Project RBAC policy templates
The PaletteAI Helm chart renders template ConfigMaps into the Helm release namespace. Each template holds a default list of Kubernetes PolicyRule entries used when defining Project-scoped access for Viewer, Editor, and Admin roles.
Role ConfigMap Templates
PaletteAI copies the role templates into each Tenant namespace. These Tenant-scoped copies are the source of truth for the Role resources in every Project namespace within that Tenant.
| ConfigMap name | Namespace | Data key | Purpose |
|---|---|---|---|
| mural-project-rbac-viewer | Helm release namespace | rules.yaml | Default rules for viewers in all Tenants and Projects |
| mural-project-rbac-editor | Helm release namespace | rules.yaml | Default rules for editors in all Tenants and Projects |
| mural-project-rbac-admin | Helm release namespace | rules.yaml | Default rules for admins in all Tenants and Projects |
Each rules.yaml value is a YAML list of PolicyRule objects, in the same shape as the rules field on a rbac.authorization.k8s.io/v1 Role. Use an empty string under apiGroups for the core Kubernetes API.
Post-installation Customization
To adjust effective permissions after installation, edit the ConfigMap resources in each Tenant namespace. When you change any of the three policy ConfigMap resources in a Tenant namespace, PaletteAI automatically updates the Role resources for every Project within that Tenant.
Upgrading the PaletteAI Helm chart does not reset or replace manual changes you make at the Tenant scope — overrides in Tenant namespaces are preserved.
Chart upgrades may update the template ConfigMap resources in the Helm release namespace when the PaletteAI defaults change. If you maintain customized permission sets, read the release notes for each upgrade and manually merge any new rules or modifications into your Tenant-scoped ConfigMap resources. PaletteAI does not overwrite customized ConfigMap resources in Tenant namespaces.
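As an aid to the manual merge described above, the following added example (not part of PaletteAI or its chart) compares a template rule list with a Tenant-scoped copy and reports grants that exist on only one side. The function names and the sample rules are assumptions constructed for illustration; the input is the parsed rules.yaml value of each ConfigMap.

```python
from itertools import product

def expand(rules):
    """Flatten PolicyRule dicts into (apiGroup, resource, resourceName, verb) grants."""
    grants = set()
    for rule in rules:
        # A rule without resourceNames applies to every object; "*" marks that here.
        names = rule.get("resourceNames") or ["*"]
        grants.update(product(rule.get("apiGroups", []), rule.get("resources", []),
                              names, rule.get("verbs", [])))
    return grants

def covered(want, grants):
    """True if one grant matches `want` in every field, treating "*" as a wildcard."""
    # Subresource entries such as pods/log are compared as literal strings.
    return any(all(h in ("*", w) for h, w in zip(have, want)) for have in grants)

def drift(template_rules, tenant_rules):
    """Return (missing, extra): grants only in the template, grants only in the Tenant copy."""
    template, tenant = expand(template_rules), expand(tenant_rules)
    missing = sorted(g for g in template if not covered(g, tenant))
    extra = sorted(g for g in tenant if not covered(g, template))
    return missing, extra

# Constructed sample rules, not PaletteAI defaults. In practice each list is the
# parsed rules.yaml value of one ConfigMap (for example via yaml.safe_load).
TEMPLATE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "configmaps"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
]
TENANT_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["secrets"], "resourceNames": ["registry-creds"],
     "verbs": ["get"]},
]

if __name__ == "__main__":
    missing, extra = drift(TEMPLATE_RULES, TENANT_RULES)
    for label, grants in (("missing from Tenant copy", missing), ("beyond template", extra)):
        for group, resource, name, verb in grants:
            print(f"{label}: group={group or 'core'} resource={resource} name={name} verb={verb}")
```

Grants reported as beyond the template are the ones to review first, since they widen access relative to the chart defaults and are preserved across upgrades.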
Identify Template ConfigMaps
For ease of discovery, template ConfigMaps are labeled as follows:
- app.kubernetes.io/component: palette-ai-project-rbac-template
- palette.ai/project-rbac-tier with values viewer, editor, or admin