IAM resources¶
This section contains descriptions and examples of the IAM resources for Mirantis Container Cloud. For management details, see Manage user roles through Container Cloud API.
IAMUser¶
IAMUser is the Cluster (non-namespaced) object. Its objects are synced from Keycloak, that is, they are created upon user creation in Keycloak and deleted upon user deletion in Keycloak. The IAMUser object is exposed as read-only to all users. It contains the following fields:

apiVersion
    API version of the object that is iam.mirantis.com/v1alpha1.
kind
    Object type that is IAMUser.
metadata
    Object metadata that contains the following field:
    name
        Sanitized user name without special characters, with the first 8 symbols of the user UUID appended to the end.
displayName
    Name of the user as defined in the Keycloak database.
externalID
    ID of the user as defined in the Keycloak database.

Configuration example:

apiVersion: iam.mirantis.com/v1alpha1
kind: IAMUser
metadata:
  name: userone-f150d839
displayName: userone
externalID: f150d839-d03a-47c4-8a15-4886b7349791
IAMRole¶
IAMRole is the read-only cluster-level object that can have global, namespace, or cluster scope. It contains the following fields:

apiVersion
    API version of the object that is iam.mirantis.com/v1alpha1.
kind
    Object type that is IAMRole.
metadata
    Object metadata that contains the following field:
    name
        Role name. Possible values are: global-admin, cluster-admin, operator, bm-pool-operator, user, member, stacklight-admin, management-admin. For details on user role assignment, see Manage user roles through Container Cloud API.

        Note
        The management-admin role is available since Container Cloud 2.25.0 (Cluster releases 17.0.0, 16.0.0, 14.1.0).
description
    Role description.
scope
    Role scope.

Configuration example:

apiVersion: iam.mirantis.com/v1alpha1
kind: IAMRole
metadata:
  name: global-admin
description: Gives permission to manage IAM role bindings in the Container Cloud deployment.
scope: global
IAMGlobalRoleBinding¶
IAMGlobalRoleBinding is the Cluster (non-namespaced) object that should be used for global role bindings in all namespaces. This object is accessible to users with the global-admin IAMRole assigned through the IAMGlobalRoleBinding object. The object contains the following fields:

apiVersion
    API version of the object that is iam.mirantis.com/v1alpha1.
kind
    Object type that is IAMGlobalRoleBinding.
metadata
    Object metadata that contains the following field:
    name
        Role binding name. If the role binding is user-created, the user can set any unique name. If the name relates to a binding that is synced by user-controller from Keycloak, the naming convention is <username>-<rolename>.
role
    Object role that contains the following field:
    name
        Role name.
user
    Object user that contains the following field:
    name
        Name of the iamuser object that the defined role is provided to. Not equal to the user name in Keycloak.
legacy
    Defines whether the role binding is legacy. Possible values are true or false.
legacyRole
    Applicable when the legacy field value is true. Defines the legacy role name in Keycloak.
external
    Defines whether the role is assigned through Keycloak and is synced by user-controller with the Container Cloud API as the IAMGlobalRoleBinding object. Possible values are true or false.

Caution
If you create the IAM*RoleBinding, do not set or modify the legacy, legacyRole, and external fields unless absolutely necessary and you understand all implications.

Configuration example:

apiVersion: iam.mirantis.com/v1alpha1
kind: IAMGlobalRoleBinding
metadata:
  name: userone-global-admin
role:
  name: global-admin
user:
  name: userone-f150d839
external: false
legacy: false
legacyRole: ""
IAMRoleBinding¶
IAMRoleBinding is the namespaced object that represents a grant of one role to one user in all clusters of the namespace. It is accessible to users that have either of the following bindings assigned to them:

- IAMGlobalRoleBinding that binds them with the global-admin, operator, or user iamRole. For user, the bindings are read-only.
- IAMRoleBinding that binds them with the operator or user iamRole in a particular namespace. For user, the bindings are read-only.

The IAMRoleBinding object contains the following fields:

apiVersion
    API version of the object that is iam.mirantis.com/v1alpha1.
kind
    Object type that is IAMRoleBinding.
metadata
    Object metadata that contains the following fields:
    namespace
        Namespace that the defined binding belongs to.
    name
        Role binding name. If the role binding is user-created, the user can set any unique name. If the name relates to a binding that is synced from Keycloak, the naming convention is <userName>-<roleName>.
legacy
    Defines whether the role binding is legacy. Possible values are true or false.
legacyRole
    Applicable when the legacy field value is true. Defines the legacy role name in Keycloak.
external
    Defines whether the role is assigned through Keycloak and is synced by user-controller with the Container Cloud API as the IAMGlobalRoleBinding object. Possible values are true or false.

Caution
If you create the IAM*RoleBinding, do not set or modify the legacy, legacyRole, and external fields unless absolutely necessary and you understand all implications.

role
    Object role that contains the following field:
    name
        Role name.
user
    Object user that contains the following field:
    name
        Name of the iamuser object that the defined role is granted to. Not equal to the user name in Keycloak.

Configuration example:

apiVersion: iam.mirantis.com/v1alpha1
kind: IAMRoleBinding
metadata:
  namespace: nsone
  name: userone-operator
external: false
legacy: false
legacyRole: ""
role:
  name: operator
user:
  name: userone-f150d839
IAMClusterRoleBinding¶
IAMClusterRoleBinding is the namespaced object that represents a grant of one role to one user on one cluster in the namespace. This object is accessible to users that have either of the following bindings assigned to them:

- IAMGlobalRoleBinding that binds them with the global-admin, operator, or user iamRole. For user, the bindings are read-only.
- IAMRoleBinding that binds them with the operator or user iamRole in a particular namespace. For user, the bindings are read-only.

The IAMClusterRoleBinding object contains the following fields:

apiVersion
    API version of the object that is iam.mirantis.com/v1alpha1.
kind
    Object type that is IAMClusterRoleBinding.
metadata
    Object metadata that contains the following fields:
    namespace
        Namespace of the cluster that the defined binding belongs to.
    name
        Role binding name. If the role binding is user-created, the user can set any unique name. If the name relates to a binding that is synced from Keycloak, the naming convention is <userName>-<roleName>-<clusterName>.
role
    Object role that contains the following field:
    name
        Role name.
user
    Object user that contains the following field:
    name
        Name of the iamuser object that the defined role is granted to. Not equal to the user name in Keycloak.
cluster
    Object cluster that contains the following field:
    name
        Name of the cluster on which the defined role is granted.
legacy
    Defines whether the role binding is legacy. Possible values are true or false.
legacyRole
    Applicable when the legacy field value is true. Defines the legacy role name in Keycloak.
external
    Defines whether the role is assigned through Keycloak and is synced by user-controller with the Container Cloud API as the IAMGlobalRoleBinding object. Possible values are true or false.

Caution
If you create the IAM*RoleBinding, do not set or modify the legacy, legacyRole, and external fields unless absolutely necessary and you understand all implications.

Configuration example:

apiVersion: iam.mirantis.com/v1alpha1
kind: IAMClusterRoleBinding
metadata:
  namespace: nsone
  name: userone-clusterone-admin
role:
  name: cluster-admin
user:
  name: userone-f150d839
cluster:
  name: clusterone
legacy: false
legacyRole: ""
external: false
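The field rules stated for the three IAM*RoleBinding kinds above (the known IAMRole names, the IAMUser name ending in the first 8 symbols of the Keycloak UUID, the <username>-<rolename>[-<clusterName>] convention for bindings synced from Keycloak, and the caution against setting legacy, legacyRole, or external on user-created bindings) can be checked mechanically before a binding is applied. The script below is an added example, not Mirantis code or part of the Container Cloud API. It feeds this page's own IAMUser and IAMClusterRoleBinding examples plus two constructed negative cases through a minimal parser written only for these flat manifests (use PyYAML for real input), and it assumes that the <username> in the naming convention is the IAMUser displayName, that is, the Keycloak name.

```python
"""Consistency audit for Container Cloud IAM*RoleBinding manifests. Added
example, not Mirantis code; it encodes the field rules stated on this page."""

# IAMRole.metadata.name values listed on this page.
KNOWN_ROLES = {"global-admin", "cluster-admin", "operator", "bm-pool-operator",
               "user", "member", "stacklight-admin", "management-admin"}

def _scalar(text):  # strip quotes, map true/false to booleans
    text = text.strip().strip('"')
    return {"true": True, "false": False}.get(text, text)

def parse_manifest(text):
    """Minimal parser for the flat manifests on this page (top-level scalars plus
    one level of nested mappings). Not general YAML; use PyYAML for real input."""
    doc, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw[0] in " \t"
        key, _, value = raw.strip().partition(":")
        if not indented and value.strip() == "":  # "metadata:" opens a mapping
            doc[key], current = {}, key
        elif not indented:
            doc[key], current = _scalar(value), None
        elif current is not None:
            doc[current][key] = _scalar(value)
    return doc

def audit_binding(binding, users):
    """Findings for one IAM*RoleBinding; an empty list means it follows the page's rules."""
    kind, meta = binding["kind"], binding.get("metadata", {})
    name, role = meta.get("name", ""), binding.get("role", {}).get("name")
    user_ref = binding.get("user", {}).get("name")
    cluster = binding.get("cluster", {}).get("name")
    tag, findings = f"{kind} {name!r}:", []
    if kind != "IAMGlobalRoleBinding" and not meta.get("namespace"):
        findings.append(f"{tag} metadata.namespace is required")
    if kind == "IAMClusterRoleBinding" and not cluster:
        findings.append(f"{tag} cluster.name is required")
    if role not in KNOWN_ROLES:
        findings.append(f"{tag} role.name {role!r} is not a known IAMRole")
    user = users.get(user_ref)
    if user is None:
        findings.append(f"{tag} user.name {user_ref!r} matches no IAMUser object")
    elif not user_ref.endswith(user["externalID"][:8]):
        # IAMUser.metadata.name ends with the first 8 symbols of the Keycloak UUID.
        findings.append(f"{tag} IAMUser {user_ref!r} lacks its UUID suffix")
    external, legacy = binding.get("external", False), binding.get("legacy", False)
    if external and user is not None:
        # Synced bindings are named <username>-<rolename>[-<clusterName>];
        # assumption: <username> is the IAMUser displayName (the Keycloak name).
        expected = f"{user['displayName']}-{role}"
        if kind == "IAMClusterRoleBinding":
            expected += f"-{cluster}"
        if name != expected:
            findings.append(f"{tag} synced binding should be named {expected!r}")
    elif not external and (legacy or binding.get("legacyRole")):
        findings.append(f"{tag} user-created binding must not set legacy/legacyRole")
    return findings

def audit(manifest_texts):
    """Parse manifests, index IAMUser objects, audit each binding -> {name: findings}."""
    docs = [parse_manifest(t) for t in manifest_texts]
    users = {d["metadata"]["name"]: d for d in docs if d.get("kind") == "IAMUser"}
    return {d["metadata"]["name"]: audit_binding(d, users)
            for d in docs if d.get("kind", "").endswith("RoleBinding")}

# The page's own IAMUser and IAMClusterRoleBinding configuration examples.
IAMUSER = """\
apiVersion: iam.mirantis.com/v1alpha1
kind: IAMUser
metadata:
  name: userone-f150d839
displayName: userone
externalID: f150d839-d03a-47c4-8a15-4886b7349791
"""
CLUSTER_BINDING = """\
apiVersion: iam.mirantis.com/v1alpha1
kind: IAMClusterRoleBinding
metadata:
  namespace: nsone
  name: userone-clusterone-admin
role:
  name: cluster-admin
user:
  name: userone-f150d839
cluster:
  name: clusterone
legacy: false
legacyRole: ""
external: false
"""
# Constructed negative cases (not from the page), derived from the example above.
BAD_SYNCED = CLUSTER_BINDING.replace("external: false", "external: true")
BAD_DANGLING = CLUSTER_BINDING.replace("userone-f150d839", "ghost-00000000") \
                              .replace("legacy: false", "legacy: true")

if __name__ == "__main__":
    print(audit([IAMUSER, CLUSTER_BINDING]), audit([IAMUSER, BAD_SYNCED]), audit([IAMUSER, BAD_DANGLING]))
```

The page's own example passes with no findings. Flipping external to true on it is flagged because a binding synced by user-controller would have been named userone-cluster-admin-clusterone; pointing user.name at an IAMUser that does not exist is flagged as a dangling reference, and a user-created binding with legacy set is flagged per the Caution above.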