Restrict access to specific users and groups
Restrict Che access to specific users and groups so that you can enforce access policies and limit the platform to authorized teams.
-
An active
kubectlsession with administrative permissions to the destination Kubernetes cluster. See Overview of kubectl.
-
Configure the
CheClusterCustom Resource. See Using the CLI to configure the CheCluster Custom Resource.spec: networking: auth: advancedAuthorization: allowUsers: - <allow_users> (1) allowGroups: - <allow_groups> (2) denyUsers: - <deny_users> (3) denyGroups: - <deny_groups> (4)1 List of users allowed to access Eclipse Che. 2 List of groups of users allowed to access Eclipse Che (for OpenShift Container Platform only). 3 List of users denied access to Eclipse Che. 4 List of groups of users denied access to Eclipse Che (for OpenShift Container Platform only). If a user is on both
allowanddenylists, access is denied. IfallowUsersandallowGroupsare empty, all users are allowed except the ones on thedenylists. IfdenyUsersanddenyGroupsare empty, only the users fromallowlists are allowed. If bothallowanddenylists are empty, all users are allowed. -
Wait for the rollout of the Che server components to complete.
-
Log in to the Che dashboard as a user on the
allowUserslist and verify access to the dashboard. -
Log in as a user on the
denyUserslist and verify that Che returns a403 Forbiddenresponse.