diff --git a/website/docs/enterprise/getting-started/install-enterprise-airgap.mdx b/website/docs/enterprise/getting-started/install-enterprise-airgap.mdx
index 2fc25470cf..62942d9b1f 100644
--- a/website/docs/enterprise/getting-started/install-enterprise-airgap.mdx
+++ b/website/docs/enterprise/getting-started/install-enterprise-airgap.mdx
@@ -13,12 +13,12 @@ From [wikipedia](https://en.wikipedia.org/wiki/Air_gap_(networking))
>An air gap, air wall, air gapping or disconnected network is a network security measure employed on one or more computers
to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network...
-This document guides on how to install Weave Gitops Enterprise in a restricted environment.
+This document guides on how to install Weave GitOps Enterprise (WGE) in a restricted environment.
# Before You Start
There are multiple restrictions that could happen within an air-gapped environment. This guide assumes that you have egress network
-restrictions. In order to install Weave Gitops Enterprise (WGE), the required artifacts are required to be loaded
+restrictions. In order to install WGE, the required artifacts must be loaded
from a private registry. This guide helps you with the task to identity the Helm charts
and container images required to install WGE and to load them into your private registry.
@@ -33,25 +33,25 @@ to load the artifacts in the private network.
Finally, we aim to provide an end to end example to use it as a guidance more than a recipe. Feel free to adapt the details
that do not fit within your context.
-# Install
+# Install WGE
There are different variations of the following stages and conditions. We consider that installing
WGE in an air-gapped environment could follow the following stages.
-1. Setup a WGE install environment.
+1. Set up a WGE install environment.
2. Collect artifacts and publish to a private registry.
-3. Install Weave Gitops Enterprise in the air-gapped environment.
+3. Install WGE in the air-gapped environment.
-## Setup a WGE install environment
+## Set up a WGE install environment
-The main goal of this stage is to recreate a local Weave Gitops Enterprise within your context, to collect
+The main goal of this stage is to recreate a local WGE within your context, to collect
the container images and Helm charts, that will be required in your private registry for the offline installation.
A three-step setup is followed.
1. Setup a proxy host
2. Setup a private registry
-3. Install Weave Gitops Enterprise
+3. Install WGE
### Setup a proxy host
@@ -143,7 +143,7 @@ helm repo update private
At this stage you have already a private registry for container images and helm charts.
-### Install Weave Gitops Enterprise
+### Install WGE
This step is to gather the artifacts and images in your local environment to push to the private registry.
@@ -274,7 +274,7 @@ spec:
-#### Weave Gitops Enterprise
+#### WGE
Update the following manifest to your context.
@@ -482,7 +482,7 @@ ghcr.io/weaveworks-liquidmetal/flintlock-kernel:5.10.77
## Airgap Install
-### Weave Gitops Enterprise
+### Weave GitOps Enterprise
At this stage you have in your private registry both the Helm charts and container images required to install Weave GitOps
Enterprise. Now you are ready to install WGE from your private registry.
diff --git a/website/docs/enterprise/getting-started/install-enterprise.mdx b/website/docs/enterprise/getting-started/install-enterprise.mdx
index da4c3a9223..7d8747f3cc 100644
--- a/website/docs/enterprise/getting-started/install-enterprise.mdx
+++ b/website/docs/enterprise/getting-started/install-enterprise.mdx
@@ -31,70 +31,46 @@ import TOCInline from "@theme/TOCInline";
There is no need to install the open source version of Weave GitOps before installing Weave GitOps Enterprise.
:::
-## Example: Set up a Management Cluster with CAPA and EKS
+## Prerequisites
-To get you started, we'll cover EKS as our management cluster with the CAPA provider. Please note again that Weave GitOps Enterprise supports [clusters without Cluster API](../../cluster-management/managing-clusters-without-capi.mdx), as well as any combination of management cluster and CAPI provider.
+To get up and running with Weave GitOps Enterprise:
+- create a Kubernetes cluster
+- add your cluster to kubeconfig—which you'll get from Kubernetes—so that the kubeconfig correctly points to the management cluster
+- create a Git repository; in the instructions below, we refer to a `fleet-infra` repository
+- configure your Git client properly (if using GitHub, for example,
+then review their docs on [setting your username](https://docs.github.com/en/get-started/getting-started-with-git/setting-your-username-in-git#setting-your-git-username-for-every-repository-on-your-computer) and
+[your email address](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address#setting-your-email-address-for-every-repository-on-your-computer))
+- obtain a valid entitlement secret from Weaveworks and apply it to your cluster
+- install a compatible version of Flux onto your cluster; see below for how-to guidance
-### Prep Step: Create a Repository
-Create a new private GitHub repository and give it a name. We'll call our repo `fleet-infra`.
+### Install the Weave GitOps Enterprise CLI Tool
-Set up a Git client for your private repo. For GitHub, see their docs on [setting your username](https://docs.github.com/en/get-started/getting-started-with-git/setting-your-username-in-git#setting-your-git-username-for-every-repository-on-your-computer) and [setting your email address](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address#setting-your-email-address-for-every-repository-on-your-computer).
-
-[Cluster API](https://cluster-api.sigs.k8s.io/introduction.html) provides declarative APIs, controllers, and tooling to manage the lifecycle of Kubernetes clusters, across a large number of [infrastructure providers](https://cluster-api.sigs.k8s.io/reference/providers.html#infrastructure).
-The CAPI custom resource definitions are platform-independent as each provider implementation handles the creation of virtual machines,
-VPCs, networks, and other required infrastructure parts, enabling consistent and repeatable cluster deployments.
-
-The following example and steps reflect Flux’s architecture and operations. Go [here](https://fluxcd.io/docs/cmd/) for more detailed documentation about Flux.
-
-### 1. CAPA Setup
-
-Cluster API requires kubectl access to an existing Kubernetes cluster. For this example, configure kubectl to use the management cluster:
-
-```bash
-export KUBECONFIG=/path/to/kubeconfig
-```
-
-After having configured kubectl, deploy the CAPA components by following the [steps provided by Cluster API documentation](https://cluster-api-aws.sigs.k8s.io/getting-started.html#install-clusterctl).
-
-### 2. Prepare IAM for Installation
-
-Cluster API needs special permissions in AWS. Use the `clusterawsadm` command below to roll out a CloudStack and install the permissions into your AWS account. Although the CloudStack is bound to a region, the resulting permissions are globally scoped. You can use any AWS Region that you have access to.
-
-The `clusterawsadm` command takes an AWSIAMConfiguration file. [Cluster API docs provide the command](https://cluster-api-aws.sigs.k8s.io/topics/using-clusterawsadm-to-fulfill-prerequisites.html#with-eks-support) for you; run this.
+To do this, you can use either brew or curl.
-Run the `clusterawsadm` command to create an IAM group:
+
+
```bash
-clusterawsadm bootstrap iam create-cloudformation-stack --config eks-config.yaml --region $REGION
+brew install weaveworks/tap/gitops-ee
```
-Create an IAM User, which will be used as a kind of service account, and assign the newly created group to this user. The group name will be something like: `cluster-api-provider-aws-s-AWSIAMGroupBootstrapper-XXXX`.
-
-Create a secret for the newly created IAM user.
-
-### 3. Create the Cluster
+
-In testing, we used the following values:
-`$INSTANCESIZE` : t3.large
-`$NUMOFNODES` : 2
-`$MINNODES` : 2
-`$MAXNODES` : 6
+
```bash
-eksctl create cluster -n "$CLUSTERNAME" -r "$REGION" --nodegroup-name workers -t $INSTANCESIZE --nodes $NUMOFNODES --nodes-min $MINNODES --nodes-max $MAXNODES --ssh-access --alb-ingress-access
+export VERSION=
+curl --silent --location "https://artifacts.wge.dev.weave.works/releases/bin/${VERSION}/gitops-$(uname)-$(uname -m).tar.gz" | tar xz -C /tmp
+sudo mv /tmp/gitops /usr/local/bin
+gitops version
```
-### 4. Add the Cluster to kubeconfig
-
-Once you've created your cluster, add it to your `kubeconfig`:
-
-```bash
-aws eks --region "$REGION" update-kubeconfig --name "$CLUSTERNAME"
-```
+
+
-### 5. Install Flux Onto Your Cluster with the `flux bootstrap` Command
+### Install Flux Onto Your Cluster with the `flux bootstrap` Command
-The `flux bootstrap` command enables you to deploy Flux on a cluster the GitOps way. Go [here](https://fluxcd.io/docs/cmd/) for more information about the `flux bootstrap` command.
+The `flux bootstrap` command enables you to deploy Flux on a cluster the GitOps way. Go [here](https://fluxcd.io/docs/cmd/) for more information about the command.
@@ -126,7 +102,7 @@ flux bootstrap gitlab \
-Your private GitHub repo should have a clusters/management folder that includes the manifests Flux needs to operate, and that also generates a key value pair for Flux to access the repo.
+Your private Git repo should have a clusters/management folder that includes the manifests Flux needs to operate, and that also generates a key value pair for Flux to access the repo.
* **owner**: The username (or organization) of the Git repository
* **repository**: Git repository name
@@ -137,33 +113,776 @@ Your private GitHub repo should have a clusters/management folder that includes
At this point your Flux management cluster should be running. Take a look at the repository you created earlier.
-### 6. Install CAPA
+### Apply Your Entitlements Secret to Your Cluster
+
+As noted above, you receive your entitlements secret by contacting sales@weave.works. Use this command to apply it to the cluster:
+
+```bash
+kubectl apply -f entitlements.yaml
+```
+
+## Set up Authentication and RBAC
+
+### Securing Access to the Dashboard
+
+There are two supported methods for logging in to the dashboard, that work with standard Kubernetes RBAC:
+- Login via an OIDC provider: recommended, as this will allow you to control permissions for existing users and groups that have
+already been configured to use OIDC. OIDC decouples the need to manage user lists from the application, allowing it to be managed via
+a central system designed for that purpose (i.e. the OIDC provider). OIDC also enables the creation of groups—either via your provider's own systems or by using a connector like [Dex](#configuring-oidc-with-dex-and-github).
+- Login via a cluster user account: which is insecure, and which we only recommend for local and development environments or if you need to activate emergency access to a damaged cluster. However, it is an option if an OIDC provider is not available.
+
+You may decide to give your engineering teams access to the WGE dashboard so they can view and manage their workloads. In this case, you will want to secure dashboard access and restrict who can interact with it. Weave GitOps Enterprise integrates with your OIDC provider and uses standard Kubernetes RBAC to give you fine-grained control of the dashboard users' permissions.
+
+OIDC extends the OAuth2 authorization protocol by including an additional field (ID Token) that contains information (claims) about a user's identity. After a user successfully authenticates with the OIDC provider, Weave GitOps Enterprise uses this information to impersonate the user in any calls to the Kubernetes API. This allows cluster administrators to use RBAC rules to control access to the cluster and the dashboard.
+
+
+
+
+To login via your OIDC provider, create a Kubernetes secret to store the OIDC configuration. This configuration consists of the following parameters:
+
+| Parameter | Description | Default |
+| ------------------| -------------------------------------------------------------------------------------------------------------------------------- | --------- |
+| `issuerURL` | The URL of the issuer; typically, the discovery URL without a path | |
+| `clientID` | The client ID set up for Weave GitOps in the issuer | |
+| `clientSecret` | The client secret set up for Weave GitOps in the issuer | |
+| `redirectURL` | The redirect URL set up for Weave GitOps in the issuer—typically the dashboard URL, followed by `/oauth2/callback ` | |
+| `tokenDuration` | The time duration that the ID Token will remain valid after successful authentication | "1h0m0s" |
+
+Ensure that your OIDC provider has been set up with a client ID/secret and the dashboard's redirect URL.
+
+Create a secret named `oidc-auth` in the `flux-system` namespace with these parameters set:
+
+```sh
+kubectl create secret generic oidc-auth \
+ --namespace flux-system \
+ --from-literal=issuerURL= \
+ --from-literal=clientID= \
+ --from-literal=clientSecret= \
+ --from-literal=redirectURL= \
+ --from-literal=tokenDuration=
+```
+
+Once the HTTP server starts, unauthenticated users will have to click 'Login With OIDC Provider' to log in or use the cluster account (if configured). Upon successful authentication, the users' identities will be impersonated in any calls made to the Kubernetes API, as part of any action they take in the dashboard. By default the Helm chart will configure RBAC correctly, but we recommend reading the [service account](#gitops-dashboard-service-account-permissions) and [user permissions](#user-permissions) pages to understand which actions are needed for Weave GitOps to function correctly.
+
+#### Customization
+
+For some OIDC configurations, you may need to customise the requested [scopes](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) or [claims](https://openid.net/specs/openid-connect-core-1_0.html#Claims).
+
+#### Scopes
+
+By default, the following scopes are requested: "openid","offline_access","email","groups".
+
+The "openid" scope is **mandatory** for OpenID auth. The "email" and "groups" scopes are commonly used as unique identifiers in organisations.
+
+"offline_access" allows us to refresh OIDC tokens to keep login sessions alive for as long as a refresh token is valid. You can, however, change the defaults.
+```sh
+kubectl create secret generic oidc-auth \
+ --namespace flux-system \
+ --from-literal=issuerURL= \
+ --from-literal=clientID= \
+ --from-literal=clientSecret= \
+ --from-literal=redirectURL= \
+ --from-literal=tokenDuration= \
+ --from-literal=customScopes=custom,scopes
+```
+The format for the `customScopes` key is a comma-separated list of scopes to request. In this case, "custom", "scopes", and "openid" would be requested.
+
+#### Claims
+
+By default, the following claims are parsed from the OpenID [ID Token](https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken) "email" and "groups". These are presented as the `user` and `groups` when WGE communicates with your Kubernetes API server.
+
+This is equivalent to [configuring](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server) your `kube-apiserver` with `--oidc-username-claim=email --oidc-groups-claim=groups`.
+
+Again, you can configure these from the `oidc-auth` `Secret`.
+
+```sh
+kubectl create secret generic oidc-auth \
+ --namespace flux-system \
+ --from-literal=issuerURL= \
+ --from-literal=clientID= \
+ --from-literal=clientSecret= \
+ --from-literal=redirectURL= \
+ --from-literal=tokenDuration= \
+ --from-literal=claimUsername=sub \
+ --from-literal=claimGroups=groups
+```
+There are two separate configuration keys. You can override them separately. They should match your `kube-apiserver` configuration.
+
+
+
+
+
+#### Configuring OIDC with Dex and GitHub
+This example uses [Dex](https://dexidp.io/) and its [GitHub connector](https://dexidp.io/docs/connectors/github/) to show you how to log in to the Weave GitOps dashboard by authenticating with your GitHub account. It assumes you have already installed Weave GitOps on a Kubernetes cluster, per the instructions above, and have also [enabled TLS](#tls-configuration).
+
+Dex is an identity service that uses [OpenID Connect](https://openid.net/connect/) to
+drive authentication for other apps. There are other solutions for identity and access management, such as [Keycloak](https://www.keycloak.org/).
+
+Create a namespace where you will install Dex:
-You do not need to install a CAPI provider to provision Kubernetes clusters using Weave GitOps Enterprise—you can also provision with Terraform. But for this example with CAPA, you must.
+```yaml
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: dex
+```
-Download a specific version of clusterctl from the [releases page](https://github.com/kubernetes-sigs/cluster-api/releases). We've tested the example templates provided in this guide with `clusterctl` version `1.1.3`.
+Get a GitHub ClientID and Client secret by creating a [new OAuth application](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app).
-Next, run this command:
+
```bash
-export EXP_EKS=true
-export EXP_MACHINE_POOL=true
-export CAPA_EKS_IAM=true
-export EXP_CLUSTER_RESOURCE_SET=true
+kubectl create secret generic github-client \
+ --namespace=dex \
+ --from-literal=client-id=${GITHUB_CLIENT_ID} \
+ --from-literal=client-secret=${GITHUB_CLIENT_SECRET}
+```
+
+#### Deploy Dex
+
+Use `HelmRepository` and `HelmRelease` objects to let Flux deploy everything.
+
+Expand to see resource manifests
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: dex
+ namespace: dex
+spec:
+ interval: 1m
+ url: https://charts.dexidp.io
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: dex
+ namespace: dex
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: dex
+ version: 0.6.5
+ sourceRef:
+ kind: HelmRepository
+ name: dex
+ namespace: dex
+ interval: 1m
+ values:
+ image:
+ tag: v2.31.0
+ envVars:
+ - name: GITHUB_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: github-client
+ key: client-id
+ - name: GITHUB_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: github-client
+ key: client-secret
+ config:
+ # Set it to a valid URL
+ issuer: https://dex.dev.example.tld
+
+ # See https://dexidp.io/docs/storage/ for more options
+ storage:
+ type: memory
+
+ staticClients:
+ - name: 'Weave GitOps Core'
+ id: weave-gitops
+ secret: AiAImuXKhoI5ApvKWF988txjZ+6rG3S7o6X5En
+ redirectURIs:
+ - 'https://localhost:9001/oauth2/callback'
+ - 'https://0.0.0.0:9001/oauth2/callback'
+ - 'http://0.0.0.0:9001/oauth2/callback'
+ - 'http://localhost:4567/oauth2/callback'
+ - 'https://localhost:4567/oauth2/callback'
+ - 'http://localhost:3000/oauth2/callback'
+
+ connectors:
+ - type: github
+ id: github
+ name: GitHub
+ config:
+ clientID: $GITHUB_CLIENT_ID
+ clientSecret: $GITHUB_CLIENT_SECRET
+ redirectURI: https://dex.dev.example.tld/callback
+ orgs:
+ - name: weaveworks
+ teams:
+ - team-a
+ - team-b
+ - QA
+ - name: ww-test-org
+ ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ hosts:
+ - host: dex.dev.example.tld
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls:
+ - hosts:
+ - dex.dev.example.tld
+ secretName: dex-dev-example-tld
+```
+
+Expand to see group role bindings
+
+```yaml
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: wego-test-user-read-resources
+ namespace: flux-system
+subjects:
+ - kind: Group
+ name: weaveworks:QA
+ namespace: flux-system
+roleRef:
+ kind: Role
+ name: wego-admin-role
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: wego-admin-role
+ namespace: flux-system
+rules:
+ - apiGroups: [""]
+ resources: ["secrets", "pods" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: ["apps"]
+ resources: [ "deployments", "replicasets"]
+ verbs: [ "get", "list" ]
+ - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ resources: [ "kustomizations" ]
+ verbs: [ "get", "list", "patch" ]
+ - apiGroups: ["helm.toolkit.fluxcd.io"]
+ resources: [ "helmreleases" ]
+ verbs: [ "get", "list", "patch" ]
+ - apiGroups: ["source.toolkit.fluxcd.io"]
+ resources: ["buckets", "helmcharts", "gitrepositories", "helmrepositories", "ocirepositories"]
+ verbs: ["get", "list", "patch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "watch", "list"]
```
-Please note that, while the next few steps apply to our example, they are also relevant whether you're using another CAPI provider or none at all.
+Expand to see group cluster role bindings
+
+```yaml
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: weaveworks:team-a
+subjects:
+- kind: Group
+ name: weaveworks:team-a
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
+```
+
+Expand to see example RBAC
+
+```yaml
+# Admin cluster role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: wego-admin-cluster-role
+rules:
+ - apiGroups: [""]
+ resources: ["secrets", "pods" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: ["apps"]
+ resources: [ "deployments", "replicasets"]
+ verbs: [ "get", "list" ]
+ - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ resources: [ "kustomizations" ]
+ verbs: [ "get", "list", "patch" ]
+ - apiGroups: ["helm.toolkit.fluxcd.io"]
+ resources: [ "helmreleases" ]
+ verbs: [ "get", "list", "patch" ]
+ - apiGroups: ["source.toolkit.fluxcd.io"]
+ resources: [ "buckets", "helmcharts", "gitrepositories", "helmrepositories", "ocirepositories" ]
+ verbs: [ "get", "list", "patch" ]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "watch", "list"]
+---
+# Read-only cluster role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: wego-readonly-role
+rules:
+ # All the 'patch' permissions have been removed
+ - apiGroups: [""]
+ resources: ["secrets", "pods" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: ["apps"]
+ resources: [ "deployments", "replicasets"]
+ verbs: [ "get", "list" ]
+ - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ resources: [ "kustomizations" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: ["helm.toolkit.fluxcd.io"]
+ resources: [ "helmreleases" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: ["source.toolkit.fluxcd.io"]
+ resources: [ "buckets", "helmcharts", "gitrepositories", "helmrepositories", "ocirepositories" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "watch", "list"]
+---
+# Bind the cluster admin role to the wego-admin group
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: wego-cluster-admin
+subjects:
+- kind: Group
+ name: wego-admin # only Aisha is a member
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: wego-admin-cluster-role
+ apiGroup: rbac.authorization.k8s.io
+---
+# Bind the admin role in the team-a namespace for the wego-team-a-admin group
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: wego-team-a-admin-role
+ namespace: team-a
+subjects:
+- kind: Group
+ name: wego-team-a-admin # Aisha & Brian are members
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ # Use the cluster role to set rules, just bind them in the team-a namespace
+ kind: ClusterRole
+ name: wego-admin-role
+ apiGroup: rbac.authorization.k8s.io
+---
+# Bind the read-only role to the read-only group
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: wego-readonly-role
+subjects:
+- kind: Group
+ name: wego-readonly # Everyone is a member
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: wego-readonly-role
+ apiGroup: rbac.authorization.k8s.io
+---
+```
+
+