Grant Custom Resource Access¶
This guide covers configuring MonitorAccessPolicy resources to control access to custom resources collected by MetricSource.
Overview¶
Custom resources use implicit deny. A user cannot see any MetricSource-defined resource type unless a policy explicitly grants access. This provides a secure default — new MetricSource types are invisible until an administrator creates a policy for them.
Custom resource types are listed alongside built-in types in the resources list. The type field must match the MetricSource's rbac.resourceTypeName.
Prerequisites¶
- At least one
MetricSourcedeployed with anrbac.resourceTypeNameconfigured - Familiarity with
MonitorAccessPolicybasics (see Create Read-Only Policy)
Grant Full Access to a Custom Type¶
The simplest case — grant unrestricted read access to a custom resource type:
apiVersion: clusterpulse.io/v1alpha1
kind: MonitorAccessPolicy
metadata:
name: pvc-full-access
namespace: clusterpulse
spec:
identity:
priority: 100
subjects:
groups:
- storage-admins
access:
effect: Allow
enabled: true
scope:
clusters:
default: all
rules:
- selector:
matchPattern: .*
permissions:
view: true
viewMetrics: true
resources:
- type: pvc
visibility: all
The type: pvc must match the rbac.resourceTypeName in your MetricSource definition.
Filter by Namespace¶
Restrict which namespaces a user can see resources from:
resources:
- type: pvc
visibility: filtered
filters:
namespaces:
allowed:
- "app-*"
- "shared-*"
denied:
- "shared-admin"
denied takes precedence over allowed. Wildcards (*, ?) are supported.
Filter by Resource Name¶
Restrict which individual resources are visible:
resources:
- type: certificate
visibility: filtered
filters:
names:
allowed:
- "public-*"
denied:
- "*-internal"
Filter by Field Values¶
Filter resources by the values of extracted fields. Only fields listed in the MetricSource's rbac.filterableFields can be used.
resources:
- type: pvc
visibility: filtered
filters:
fields:
storageClass:
allowed:
- "gp3"
- "io2"
phase:
denied:
- "Failed"
Control Aggregation Visibility¶
Policies can restrict which aggregations a user sees. This is independent of aggregation recomputation — it controls the names exposed, not the values.
Include List (Whitelist)¶
Only these aggregations are visible:
Exclude List (Blacklist)¶
Hide specific aggregations:
include takes precedence — if both are set, only include is applied.
Combining Multiple Filters¶
Filters are evaluated in order: namespace, then name, then fields. A resource must pass all filters to be visible:
resources:
- type: pvc
visibility: filtered
filters:
namespaces:
allowed:
- "prod-*"
names:
denied:
- "*-temp"
fields:
phase:
allowed:
- "Bound"
storageClass:
allowed:
- "gp3"
aggregations:
include:
- total_pvcs
- total_capacity
This policy shows only PVCs that are:
- In namespaces matching prod-*
- Not named *-temp
- In Bound phase
- Using gp3 storage class
And only the total_pvcs and total_capacity aggregations are visible.
Multiple Custom Types in One Policy¶
Grant access to multiple types with different rules:
resources:
- type: pvc
visibility: all
- type: certificate
visibility: filtered
filters:
namespaces:
allowed:
- "app-*"
- type: cronjob
visibility: filtered
filters:
fields:
schedule:
denied:
- "* * * * *"
Types not listed remain invisible (implicit deny).
Complete Example¶
apiVersion: clusterpulse.io/v1alpha1
kind: MonitorAccessPolicy
metadata:
name: team-storage-access
namespace: clusterpulse
spec:
identity:
priority: 100
subjects:
groups:
- team-alpha
access:
effect: Allow
enabled: true
scope:
clusters:
default: filtered
rules:
- selector:
environment: production
permissions:
view: true
viewMetrics: true
resources:
- type: namespaces
visibility: filtered
filters:
names:
allowed:
- "alpha-*"
- type: pvc
visibility: filtered
filters:
namespaces:
allowed:
- "alpha-*"
fields:
storageClass:
allowed:
- "gp3"
aggregations:
include:
- total_pvcs
- total_capacity
- by_storage_class
- type: certificate
visibility: all
Aggregation Recomputation¶
When a MetricSource has rbac.filterAggregations: true (the default), aggregation values are automatically recomputed from the user's filtered resource set. For example, if a user can only see PVCs in alpha-* namespaces, the total_pvcs count reflects only those PVCs — not the cluster total.
This is separate from aggregation visibility. Even with recomputation, a policy can further hide specific aggregation names using aggregations.include or aggregations.exclude.
Verification¶
List Accessible Types¶
curl -s -H "Authorization: Bearer $TOKEN" \
https://clusterpulse.example.com/api/v1/custom-types | jq
Only types granted by the user's policy are returned.
Check Filtered Resources¶
curl -s -H "Authorization: Bearer $TOKEN" \
https://clusterpulse.example.com/api/v1/clusters/my-cluster/custom/pvc | jq
Check Aggregations¶
curl -s -H "Authorization: Bearer $TOKEN" \
"https://clusterpulse.example.com/api/v1/custom-types/clusters?type=pvc&include_aggregations=true" | jq
Troubleshooting¶
Custom Type Not Visible¶
- Verify the MetricSource exists and has
rbac.resourceTypeNameset - Confirm the policy includes a
resourcesentry with the matchingtypeandvisibilitynot set tonone - Check that the policy applies to the user (correct subjects, priority, enabled)
Resources Filtered More Than Expected¶
- Review namespace, name, and field filters — all must pass
- Check for higher-priority
Denypolicies - Use the permissions endpoint to see effective rules:
Aggregations Missing¶
- Verify the aggregation name matches the MetricSource definition
- Check if the policy uses
aggregations.include— unlisted names are hidden - Confirm
filterAggregationsis not causing empty results (no resources match after filtering)
Next Steps¶
- Create a MetricSource - Define the resource type to collect
- Filter by Namespace - Namespace filtering for built-in and custom resources
- RBAC Model - Full RBAC architecture reference
- Policy Evaluation - How policies are evaluated