
name = "data-science"
description = "Lorem ipsum"
}
```
</div>
Text below it
1. Inside a list
<div class="tabs">
## UI
## CLI
## HCL
```hcl
provider "coderd" {}
resource "coderd_organization" {
name = "data-science"
description = "Lorem ipsum"
}
```
</div>
For optimal auditing and self-service, we recommend managing organizations with infrastructure as code (HCL).
1. idk
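Review bot: the `coderd_organization` resource block is missing its second label, so the HCL as written will not parse: Terraform resource blocks require both a type and a name, i.e. `resource "coderd_organization" "data_science" {`. Both copies of the block (inside and outside the list) have the same defect, and both use `description = "Lorem ipsum"`; a real description is cheap and the duplicated block could be reduced to one. The file also still contains scaffolding text ("Not inside a list:", "Text below it", "1. idk") and empty "UI" and "CLI" tabs, which is fine for a WIP commit but should not merge. Finally, the guide is titled "Bring your own cluster" yet the tutorial only creates an organization; nothing yet explains how a group's Kubernetes cluster is attached, which (per the README hunk above) is done with organization-scoped provisioners, so that step and the permission it requires are the core of the recipe and are currently absent.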

View File

@ -1,5 +1,7 @@
{
"versions": ["main"],
"versions": [
"main"
],
"routes": [
{
"title": "About",
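Review bot: the change from `"versions": ["main"],` to the three-line form is whitespace-only and unrelated to the byoc work; mixing a formatter-style reflow into a content commit makes the manifest diff noisier than it needs to be. Suggest either dropping this hunk or landing it in its own commit so the navigation change below stands alone.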
@ -328,6 +330,17 @@
"path": "./admin/README.md",
"icon_path": "./images/icons/wrench.svg",
"children": [
{
"title": "Tiered RBAC",
"description": "Granular access control",
"path": "./admin/rabbit/README.md",
"children": [
{
"title": "Bring Your Own Cluster",
"path": "./admin/rabbit/guides/byoc.md"
}
]
},
{
"title": "Authentication",
"description": "Learn how to set up authentication using GitHub or OpenID Connect",
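Review bot: the new navigation entries use the directory `./admin/rabbit/` for a feature titled "Tiered RBAC"; unless "rabbit" is an intentional codename, the path should be `./admin/rbac/` (or similar) before other pages link to it, since renaming a docs directory after publication breaks inbound URLs. The "Bring Your Own Cluster" child also lacks a `"description"` field while its sibling entries ("Tiered RBAC", "Authentication") each have one; add a short description for consistency with the rest of the manifest.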