Fleets Permission and Cluster Access Management

Fleet overview #

A users must request a Fleet by raising a Knox Pumi request. refer to Kosmos onboarding guide A member of the Kosmos team will set up the Fleet and assign the appropriate quota based on your needs.

Requesting a fleet #

• You must have a Corp-AD account.
• Request a Fleet and Devspaces .

Once assigned, the Fleet will appear in your Kosmos account. Visit: https://console.kosmos.spcplatform.com/fleets

Fleet management #

Kosmos UI does not allow you to create or delete Fleets, but it does provide management capabilities for:

• Members Fleet members are users assigned by Kosmos Admins. You cannot add users yourself, but you can assign existing members to Fleet roles. To request new members, use: JIRA TICKET .

• Permissions Two ways to manage Fleet permissions:

  • Users → Assign Fleet roles to specific users.
  • Teams → Assign Fleet roles to Fleet Teams.

• Cluster Access

• Labels

Fleet info #

Click on a Fleet name to access the Fleet Info Dashboard, which includes:

• Clusters → List of all clusters in your Fleet.

• Cluster Roles → Set of cluster-wide permissions (like Kubernetes ClusterRole).

• Teams → Logical groups of users assigned access to multiple clusters or vclusters.

• Fleet Roles → Multi-cluster RBAC roles.

  • fleet-admin → Full access (all resources, all verbs).
  • fleet-editor → Create namespaces, deploy workloads, but limited cluster management.
  • fleet-viewer → Read-only access.
  • custom-fleet-role → Define your own permissions.

• Config → For details on Fleet policy, refer policy operator documentaion .

• Policy → For details on Fleet policy, refer policy operator documentaion .

• Labels → Key/value tags for organizing clusters. (e.g., env=dev, region=us-west, team=payments).

• OIDC → Integration with identity providers (MKS, GKE, Azure AD, EKS).

Fleet members management #

Add members #

1. Login to https://console.kosmos.spcplatform.com/dashboard .
2. Click Fleets in the left navigation panel.
3. Select your Fleet.

   

4. Click Edit Fleet.

   

5. In the Edit Fleet module, go to Members → Default Fleet Role.
6. Choose the desired role and click Add Users.

   

7. Select the user from the list, then click Update Fleet to save.

   

Edit members #

1. Click Fleets → select the Fleet.

2. Click the three dots (⋮) → Edit.

3. In Members section, you can:

   • Change the Default Fleet Role (dropdown).
   • Add users via Add User.

4. Save changes with Update Fleet.

Delete members #

1. Go to Fleets → select Fleet.
2. Click the three dots (⋮) → Edit.
3. In Members section, find the user to remove.
4. Click the Delete icon .
5. Save with Update Fleet.

FleetTeam management #

FleetTeams organize users, groups, and resources for easier access management across Fleets. Instead of assigning users directly to clusters, assign them to a FleetTeam, and the team inherits the permissions.

Create a FleetTeam #

1. Go to Fleet dashboard → select a Fleet.

   

2. Open the Teams tab.

   

3. Click Add Team.

   

4. Enter Team Name and Description.

   

5. Add members in the Team Members section.

   

6. Click Save.

   

Edit FleetTeam #

1. Open the Teams tab in your Fleet.
2. Click ⋮ → Edit.

   

3. Update details and click Save.

   

Delete FleetTeam #

1. Go to Fleets → select Fleet.
2. Open the Teams tab.
3. Select a FleetTeam (checkbox).
4. Click Delete → Confirm by entering Fleet name.

   

Note: If the deleted team still appears, refresh the page.

FleetRole management #

A FleetRole defines the actions users or teams can perform on fleet resources, such as FleetTeam, FleetClusterRoleTemplate, or EKSCluster. It primarily controls access to fleet metadata, for example viewing clusters or editing cluster specifications.

They work with:

• Fleet teams → who can act.
• Fleet labels → where they can act.
• Fleet roles → what they can do.

Predefined fleet roles #

• fleet-admin → Full access across all clusters.
• fleet-editor → Create/update workloads (limited admin rights).
• fleet-viewer → Read-only access.
• custom-fleet-role → Define your own verbs/resources.

Create a FleetRole #

1. Open Fleets → select Fleet.

   

2. Click the Fleet roles tab.

   

3. Click Add Fleet Role.

   

4. Enter Name and Description.

   

5. Add rules (resources + verbs). Example:

   • Create/list/delete → pods, services, deployments.

     

6. Click Save.

Delete a FleetRole #

1. Open Fleet roles tab.
2. Select the FleetRole → Click Delete.

   

3. Confirm by typing the FleetRole name → Click Delete.

   

Editing fleet permissions using YAML editor #

You can manage fleet permissions directly through the YAML editor.

1. In the Fleet list, click the three dots menu on the right side of your desired Fleet.

2. Select Show YAML.

   

3. The YAML editor window will open.

4. Make the necessary changes to update memberships or permissions.

5. Click the Update button to save your changes.

   

In this section

• Fleets Config Management
• Fleets Policy Management
  • Discover
  • Get Started
  • Best Practices
  • Apply Policies
  • Maintain Policies
  • Troubleshoot
  • References
  • Test Coverage

Edit this page on GitHub