Available IAM roles and use cases

This section describes the IAM roles available in Container Cloud, the access rights each role grants, and typical use cases for assigning them.

IAM roles

The following table lists the IAM roles available in Container Cloud, the scope of each role, and the access each role grants for specific project and cluster operations (r/w = read and write, r/o = read-only, - = no access):

Operation                            global-admin  bm-pool-operator  operator   user       member     cluster-admin  stacklight-admin
-----------------------------------  ------------  ----------------  ---------  ---------  ---------  -------------  ----------------
Scope                                Global        Namespace         Namespace  Namespace  Namespace  Cluster        Cluster
User Role Management API             r/w           -                 r/w        r/o        -          -              -
Create BM hosts                      -             r/w               -          -          -          -              -
Ceph objects                         -             -                 r/w        -          r/w        -              -
Projects (Kubernetes namespaces)     r/w           r/o               r/o        r/o        r/o        -              -
Container Cloud API                  -             -                 r/w        r/o        r/w        -              -
Kubernetes API (managed cluster)     -             -                 r/w        -          r/w        r/w            -
StackLight UI/API (managed cluster)  -             -                 r/w        -          r/w        r/w            r/w

Note that global-admin has no direct access to the Container Cloud API, the Kubernetes API, or StackLight of any cluster; it reaches those only through an additional namespace- or cluster-scoped binding, which it is able to create for itself.
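The access table above can be turned into an executable check. The following Python script is an added example, not code from Container Cloud or its documentation: it transcribes the table into a matrix, models the global, namespace, and cluster binding scopes, and reports the highest access a user's bindings grant for an operation in a given namespace or cluster. The operation keys (for example kubernetes-api) are shorthand chosen here for the table rows, and the users and bindings in SAMPLE_BINDINGS are constructed sample data. It also makes visible a point that is easy to miss in the table: a global-admin binding alone grants no access to the Kubernetes or StackLight API of any cluster; that access arrives only through an additional namespace- or cluster-scoped binding.

```python
"""Effective-access resolver for Container Cloud IAM bindings.

Added example, not code from the Container Cloud project. It transcribes the
access table into a matrix, models the three binding scopes, and computes the
highest access a user's bindings grant for an operation in a given namespace
or cluster, which is the check an auditor runs when reviewing least privilege.
The operation keys are shorthand chosen here for the table rows; the bindings
in SAMPLE_BINDINGS are constructed data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

RW, RO, NONE = "r/w", "r/o", "-"
RANK = {NONE: 0, RO: 1, RW: 2}

ROLES = ("global-admin", "bm-pool-operator", "operator", "user", "member",
         "cluster-admin", "stacklight-admin")

# Scope of each role (the Global / Namespace / Cluster row of the table).
SCOPE = dict(zip(ROLES, ("global", "namespace", "namespace", "namespace",
                         "namespace", "cluster", "cluster")))

# Operation -> role -> access, one tuple per table row, in ROLES order.
ACCESS = {op: dict(zip(ROLES, row)) for op, row in {
    "user-role-management-api": (RW,   NONE, RW,   RO,   NONE, NONE, NONE),
    "create-bm-hosts":          (NONE, RW,   NONE, NONE, NONE, NONE, NONE),
    "ceph-objects":             (NONE, NONE, RW,   NONE, RW,   NONE, NONE),
    "projects":                 (RW,   RO,   RO,   RO,   RO,   NONE, NONE),
    "container-cloud-api":      (NONE, NONE, RW,   RO,   RW,   NONE, NONE),
    "kubernetes-api":           (NONE, NONE, RW,   NONE, RW,   RW,   NONE),
    "stacklight":               (NONE, NONE, RW,   NONE, RW,   RW,   RW),
}.items()}


@dataclass(frozen=True)
class Binding:
    """One IAM*RoleBinding reduced to the fields that matter for access."""
    user: str
    role: str
    namespace: Optional[str] = None   # IAMRoleBinding and IAMClusterRoleBinding
    cluster: Optional[str] = None     # IAMClusterRoleBinding only


def binding_reaches(b: Binding, namespace: Optional[str], cluster: Optional[str]) -> bool:
    """Whether binding b covers the target (a namespace and, optionally, a cluster)."""
    scope = SCOPE[b.role]
    if scope == "global":
        return True
    if scope == "namespace":
        # A namespace-scoped role covers every cluster in its namespace.
        return namespace is not None and b.namespace == namespace
    # Cluster-scoped: only the named cluster in the named namespace.
    return cluster is not None and b.namespace == namespace and b.cluster == cluster


def effective_access(bindings: Iterable[Binding], user: str, operation: str,
                     namespace: Optional[str] = None,
                     cluster: Optional[str] = None) -> str:
    """Highest access level (r/w, r/o or -) the user's bindings grant."""
    best = NONE
    for b in bindings:
        if b.user != user or not binding_reaches(b, namespace, cluster):
            continue
        level = ACCESS[operation][b.role]
        if RANK[level] > RANK[best]:
            best = level
    return best


def binding_managers(bindings: Iterable[Binding], namespace: str) -> set:
    """Users whose bindings grant r/w on the User Role Management API for this
    namespace, i.e. everyone who can grant or escalate access there."""
    bindings = list(bindings)
    users = {b.user for b in bindings}
    return {u for u in users
            if effective_access(bindings, u, "user-role-management-api", namespace) == RW}


# Constructed sample: one user per binding pattern from the use-case table.
SAMPLE_BINDINGS = [
    Binding("alice", "global-admin"),
    Binding("bob", "operator", namespace="team-a"),
    Binding("carol", "user", namespace="team-a"),
    Binding("dave", "cluster-admin", namespace="team-a", cluster="prod"),
]

if __name__ == "__main__":
    for who, op, ns, cl in [
        ("alice", "projects", None, None),
        ("alice", "kubernetes-api", "team-a", "prod"),  # global-admin alone: no cluster access
        ("bob", "kubernetes-api", "team-a", "prod"),
        ("bob", "kubernetes-api", "team-b", "prod"),
        ("dave", "kubernetes-api", "team-a", "dev"),
    ]:
        print(who, op, ns, cl, "->", effective_access(SAMPLE_BINDINGS, who, op, ns, cl))
    print("can manage bindings in team-a:", sorted(binding_managers(SAMPLE_BINDINGS, "team-a")))
```

binding_managers is the function to run first in an access review: it returns every account that can write role bindings reaching a namespace, which is exactly the set that can hand out operator or cluster-admin rights there.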

Role use cases

The following entries show, for each role, a sample role binding and the use cases the role is intended for, to help decide which roles to assign to users who perform particular operations in a Container Cloud cluster.

global-admin (scope: Global)

Role binding:

kind: IAMGlobalRoleBinding
metadata:
  name: mybinding-ga
role:
  name: global-admin
user:
  name: myuser-1943c384

Use case: Infrastructure Operator with the global-admin role who performs the following operations:

  • Manages all types of role bindings for all users

  • Performs CRUD operations on namespaces to manage Container Cloud projects (Kubernetes namespaces)

  • Creates a new project when onboarding a new team to Container Cloud

  • Assigns the operator role to users who are going to create Kubernetes clusters in a project

  • Can assign the user or operator role to themselves to monitor cluster state in a specific namespace or to manage Container Cloud API objects in that namespace, respectively. The global-admin role by itself grants no access to the Container Cloud, Kubernetes, or StackLight APIs of a namespace; that access comes only through such an additional namespace-scoped binding. Because global-admin can grant any role to anyone, including themselves, keep the number of global-admin bindings to a minimum.

bm-pool-operator (scope: Namespace)

Role binding:

kind: IAMRoleBinding
metadata:
  name: mybinding-bm
  namespace: mynamespace
role:
  name: bm-pool-operator
user:
  name: myuser-1943c384

Use case: Infrastructure Operator with the bm-pool-operator role who only creates and manages bare metal hosts in a particular namespace and has no other write access in Container Cloud.

operator (scope: Namespace)

Role binding:

kind: IAMRoleBinding
metadata:
  name: mybinding-op
  namespace: mynamespace
role:
  name: operator
user:
  name: myuser-1943c384

Use case: Infrastructure Operator with the operator role who performs the following operations:

  • Manages Container Cloud API and Ceph-related objects in a particular namespace, creates clusters and machines, and has full access to the Kubernetes clusters and StackLight APIs deployed by anyone in this namespace

  • Manages role bindings in the current namespace for users who require the bm-pool-operator, operator, or user role, or who should manage a particular Kubernetes cluster in this namespace. Because the operator role can grant these roles to others, its holder is effectively the administrator of the project; treat it as such when deciding who receives it

  • Is responsible for upgrading Kubernetes clusters in the defined project when an update is available

user (scope: Namespace)

Role binding:

kind: IAMRoleBinding
metadata:
  name: mybinding-us
  namespace: mynamespace
role:
  name: user
user:
  name: myuser-1943c384

Use case: Infrastructure support Operator with the user role who performs the following operations:

  • Is responsible for the infrastructure of a particular project

  • Has access to the live statuses of the project cluster machines (the Container Cloud API is read-only for this role) to identify unhealthy ones and perform maintenance at the infrastructure level, adjusting the operating system if required

  • Has read-only access to IAM objects such as IAMUser and IAMRole

member (scope: Namespace)

Role binding:

kind: IAMRoleBinding
metadata:
  name: mybinding-me
  namespace: mynamespace
role:
  name: member
user:
  name: myuser-1943c384

Use case: Infrastructure support Operator with the member role who has read and write access to the Container Cloud API (and, as the table above shows, to Ceph objects and to the Kubernetes and StackLight APIs of clusters in the namespace) but has no access to IAM objects, so cannot view or change role bindings.

cluster-admin (scope: Cluster)

Role binding:

kind: IAMClusterRoleBinding
metadata:
  name: mybinding-ca
  namespace: mynamespace
role:
  name: cluster-admin
user:
  name: myuser-1943c384
cluster:
  name: mycluster

Use case: User with the cluster-admin role who performs the following operations:

  • Has admin access to one Kubernetes cluster deployed in a particular namespace, identified by the cluster name in the binding

  • Has admin access to the StackLight components of that cluster to monitor it

stacklight-admin (scope: Cluster)

Role binding:

kind: IAMClusterRoleBinding
metadata:
  name: mybinding-sa
  namespace: mynamespace
role:
  name: stacklight-admin
user:
  name: myuser-1943c384
cluster:
  name: mycluster

Use case: User with the stacklight-admin role who performs the following operation:

  • Has admin-level access to the StackLight components of a particular Kubernetes cluster deployed in a particular namespace to monitor the cluster health, and no access to the Kubernetes API of that cluster.
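To generate bindings of the shapes shown above without hand-editing YAML, and to catch a binding whose kind does not match the scope of its role, the following Python script is an added example; it is not code from Container Cloud or its documentation. The role-to-kind mapping follows the Global, Namespace, and Cluster scopes given on this page. The API_VERSION value is an assumption made here and is not taken from the page, so confirm it with kubectl api-resources on your management cluster before applying any output.

```python
"""Builder and checker for Container Cloud IAM role-binding manifests.

Added example, not code from the Container Cloud project. It maps each role
on the page to the binding kind its scope requires, emits a manifest of that
shape, and flags manifests whose kind or scope fields disagree with the role.
API_VERSION is an assumption made here, not a value from the page.
"""
from typing import Optional

API_VERSION = "iam.mirantis.com/v1alpha1"   # assumed; verify with kubectl api-resources

# Role -> binding kind, from the Global / Namespace / Cluster scopes above.
ROLE_KIND = {
    "global-admin": "IAMGlobalRoleBinding",
    "bm-pool-operator": "IAMRoleBinding",
    "operator": "IAMRoleBinding",
    "user": "IAMRoleBinding",
    "member": "IAMRoleBinding",
    "cluster-admin": "IAMClusterRoleBinding",
    "stacklight-admin": "IAMClusterRoleBinding",
}


def check_manifest(m: dict) -> list:
    """Return the problems found in a binding manifest (empty list means OK)."""
    problems = []
    kind = m.get("kind")
    role = m.get("role", {}).get("name")
    meta = m.get("metadata", {})
    if not meta.get("name"):
        problems.append("metadata.name is missing")
    if not m.get("user", {}).get("name"):
        problems.append("user.name is missing")
    expected = ROLE_KIND.get(role)
    if expected is None:
        problems.append(f"unknown role {role!r}")
        return problems
    if kind != expected:
        problems.append(f"role {role} is bound with {kind}, expected {expected}")
    has_ns = bool(meta.get("namespace"))
    has_cluster = bool(m.get("cluster", {}).get("name"))
    if expected == "IAMGlobalRoleBinding":
        if has_ns or has_cluster:
            problems.append("global binding must not carry metadata.namespace or cluster")
    else:
        if not has_ns:
            problems.append("metadata.namespace is required for a namespaced binding")
        if expected == "IAMClusterRoleBinding" and not has_cluster:
            problems.append("cluster.name is required for a cluster-scoped binding")
        if expected == "IAMRoleBinding" and has_cluster:
            problems.append("cluster.name is not valid for a namespace-scoped role")
    return problems


def binding_manifest(role: str, user: str, name: str,
                     namespace: Optional[str] = None,
                     cluster: Optional[str] = None) -> dict:
    """Build a manifest for role/user; refuse to return one that fails check_manifest."""
    m = {
        "apiVersion": API_VERSION,
        "kind": ROLE_KIND.get(role, "unknown"),
        "metadata": {"name": name},
        "role": {"name": role},
        "user": {"name": user},
    }
    if namespace:
        m["metadata"]["namespace"] = namespace
    if cluster:
        m["cluster"] = {"name": cluster}
    problems = check_manifest(m)
    if problems:
        raise ValueError("; ".join(problems))
    return m


def to_yaml(m: dict) -> str:
    """Render this fixed manifest shape as YAML without a PyYAML dependency."""
    lines = [f"apiVersion: {m['apiVersion']}", f"kind: {m['kind']}",
             "metadata:", f"  name: {m['metadata']['name']}"]
    if "namespace" in m["metadata"]:
        lines.append(f"  namespace: {m['metadata']['namespace']}")
    lines += ["role:", f"  name: {m['role']['name']}",
              "user:", f"  name: {m['user']['name']}"]
    if "cluster" in m:
        lines += ["cluster:", f"  name: {m['cluster']['name']}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_yaml(binding_manifest("cluster-admin", "myuser-1943c384", "mybinding-ca",
                                   namespace="mynamespace", cluster="mycluster")))
    # Each of these is rejected: global role with a namespace, namespaced role
    # without one, cluster-scoped role without a cluster name.
    for args in [("global-admin", "u", "b", "mynamespace", None),
                 ("operator", "u", "b", None, None),
                 ("stacklight-admin", "u", "b", "mynamespace", None)]:
        try:
            binding_manifest(*args)
        except ValueError as e:
            print("rejected:", args[0], "->", e)
```

check_manifest can also be run over bindings exported from a management cluster (for example with kubectl get, converted to dicts) to find bindings whose kind and role scope disagree before they are relied on for access decisions.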