8 changes: 4 additions & 4 deletions content/operate/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -45,9 +45,9 @@ hideListLinks: true
| | <nobr>{{<color-bubble color="bg-blue-bubble" >}} Redis</nobr> Cloud | <nobr>{{<color-bubble color="bg-yellow-bubble">}} Redis</nobr> Software | <nobr>{{<color-bubble color="bg-purple-bubble">}} Redis</nobr> Open Source | <nobr><div class="h-3 w-3 rounded-md border border-redis-pen-600 inline-block mr-1" style="background-color: #8A99A0"></div> Redis for</nobr> Kubernetes |
|:-----------|:--------------|:-----------|:--------------|:--------------|
| Transport Layer Security (TLS) | [TLS]({{<relref "/operate/rc/security/database-security/tls-ssl">}}) | [TLS]({{<relref "/operate/rs/security/encryption/tls">}}) | [TLS]({{< relref "/operate/oss_and_stack/management/security/encryption" >}}) | [REDB tlsMode]({{<relref "/operate/kubernetes/reference/api/redis_enterprise_database_api/#spec">}}) |
| Role-based access control (RBAC) | [Role-based access control]({{<relref "/operate/rc/security/access-control/data-access-control/role-based-access-control">}}) | [Access control]({{<relref "/operate/rs/security/access-control">}}) | [Access control list]({{< relref "/operate/oss_and_stack/management/security/acl" >}}) | [REC credentials]({{<relref "/operate/kubernetes/security/manage-rec-credentials/">}}) |
| Lightweight Directory Access Protocol (LDAP) | | [LDAP authentication]({{<relref "/operate/rs/security/access-control/ldap">}}) | | [Enable LDAP]({{<relref "/operate/kubernetes/security/ldap/">}}) |
| Role-based access control (RBAC) | [Role-based access control]({{<relref "/operate/rc/security/access-control/data-access-control/role-based-access-control">}}) | [Access control]({{<relref "/operate/rs/security/access-control">}}) | [Access control list]({{< relref "/operate/oss_and_stack/management/security/acl" >}}) | [REC credentials]({{<relref "/operate/kubernetes/security/authentication/manage-rec-credentials/">}}) |
| Lightweight Directory Access Protocol (LDAP) | | [LDAP authentication]({{<relref "/operate/rs/security/access-control/ldap">}}) | | [Enable LDAP]({{<relref "/operate/kubernetes/security/authentication/ldap/">}}) |
| Single sign-on (SSO) | [SAML SSO]({{< relref "/operate/rc/security/access-control/saml-sso" >}}) | | | |
| Self-signed certificates | | [Certificates]({{<relref "/operate/rs/security/certificates">}}) | [Certificate configuration]({{< relref "/operate/oss_and_stack/management/security/encryption#certificate-configuration" >}}) | [REC certificates]({{<relref "operate/kubernetes/security/manage-rec-certificates/">}}) |
| Internode encryption | [Encryption at rest]({{< relref "/operate/rc/security/encryption-at-rest" >}}) | [Internode encryption]({{<relref "/operate/rs/security/encryption/internode-encryption">}}) | | [Enable internode encryption]({{<relref "operate/kubernetes/security/internode-encryption/">}}) |
| Self-signed certificates | | [Certificates]({{<relref "/operate/rs/security/certificates">}}) | [Certificate configuration]({{< relref "/operate/oss_and_stack/management/security/encryption#certificate-configuration" >}}) | [REC certificates]({{<relref "operate/kubernetes/security/certificates/manage-rec-certificates/">}}) |
| Internode encryption | [Encryption at rest]({{< relref "/operate/rc/security/encryption-at-rest" >}}) | [Internode encryption]({{<relref "/operate/rs/security/encryption/internode-encryption">}}) | | [Enable internode encryption]({{<relref "operate/kubernetes/security/certificates/internode-encryption/">}}) |
| Auditing | | [Audit events]({{<relref "/operate/rs/security/audit-events">}}) | [Keyspace notifications]({{< relref "/develop/pubsub/keyspace-notifications" >}}) | |
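Review bot: the two Kubernetes cells updated in this hunk use relref paths without a leading slash (`operate/kubernetes/security/certificates/manage-rec-certificates/` and `operate/kubernetes/security/certificates/internode-encryption/`), while every other relref in the table, including the credentials and LDAP cells changed in the same hunk, starts with `/operate/...`; since the paths are being touched anyway, make them `/operate/kubernetes/security/certificates/...` so relref resolves the same way regardless of the page that renders the table. Unrelated to this change but worth a follow-up: the Cloud cell of the "Internode encryption" row links to "Encryption at rest", which is a different control from the row label.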
8 changes: 4 additions & 4 deletions content/operate/kubernetes/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -67,10 +67,10 @@ Set up globally distributed [Active-Active databases]({{< relref "/operate/kuber

Manage [secure connections]({{< relref "/operate/kubernetes/security" >}}) and access control for your Redis Enterprise deployment.

- [Manage REC credentials]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}})
- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}})
- [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}})
- [LDAP authentication]({{< relref "/operate/kubernetes/security/ldap" >}})
- [Manage REC credentials]({{< relref "/operate/kubernetes/security/authentication/manage-rec-credentials" >}})
- [Manage REC certificates]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}})
- [Internode encryption]({{< relref "/operate/kubernetes/security/certificates/internode-encryption" >}})
- [LDAP authentication]({{< relref "/operate/kubernetes/security/authentication/ldap" >}})

## Reference

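Review bot: this list still only covers credentials, certificates, internode encryption, and LDAP, but the same PR adds a new access-control section (content/operate/kubernetes/security/access-control/_index.md) that manages users, roles, ACLs, and bindings as custom resources; add an entry such as `- [Access control]({{< relref "/operate/kubernetes/security/access-control" >}})` here so the landing page reflects the new section, or replace the four entries with links to the new authentication, certificates, and access-control hubs to match the restructured security index.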
2 changes: 1 addition & 1 deletion content/operate/kubernetes/active-active/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ For examples, see the [YAML examples]({{< relref "/operate/kubernetes/reference/

The operator automates Active-Active certificate updates. When you update the proxy or syncer certificate secret on a participating cluster's REC, the operator detects the change and propagates the new certificate to the other participating clusters.

For details, see [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) and [cert-manager integration]({{< relref "/operate/kubernetes/security/cert-manager" >}}).
For details, see [Manage REC certificates]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) and [cert-manager integration]({{< relref "/operate/kubernetes/security/certificates/cert-manager" >}}).

### Limitations

Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ You'll need to create DNS aliases to resolve your API hostname `<api-hostname>`,
- Description: Combined with database name to create the Active-Active database hostname
- Format: string
- Example value: `-cluster.ijk.example.com`
- [**REC admin credentials**]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}}) `<username> <password>`:
- [**REC admin credentials**]({{< relref "/operate/kubernetes/security/authentication/manage-rec-credentials" >}}) `<username> <password>`:
- Description: Admin username and password for the REC stored in a secret
- Format: string
- Example value: username: `user@example.com`, password: `something`
8 changes: 4 additions & 4 deletions content/operate/kubernetes/architecture/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -84,25 +84,25 @@ See the [RedisEnterpriseDatabase (REDB) API Reference]({{<relref "/operate/kuber

## Security

Redis Enterprise for Kubernetes uses [secrets](https://kubernetes.io/docs/concepts/configuration/secret/) to manage your cluster credentials, cluster certificates, and client certificates. You can configure [LDAP]({{<relref "/operate/kubernetes/security/ldap">}}) and [internode encryption]({{<relref "/operate/kubernetes/security/internode-encryption">}}) using the [RedisEnterpriseCluster (REC)](#redisenterprisecluster-rec) spec.
Redis Enterprise for Kubernetes uses [secrets](https://kubernetes.io/docs/concepts/configuration/secret/) to manage your cluster credentials, cluster certificates, and client certificates. You can configure [LDAP]({{<relref "/operate/kubernetes/security/authentication/ldap">}}) and [internode encryption]({{<relref "/operate/kubernetes/security/certificates/internode-encryption">}}) using the [RedisEnterpriseCluster (REC)](#redisenterprisecluster-rec) spec.

### REC credentials

Redis Enterprise for Kubernetes uses the [RedisEnterpriseCluster (REC)]({{<relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api">}}) [custom resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) to create a Redis Enterprise cluster. During creation it generates random credentials for the operator to use. The credentials are saved in a Kubernetes (K8s) [secret](https://kubernetes.io/docs/concepts/configuration/secret/). The secret name defaults to the name of the cluster.

See [Manage REC credentials]({{<relref "/operate/kubernetes/security/manage-rec-credentials">}}) for more details.
See [Manage REC credentials]({{<relref "/operate/kubernetes/security/authentication/manage-rec-credentials">}}) for more details.

### REC certificates

By default, Redis Enterprise Software for Kubernetes generates TLS certificates for the cluster during creation. These self-signed certificates are generated on the first node of each Redis Enterprise cluster (REC) and are copied to all other nodes in the cluster.

See [Manage REC certificates]({{<relref "/operate/kubernetes/security/manage-rec-certificates">}}) for more details.
See [Manage REC certificates]({{<relref "/operate/kubernetes/security/certificates/manage-rec-certificates">}}) for more details.

### Client certificates

For each client certificate you want to use, you need to create a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/) to hold it. You can then reference that secret in your [Redis Enterprise database (REDB)](#redisenterprisedatabase-redb) custom resource.

See [Add client certificates]({{<relref "/operate/kubernetes/security/add-client-certificates">}}) for more details.
See [Add client certificates]({{<relref "/operate/kubernetes/security/certificates/add-client-certificates">}}) for more details.

## Storage

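Review bot: the "## Security" paragraph in this hunk is the only place the architecture overview describes how security is configured, and after this change it still names only secrets, LDAP, and internode encryption via the REC spec; since this PR introduces a declarative access-control model (`RedisEnterpriseUser`, `RedisEnterpriseACL`, role and role-binding CRDs), add one sentence here pointing to `{{<relref "/operate/kubernetes/security/access-control">}}` so readers of the architecture page learn that users and roles are also reconciled from custom resources. Minor, in unchanged context: the REC certificates subsection says "Redis Enterprise Software for Kubernetes" while the rest of the section says "Redis Enterprise for Kubernetes".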
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ API support has been added for the following features:
- REAADB alerts<!--RED-170896-->
- User-defined modules <!--RED-168227-->
- Redis Software [8.0.6-54]({{< relref "/operate/rs/release-notes/rs-8-0-releases/rs-8-0-6-54/" >}}) <!--RED-172935-->
- User-defined certificates for [internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) <!--RED-173229-->
- User-defined certificates for [internode encryption]({{< relref "/operate/kubernetes/security/certificates/internode-encryption" >}}) <!--RED-173229-->
- SAML 2.0 single sign-on (SSO) authentication <!--RED-176765-->
- Redis Flex

30 changes: 10 additions & 20 deletions content/operate/kubernetes/security/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,40 +5,30 @@ categories:
- docs
- operate
- kubernetes
description: Configure security settings for Redis Enterprise clusters and databases on Kubernetes.
description: Configure security settings for Redis Software clusters and databases on Kubernetes.
hideListLinks: true
linkTitle: Security
weight: 50
---

Configure security settings for your Redis Enterprise deployment on Kubernetes. Redis Enterprise for Kubernetes provides comprehensive security features including TLS encryption, authentication, access control, and certificate management.
Configure security settings for Redis for Kubernetes. Security covers access control, cluster credentials, external identity providers, TLS certificates and encryption, and external secret management.

## Credentials and authentication
## Access control

Manage cluster credentials and authentication settings:
- [Access control]({{< relref "/operate/kubernetes/security/access-control" >}}) — manage Redis Software users, roles, ACLs, and role bindings as Kubernetes custom resources.

- [Manage REC credentials]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}}) - Configure and manage Redis Enterprise cluster credentials
- [Configuration secrets]({{< relref "/operate/kubernetes/security/configuration-secrets" >}}) - Store Redis Enterprise configuration items in Kubernetes Secrets for automatic updates and secure management
- [LDAP authentication]({{< relref "/operate/kubernetes/security/ldap" >}}) - Integrate with LDAP for centralized authentication
- [SSO authentication]({{< relref "/operate/kubernetes/security/sso" >}}) - Enable SAML-based single sign-on for Cluster Manager UI access
## Authentication

## Certificates and encryption
- [Authentication]({{< relref "/operate/kubernetes/security/authentication" >}}) — manage cluster credentials, LDAP, SAML SSO, and configuration secrets.

Configure TLS certificates and encryption for secure communications:
## Certificates and encryption

- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) - Configure cluster certificates for TLS encryption
- [cert-manager integration]({{< relref "/operate/kubernetes/security/cert-manager" >}}) - Automate TLS certificate management with cert-manager
- [Add client certificates]({{< relref "/operate/kubernetes/security/add-client-certificates" >}}) - Set up client certificate authentication for databases
- [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) - Enable encryption between cluster nodes and configure custom certificates
- [Certificates and encryption]({{< relref "/operate/kubernetes/security/certificates" >}}) — provision TLS certificates, integrate cert-manager, add client certificates, and enable internode encryption.

## Secret management

Configure external secret management systems:

- [HashiCorp Vault integration]({{< relref "/operate/kubernetes/security/vault" >}}) - Configure HashiCorp Vault as the centralized secret management system for Redis Enterprise for Kubernetes
- [HashiCorp Vault integration]({{< relref "/operate/kubernetes/security/vault" >}}) — use HashiCorp Vault as the centralized secret store for Redis for Kubernetes.

## Resource management

Configure security-related resource settings:

- [Allow resource adjustment]({{< relref "/operate/kubernetes/security/allow-resource-adjustment" >}}) - Enable automatic adjustment of system resources for security compliance
- [Allow resource adjustment]({{< relref "/operate/kubernetes/security/allow-resource-adjustment" >}}) — enable automatic adjustment of system resources for security compliance.
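Review bot: the new hub links `{{< relref "/operate/kubernetes/security/authentication" >}}` and `{{< relref "/operate/kubernetes/security/certificates" >}}` require `_index.md` pages at those paths, but the only new index file visible in this diff is `content/operate/kubernetes/security/access-control/_index.md`; confirm the authentication and certificates index pages are part of this PR (together with the moved pages they link to), because a missing relref target fails the Hugo build rather than degrading to a broken link. Also, the `description` front matter is renamed to "Redis Software clusters and databases" while the body in the same hunk says "Redis for Kubernetes" and the resource-management entry keeps the old wording; pick one product name for this page.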
72 changes: 72 additions & 0 deletions content/operate/kubernetes/security/access-control/_index.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
---
Title: Access control
alwaysopen: false
categories:
- docs
- operate
- kubernetes
description: Manage Redis Software users, roles, ACLs, and role bindings on Kubernetes with custom resources.
hideListLinks: true
linkTitle: Access control
weight: 20
---

Access control lets you manage Redis Software users, roles, ACLs, and role bindings as Kubernetes custom resources. The operator reconciles each resource into the corresponding Redis Software object, so you can use GitOps workflows and Kubernetes Secrets instead of working only through the Redis Software REST API or Cluster Manager UI.

## How access control works on Redis for Kubernetes

You declare these `app.redislabs.com/v1alpha1` custom resources:

| Resource | Purpose |
|---|---|
| `RedisEnterpriseUser` | A Redis Software user, with credentials in a Kubernetes Secret. |
| `RedisEnterpriseACL` | A Redis ACL rule, mapped to a Redis Software ACL object. |
| `RedisEnterpriseDatabaseRole` | A database-scoped role (management role and optional ACL) applied to selected REDBs. |
| `RedisEnterpriseDatabaseRoleBinding` | Assigns a `RedisEnterpriseDatabaseRole` to a user. |
| `RedisEnterpriseClusterRole` | A cluster-scoped role (management role and optional ACL) applied across all REDBs. |
| `RedisEnterpriseClusterRoleBinding` | Assigns a `RedisEnterpriseClusterRole` to a user. |

When you apply one of these resources, the operator:

1. Validates the spec.
2. Creates or updates the matching object in Redis Software.
3. Reports the resolved Redis Software UID and other state in the resource's `status`.
4. Emits Kubernetes events on reconciliation problems.

## What's the same as Redis Software

The underlying Redis Software behavior is unchanged. For concepts and reference details, see the existing Redis Software docs:

- [Cluster-scoped role definitions]({{< relref "/operate/rs/security/access-control/create-cluster-roles" >}}) — what `Admin`, `ClusterMember`, `ClusterViewer`, and `UserManager` grant.
- [Database-scoped role definitions]({{< relref "/operate/rs/security/access-control/create-db-roles" >}}) — what `DBMember` and `DBViewer` grant.
- [Combined cluster and database roles]({{< relref "/operate/rs/security/access-control/create-combined-roles" >}}) — when a role grants both planes.
- [Redis ACL syntax]({{< relref "/operate/rs/security/access-control/redis-acl-overview" >}}) — rule format for `RedisEnterpriseACL` resources.
- [Login lockout and unlock]({{< relref "/operate/rs/security/access-control/manage-users/login-lockout" >}}) — how locked users are recovered.
- [Password complexity rules]({{< relref "/operate/rs/security/access-control/manage-passwords/password-complexity-rules" >}}) and [password expiration]({{< relref "/operate/rs/security/access-control/manage-passwords/password-expiration" >}}) — applied by Redis Software regardless of how the password is delivered.
- [Default user]({{< relref "/operate/rs/security/access-control/manage-users/default-user" >}}) — the built-in cluster admin account.

## What's different on Kubernetes

- **Resources are declarative.** You define users, roles, ACLs, and bindings in YAML and let the operator apply them. The Cluster Manager UI and REST API still work but are no longer the source of truth.
- **Role assignment uses separate Binding resources.** In Redis Software, you assign roles by editing the user. On Kubernetes, `RedisEnterpriseUser.spec` has no role references. You create `RedisEnterpriseDatabaseRoleBinding` or `RedisEnterpriseClusterRoleBinding` resources instead.
- **Passwords live in Kubernetes Secrets.** Each `RedisEnterpriseUser` references one or more Secrets. A `Rotatable` mode supports two Secrets at once for zero-downtime rotation. The operator marks Kubernetes Secrets immutable to prevent in-place edits.
- **A user with no binding still gets a role.** The operator assigns the Redis Software `none` role, which grants no permissions, so every user has at least one role. Permissions take effect only after you add a binding.

## Known limitations

- Access control resources are reconciled only in the operator namespace. Password Secrets must live in the same namespace, and database scopes resolve to REDBs in that namespace.
- A `RedisEnterpriseClusterRole` grants access cluster-wide, including to REDBs represented by resources in other namespaces. The access flows through Redis Software, not through explicit REDB references.
- A role can reference at most one `RedisEnterpriseACL`. To apply different ACLs to different databases, create separate roles.

## In this section

- [Manage users]({{< relref "/operate/kubernetes/security/access-control/manage-users" >}}) — create `RedisEnterpriseUser` resources, rotate passwords, recover from lockouts.
- [Manage roles]({{< relref "/operate/kubernetes/security/access-control/manage-roles" >}}) — create database and cluster roles with the right scope and management permissions.
- [Manage ACLs]({{< relref "/operate/kubernetes/security/access-control/manage-acls" >}}) — create and update `RedisEnterpriseACL` resources used by roles.
- [Manage role bindings]({{< relref "/operate/kubernetes/security/access-control/manage-bindings" >}}) — assign roles to users with `RedisEnterpriseDatabaseRoleBinding` and `RedisEnterpriseClusterRoleBinding`.
- [Migrate from REDB rolesPermissions]({{< relref "/operate/kubernetes/security/access-control/migrate-rolespermissions" >}}) — move from the deprecated `RedisEnterpriseDatabase.spec.rolesPermissions` field to the new CRD model.

## Related topics

- [Redis for Kubernetes operator API reference]({{< relref "/operate/kubernetes/reference/api" >}}) — field-by-field specification for every CRD in the `app.redislabs.com/v1alpha1` group.
- [Redis databases (REDB)]({{< relref "/operate/kubernetes/re-databases" >}}) — the resources that role scopes resolve against.
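Review bot: the "What's different on Kubernetes" bullet says the Cluster Manager UI and REST API "still work but are no longer the source of truth" without stating what happens on drift; since this page sets reader expectations for the whole section, say whether the operator reverts out-of-band changes to a managed user, role, or ACL on the next reconcile, and whether deleting a `RedisEnterpriseUser` or binding resource removes the corresponding Redis Software object, because both answers matter for operators who still make emergency changes through the UI. Two smaller points: the "Known limitations" entry that a `RedisEnterpriseClusterRole` grants access to REDBs in other namespaces is a privilege-scope statement that deserves a note-style callout rather than a bullet, and the user bullet should clarify how "The operator marks Kubernetes Secrets immutable" interacts with the `Rotatable` two-Secret mode (that is, rotation means creating a new Secret, not editing the existing one).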
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ categories:
description: Enable automatic system resource adjustments for Redis Enterprise to increase file descriptor limits.
linkTitle: Auto resource adjustment
title: Allow automatic resource adjustment
weight: 98
weight: 50
---

Redis Enterprise for Kubernetes 7.22.0-6 introduces the ability to run with automatic resource adjustment disabled, which drops all capabilities from the Redis Enterprise container and sets `allowPrivilegeEscalation` to `false`. All other security-related settings remain the same as in automatic resource adjustment enabled. Automatic resource adjustment disabled is the default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later.
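Review bot: the weight change from 98 to 50 reorders this page within the security section (the new access-control index in this PR uses weight 20), but the hunk gives no rationale and the page was previously pinned near the end of the list; state the intended ordering in the PR description or align the weights of the security subpages in one place. Also, the unchanged `description` still says "Redis Enterprise" while this PR renames the parent index description to "Redis Software"; update it in the same pass for consistency.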