Custom ClusterRoleBindings

Our NETWAYS Managed Kubernetes clusters are provisioned with predefined ClusterRoleBindings that assign NWS‑ID user groups to the appropriate roles.

If more specific permissions are required, custom NWS‑ID groups can be assigned to individual roles via ClusterRoleBindings.

A custom group receives the authentication token via the custom role, which is set in the Permission Settings of the user group (in the Customer Center).

After activation, the users are added to the Kubernetes group <organization-id>-<groupname> (e.g. 12345-myGroup).

  1. Retrieve your groups with kubectl auth whoami and check whether the custom group is listed.

    Warning

    You may need to delete cached kubectl tokens with the following command:

    kubectl oidc-login get-token --force-refresh
    
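  2. Create a new ClusterRoleBinding in the desired cluster. In the example below, the group 12345-myGroup is assigned the cluster-admin role; in the subject, the group name is written with the nwsid-group: prefix. cluster-admin is the built-in ClusterRole with unrestricted access to the cluster, so reference a narrower ClusterRole in roleRef where that is sufficient: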

    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: myCustomBinding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: Group
        name: nwsid-group:12345-myGroup
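
To review which NWS‑ID groups end up bound to cluster-admin after bindings like the one above are created, the following added example (not part of the NETWAYS documentation) parses output shaped like kubectl get clusterrolebindings -o json. The function name, the HIGH_PRIVILEGE_ROLES set and every sample entry other than myCustomBinding are assumptions made for illustration.

```python
import json

# Prefix the page's example uses for NWS-ID groups in RBAC subjects.
GROUP_PREFIX = "nwsid-group:"
# ClusterRoles treated as high-privilege here (an assumption; extend as needed).
HIGH_PRIVILEGE_ROLES = {"cluster-admin"}


def nwsid_group_bindings(binding_list):
    """Return one record per NWS-ID group subject in a ClusterRoleBinding list."""
    records = []
    for item in binding_list.get("items", []):
        role = item.get("roleRef", {})
        # 'subjects' may be absent or null on a binding without subjects.
        for subject in item.get("subjects") or []:
            name = subject.get("name", "")
            if subject.get("kind") != "Group" or not name.startswith(GROUP_PREFIX):
                continue
            records.append({
                "binding": item["metadata"]["name"],
                "group": name[len(GROUP_PREFIX):],
                "role": role.get("name", ""),
                "high_privilege": role.get("kind") == "ClusterRole"
                and role.get("name") in HIGH_PRIVILEGE_ROLES,
            })
    return records


# Constructed sample shaped like `kubectl get clusterrolebindings -o json`;
# only myCustomBinding comes from the page, the other entries are made up.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "myCustomBinding"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "nwsid-group:12345-myGroup"}]},
  {"metadata": {"name": "example-readonly"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "nwsid-group:12345-auditors"}]},
  {"metadata": {"name": "example-no-subjects"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": null}
]}
""")

if __name__ == "__main__":
    for rec in nwsid_group_bindings(SAMPLE):
        flag = "HIGH" if rec["high_privilege"] else "ok"
        print(f'{flag:4} {rec["group"]:20} -> {rec["role"]} (binding {rec["binding"]})')
```

Against a real cluster, replace SAMPLE with the parsed output of kubectl get clusterrolebindings -o json.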