IAM and Role-Based Access Control

KKP components use OpenID Connect (OIDC) protocol for authentication and RBAC for authorization. By default, KKP provides Dex as OIDC provider, but you can configure your own provider. For more information, please refer to the OIDC provider chapter.

Authentication with Dex

Dex is an identity service that uses OIDC to drive authentication for KKP components. It acts as a portal to other identity providers through connectors. This lets Dex defer authentication to these connectors. Multiple connectors may be configured at the same time. Most popular are:

Check out the Dex documentation for a list of available providers and how to setup their configuration.

To configure Dex connectors, edit .dex.connectors in the values.yaml

Example to update or set up Github connector:

    - type: github
        id: github
        name: GitHub
        clientID: <client_id>
        clientSecret: <client_secret>
        redirectURI: https://<your-kkp.domain>/dex/callback
        - name: <your-github-org>

And apply the changes to the cluster:

./kubermatic-installer deploy --config kubermatic.yaml --helm-values values.yaml


Authorization is managed at multiple levels to ensure users only have access to authorized resources. KKP uses its own authorization system to control access to various resources within the platform, including projects and clusters. Administrators and project owners define and manage these policies and provide specific access control rules for users and groups.

The Kubernetes Role-Based Access Control (RBAC) system is also used to control access to user cluster level resources, such as namespaces, pods, and services. Please refer to Cluster Access to configure RBAC.

Kubermatic Kubernetes Platform (KKP) Users

There are two kinds of users in KKP: admin and non-admin users.

Admin users can manage settings that impact the whole Kubermatic installation and users. For example, they can set default values for cluster creation, like the number of machine Deployment’s replica or enforce some integrations, like Monitoring and logging stack on user clusters. All these settings are explained in detail in the Administration chapter. Moreover, KKP admins have access to all projects.

On the other hand, non-admin users only have access to the projects they are granted. The KKP role they are associated with determines their access level.

KKP Roles

A project is an entity that logically groups various resources. All resources in a project can be accessed by users that have the correct role associated with them. Affiliation of a user to one of the roles gives them certain powers they are allowed to use within a project.

There are three roles: owner, editor, and viewer. These roles are concentric; that is, the owner role includes the permissions of the editor role, and the editor role includes the permissions of the viewer role.

  • viewer: read-only access to see project resources
  • editor: can see the project content that the viewer can view and additionally can create, edit and delete clusters in the project
  • owner: can do everything that the editor can do and additionally manage permissions for the project

The following table summarizes the permissions

cluster 1RORWRW
cluster nodes (machineDeployment)RORWRW
K8s Dashboardpermission relies on Kubernetes cluster rbacpermission relies on Kubernetes cluster rbacpermission relies on Kubernetes cluster rbac
Web terminalXpermission relies on Kubernetes cluster rbacpermission relies on Kubernetes cluster rbac
RBAC (cluster)XRORO
system applicationsListRWRW
OPA Default ConstraintsListListList
OPA ConstraintsRORWRW
OPA Gatekeeper configRORWRW
MLA AlertManager configRORWRW
MLA Grafana UIgrafana organization viewergrafana organization editorgrafana organization editor
MLA alertermanager UIRWRWRW
project’s membersXXRW
project’s groupsXXRW
project’s service accountXXRW
etcd automatic backupRORWRW
etcd snapshotRORWRW
etcd restoreRORWRW
cluster TemplateRORWRW

KKP Service Accounts

A service account is a special type of user account that belongs to the KKP project, instead of to an individual end-user. A service account is considered as project’s resource. Only the owner of a project can create and update a service account. There is no need to create new groups for service accounts. It’s assigned to one of the already defined groups: editors or viewers.

  1. even owner can not change the settings enforced for the whole KKP installation. ↩︎