Skip to content


Within workspaces, KCP implements the same RBAC-based authorization mechanism as Kubernetes. Other authorization schemes (i.e. ABAC) are not supported. Generally, the same (cluster) role and (cluster) role binding principles apply exactly as in Kubernetes.

In addition, additional RBAC semantics is implemented cross-workspaces, namely the following:

  • Top-Level Organization access: the user must have this as pre-requisite to access any other workspace, or is even member and by that can create workspaces inside the organization workspace.
  • Workspace Content access: the user needs access to a workspace or is even admin.
  • for some resources, additional permission checks are performed, not represented by local or Kubernetes standard RBAC rules. E.g.
  • workspace creation checks for organization membership (see above).
  • workspace creation checks for use verb on the WorkspaceType.
  • API binding via APIBinding objects requires verb bind access to the corresponding APIExport.
  • System Workspaces access: system workspaces are prefixed with system: and are not accessible by users.

The details are outlined below.


The following authorizers are configured in kcp:

Authorizer Description
Top-Level organization authorizer checks that the user is allowed to access the organization
Workspace content authorizer determines additional groups a user gets inside of a workspace
Maximal permission policy authorizer validates the maximal permission policy RBAC policy in the API exporter workspace
Local Policy authorizer validates the RBAC policy in the workspace that is accessed
Kubernetes Bootstrap Policy authorizer validates the RBAC Kubernetes standard policy

They are related in the following way:

  1. top-level organization authorizer must allow
  2. workspace content authorizer must allow, and adds additional (virtual per-request) groups to the request user influencing the follow authorizers.
  3. maximal permission policy authorizer must allow
  4. one of the local authorizer or bootstrap policy authorizer must allow.
                                                                                 │              │
                                                                           ┌────►│ Local Policy ├──┐
          ┌──────────────┐     ┌──────────────┐    ┌───────────────────┐   │     │ authorizer   │  │
 request  │  Workspace   │     │  Required    │    │ Max. Permission   │   │     │              │  │
─────────►│  Content     ├────►│  Groups      ├────┤ Policy authorizer ├───┤     └──────────────┘  │
          │  Authorizer  │     │  Authorizer  │    │                   │   │                       ▼
          └──────────────┘     └──────────────┘    └───────────────────┘   │                       OR───►
                                                                           │     ┌──────────────┐  ▲
                                                                           │     │  Bootstrap   │  │
                                                                           └────►│  Policy      ├──┘
                                                                                 │  authorizer  │
                                                                                 │              │

ASCIIFlow document

Workspace Content authorizer

The workspace content authorizer checks whether the user is granted access to the workspace. Access is granted access through verb=access non-resource permission to / inside of the workspace.

The ClusterRole system:kcp:workspace:access is pre-defined which makes it easy to give a user access through a ClusterRoleBinding inside of the workspace.

For example, to give a user user1 access, create the following ClusterRoleBinding:

kind: ClusterRoleBinding
  name: example-access
- kind: User
  name: user1
  kind: ClusterRole
  name: system:kcp:workspace:access

To give a user user1 admin access, create the following ClusterRoleBinding:

kind: ClusterRoleBinding
  name: example-admin
- kind: User
  name: user1
  kind: ClusterRole
  name: cluster-admin

A service-account defined in a workspace implicitly is granted access to it.

A service-account defined in a differant workspace is NOT given access to it.

Required Groups Authorizer

A annotation can be added to a LogicalCluster to specify additional groups that are required to access a workspace for a user to be member of. The syntax is a disjunction (separator ,) of conjunctions (separator ;).

For example, <group1>;<group2>,<group3> means that a user must be member of <group1> AND <group2>, OR of <group3>.

The annotation is copied onto sub-workspaces during scheduling.

Initializing Workspaces

By default, workspaces are only accessible to a user if they are in Ready phase. Workspaces that are initializing can be access only by users that are granted admin verb on the workspaces/content resource in the parent workspace.

Service accounts declared within a workspace don't have access to initializing workspaces.

Maximal permission policy authorizer

If the requested resource type is part of an API binding, then this authorizer verifies that the request is not exceeding the maximum permission policy of the related API export. Currently, the "local policy" maximum permission policy type is supported.

Local policy

The local maximum permission policy delegates the decision to the RBAC of the related API export. To distinguish between local RBAC role bindings in that workspace and those for this these maximum permission policy, every name and group is prefixed with


Given an API binding for type foo declared in workspace consumer that refers to an API export declared in workspace provider and a user user-1 having the group group-1 requesting a create of foo in the default namespace in the consumer workspace, this authorizer verifies that user-1 is allowed to execute this request by delegating to provider's RBAC using prefixed attributes.

Here, this authorizer prepends the prefix to the username and all groups the user belongs to. Using prefixed attributes prevents RBAC collisions i.e. if user-1 is granted to execute requests within the provider workspace directly.

For the given example RBAC request looks as follows:

  • Username:
  • Group:
  • Resource: foo
  • Namespace: default
  • Workspace: provider
  • Verb: create

The following role and role binding declared within the provider workspace will grant access to the request:

kind: Role
  name: foo-creator
  clusterName: provider
- apiGroups:
  - foo.api
  - foos
  - create
kind: RoleBinding
  name: user-1-foo-creator
  namespace: default
  clusterName: provider
- kind: User
  kind: Role
  name: foo-creator


The same authorization scheme is enforced when executing the request of a claimed resource via the virtual API Export API server, i.e. a claimed resource is bound to the same maximal permission policy. Only the actual owner of that resources can go beyond that policy.

TBD: Example

Kubernetes Bootstrap Policy authorizer

The bootstrap policy authorizer works just like the local authorizer but references RBAC rules defined in the system:admin system workspace.

Local Policy authorizer

Once the top-level organization authorizer and the workspace content authorizer granted access to a workspace, RBAC rules contained in the workspace derived from the request context are evaluated.

This authorizer ensures that RBAC rules contained within a workspace are being applied and work just like in a regular Kubernetes cluster.


Groups added by the workspace content authorizer can be used for role bindings in that workspace.

It is possible to bind to roles and cluster roles in the bootstrap policy from a local policy RoleBinding or ClusterRoleBinding.

Service Accounts

Kubernetes service accounts are granted access to the workspaces they are defined in and that are ready.

E.g. a service account "default" in root:org:ws:ws is granted access to root:org:ws:ws, and through the workspace content authorizer it gains the system:kcp:clusterworkspace:access group membership.