# Setting Up Kubernetes RBAC for SSO User Groups on PCD Workload Clusters

### Problem <a href="#overview" id="overview"></a>

When SSO users access a PCD workload cluster, they need Kubernetes RBAC bindings that map their SSO group memberships to cluster permissions. This guide shows how to grant access to SSO groups using Kubernetes `ClusterRoleBinding` or `RoleBinding` resources.

### Environment

* Private Cloud Director Kubernetes – v2026.1 and Higher

### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

* A workload cluster created in PCD
* SSO configured in your PCD deployment
* `kubectl` access to the workload cluster (or access to the PCD UI RBAC section)

### Default ClusterRoles <a href="#default-clusterroles" id="default-clusterroles"></a>

Every PCD workload cluster ships with the standard Kubernetes ClusterRoles that you can reference in your bindings. `admin`, `edit` and `view` are designed to be granted per namespace through a `RoleBinding`; binding them through a `ClusterRoleBinding` grants the same permissions in every namespace of the cluster.

| ClusterRole     | Permissions                                                                                            |
| --------------- | ------------------------------------------------------------------------------------------------------ |
| `cluster-admin` | Full access to all resources, namespaced and cluster-scoped, in all namespaces (superuser)              |
| `admin`         | Read/write access to most resources in a namespace, including creating Roles and RoleBindings there; excludes resource quotas and the namespace object itself |
| `edit`          | Read/write access to common workload resources (Deployments, Services, ConfigMaps, Secrets, etc.); cannot view or modify Roles or RoleBindings. Because it can read Secrets and run Pods as any ServiceAccount in the namespace, it effectively grants the API access of every ServiceAccount in that namespace |
| `view`          | Read-only access to most resources in a namespace; does not include Secrets or Roles/RoleBindings       |

### Default Tenant RBAC <a href="#default-tenant-rbac" id="default-tenant-rbac"></a>

PCD automatically creates four `ClusterRoleBindings` in each workload cluster for the tenant that owns it:

<table><thead><tr><th width="272.0390625">ClusterRoleBinding</th><th width="202.58984375">ClusterRole</th><th>Group</th></tr></thead><tbody><tr><td><code>kaapi-cluster-admin-binding</code></td><td><code>cluster-admin</code></td><td><code>&#x3C;du>-&#x3C;domain>-&#x3C;tenant>-admin</code></td></tr><tr><td><code>kaapi-cluster-member-binding</code></td><td><code>cluster-admin</code></td><td><code>&#x3C;du>-&#x3C;domain>-&#x3C;tenant>-member</code></td></tr><tr><td><code>kaapi-cluster-reader-binding</code></td><td><code>view</code></td><td><code>&#x3C;du>-&#x3C;domain>-&#x3C;tenant>-reader</code></td></tr><tr><td><code>kaapi-node-reader-binding</code></td><td><code>kaapi-node-reader</code></td><td><code>&#x3C;du>-&#x3C;domain>-&#x3C;tenant>-reader</code></td></tr></tbody></table>

Group names follow the pattern `<du>-<domain>-<tenant>-<role>`, where `<du>` is the deployment unit name (e.g. `mydu`), `<domain>` is the domain name in the PCD (e.g. `default`), `<tenant>` is the tenant name, and `<role>` is one of `admin`, `member`, or `reader`.

You can inspect the username and groups the API server extracts from your own token (requires `kubectl` v1.27 or later) by running:

```bash
kubectl auth whoami -o yaml
```

Users assigned to the tenant in PCD automatically receive access through these bindings based on their tenant role. **No extra steps are required for tenant users.** Note that both the `admin` and `member` tenant roles are bound to `cluster-admin`, so a tenant member has full control of the workload cluster; only `reader` is read-only (`view` plus the PCD-provided `kaapi-node-reader` ClusterRole).

### Granting Access to Additional SSO Groups <a href="#granting-access-to-additional-sso-groups" id="granting-access-to-additional-sso-groups"></a>

If you need to grant cluster access to SSO users who are **not** part of the owning tenant, create a binding that references their SSO group name.

There are two types of groups you may encounter:

* **PCD tenant groups** — Automatically created by PCD, following the naming pattern `<du>-<domain>-<tenant>-<role>` (e.g. `mydu-default-app-admin`). Use these when granting access to users who already belong to a different PCD tenant.
* **External SSO groups** — Defined in your identity provider (Okta, Azure AD, etc.) and passed through in the token's `groups` claim (e.g. `app-team`). Use these when granting access to users managed outside of PCD's tenant model.

The examples below use an external SSO group called `app-team`. The `name` in the binding must match the value in the token's `groups` claim exactly: RBAC subject names are case-sensitive, and a binding to `App-Team` does nothing for a user whose token carries `app-team`.

#### Option A: Cluster-wide access via ClusterRoleBinding <a href="#option-a-cluster-wide-access-via-clusterrolebinding" id="option-a-cluster-wide-access-via-clusterrolebinding"></a>

Grant the SSO group `app-team` read-only access across the entire cluster:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: app-team-view
subjects:
- kind: Group
  name: app-team
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

```bash
kubectl apply -f app-team-view.yaml
```

#### Option B: Namespace-scoped access via RoleBinding <a href="#option-b-namespace-scoped-access-via-rolebinding" id="option-b-namespace-scoped-access-via-rolebinding"></a>

Grant the SSO group `app-team` edit access only in the `app` namespace:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-team-edit
  namespace: app
subjects:
- kind: Group
  name: app-team
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
```

```bash
kubectl apply -f app-team-edit.yaml
```

> **Note:** You can reference a `ClusterRole` in a `RoleBinding`; the permissions are then scoped to the RoleBinding's namespace. The reverse does not work: a `ClusterRoleBinding` can only reference a `ClusterRole`, never a namespaced `Role`.

#### Option C: Using the PCD UI <a href="#option-c-using-the-pcd-ui" id="option-c-using-the-pcd-ui"></a>

1. Navigate to **Kubernetes > RBAC > ClusterRoleBindings**
2. Click **Add ClusterRoleBinding**
3. Select the target cluster and the desired ClusterRole
4. Select the SSO group(s) to bind
5. Click **Add ClusterRoleBinding**

### Verifying Access <a href="#verifying-access" id="verifying-access"></a>

After creating the binding, the SSO user can verify their permissions. For a member of `app-team`, the expected answer is `yes`, since both Option A (`view`, cluster-wide) and Option B (`edit` in `app`) allow listing pods in the `app` namespace:

```bash
kubectl auth can-i list pods --namespace app
```
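The `can-i` check answers one question at a time. When reviewing what an SSO group actually gets on a cluster, it is more useful to take the JSON that `kubectl auth whoami -o json` and `kubectl get clusterrolebindings,rolebindings -A -o json` print, find every binding whose `Group` subjects match the user's groups, and flag cluster-wide grants of powerful roles. The script below is an added example and not part of the PCD documentation or product; it classifies groups using the `<du>-<domain>-<tenant>-<role>` pattern from the Default Tenant RBAC section and the exact-match rule from the Granting Access section. The `WHOAMI_JSON` and `BINDINGS_JSON` documents are constructed samples (a `mydu` deployment unit, `default` domain, `app` tenant, the two `app-team` bindings from Options A and B, and a deliberately mis-cased `App-Team` binding), and the `POWERFUL_CLUSTER_ROLES` set is this example's own choice of what deserves review.

```python
"""Audit which RBAC bindings apply to an SSO user's groups on a workload cluster.

Added example, not PCD code. Input is the JSON printed by
  kubectl auth whoami -o json
  kubectl get clusterrolebindings,rolebindings -A -o json
Only Group subjects are considered; User and ServiceAccount subjects are ignored.
"""
import json

# Example's own choice: cluster-wide grants of these roles are always worth a second look.
POWERFUL_CLUSTER_ROLES = {"cluster-admin", "admin", "edit"}

# Constructed sample: SelfSubjectReview for an external SSO user. Every authenticated
# user also carries the implicit system:authenticated group, which the audit must cover.
WHOAMI_JSON = """
{"kind": "SelfSubjectReview", "apiVersion": "authentication.k8s.io/v1",
 "status": {"userInfo": {"username": "alice@example.com",
                         "groups": ["app-team", "system:authenticated"]}}}
"""

# Constructed sample: trimmed `kubectl get clusterrolebindings,rolebindings -A -o json`
# output (a List of mixed kinds) with the PCD defaults and the bindings from this page.
BINDINGS_JSON = """
{"kind": "List", "apiVersion": "v1", "items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "kaapi-cluster-admin-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "mydu-default-app-admin"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "kaapi-cluster-member-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "mydu-default-app-member"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "kaapi-cluster-reader-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "Group", "name": "mydu-default-app-reader"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
  "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "app-team-view"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "Group", "name": "app-team"}]},
 {"kind": "RoleBinding", "metadata": {"name": "app-team-edit", "namespace": "app"},
  "roleRef": {"kind": "ClusterRole", "name": "edit"},
  "subjects": [{"kind": "Group", "name": "app-team"}]},
 {"kind": "RoleBinding", "metadata": {"name": "oops-admin", "namespace": "kube-system"},
  "roleRef": {"kind": "ClusterRole", "name": "admin"},
  "subjects": [{"kind": "Group", "name": "App-Team"}]}
]}
"""


def classify_group(group, du, domain):
    """Return ('tenant', tenant, role) for a PCD tenant group, else ('external', None, None).

    The du and domain are required as known values because tenant names may themselves
    contain hyphens, so the pattern cannot be split reliably on '-' alone.
    """
    prefix = f"{du}-{domain}-"
    if group.startswith(prefix):
        tenant, sep, role = group[len(prefix):].rpartition("-")
        if sep and tenant and role in ("admin", "member", "reader"):
            return ("tenant", tenant, role)
    return ("external", None, None)


def user_groups(whoami_json):
    """Groups the API server attached to the caller, from a SelfSubjectReview document."""
    return json.loads(whoami_json)["status"]["userInfo"]["groups"]


def matching_bindings(groups, bindings_json):
    """(kind, name, namespace, roleRef name) for every binding naming one of `groups`.

    Comparison is exact and case-sensitive, as the API server's RBAC authorizer does it,
    so the mis-cased 'App-Team' binding in the sample is correctly not matched.
    """
    wanted = set(groups)
    found = []
    for item in json.loads(bindings_json)["items"]:
        subject_groups = {s["name"] for s in item.get("subjects", []) if s.get("kind") == "Group"}
        if not subject_groups & wanted:
            continue
        namespace = item["metadata"].get("namespace") if item["kind"] == "RoleBinding" else None
        found.append((item["kind"], item["metadata"]["name"], namespace, item["roleRef"]["name"]))
    return found


def cluster_wide_powerful(matches):
    """Keep only cluster-wide grants of roles that should be reviewed."""
    return [m for m in matches if m[0] == "ClusterRoleBinding" and m[3] in POWERFUL_CLUSTER_ROLES]


def audit(whoami_json, bindings_json, du="mydu", domain="default"):
    """Full report: how each group is classified, what it is bound to, what needs review."""
    groups = user_groups(whoami_json)
    matches = matching_bindings(groups, bindings_json)
    return {"groups": {g: classify_group(g, du, domain) for g in groups},
            "bindings": matches, "review": cluster_wide_powerful(matches)}


if __name__ == "__main__":
    report = audit(WHOAMI_JSON, BINDINGS_JSON)
    for group, (kind, tenant, role) in report["groups"].items():
        print(f"group {group}: {kind}" + (f" (tenant={tenant}, role={role})" if tenant else ""))
    for kind, name, namespace, role in report["bindings"]:
        print(f"{kind} {name} -> {role} in {namespace or '<cluster-wide>'}")
    for kind, name, _, role in report["review"]:
        print(f"REVIEW: {kind} {name} grants {role} cluster-wide")
```

Run it against real output by saving `kubectl auth whoami -o json` and `kubectl get clusterrolebindings,rolebindings -A -o json` to files and passing their contents to `audit()` with your own `du` and `domain`. For the sample user the report lists `system:basic-user`, `app-team-view` and `app/app-team-edit` and nothing to review; for a user in `mydu-default-app-member` it flags `kaapi-cluster-member-binding` as a cluster-wide `cluster-admin` grant. A cluster administrator can cross-check any single result without the user's token by impersonating the group, for example `kubectl auth can-i list pods -n app --as=alice@example.com --as-group=app-team` (`--as-group` may be repeated).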
