Manage user roles through Container Cloud API¶
You can manage IAM user role bindings through Container Cloud API. For the API reference of the IAM custom resources, see IAM resources. You can also manage user roles using the Container Cloud web UI.
User management for the Mirantis OpenStack for Kubernetes
m:os roles is not
yet available through API or web UI. Therefore, continue managing these
roles using Keycloak.
You can use the following objects depending on the way you want the role to be assigned to the user:
IAMGlobalRoleBindingfor global role bindings
Any IAM role can be used in
IAMGlobalRoleBindingand will be applied globally, not limited to a specific project or cluster. For example, the
IAMRoleBindingfor project role bindings
Any role except the
global-adminone apply. For example, using the
userIAM roles in
exampleproject corresponds to assigning of
m:kaas:example@operator/userin Keycloak. You can also use these IAM roles in
IAMGlobalRoleBinding. In this case, the roles corresponding to every project will be assigned to a user in Keycloak.
IAMClusterRoleBindingfor cluster role bindings
stacklight-adminroles apply to
IAMClusterRoleBinding. Creation of such objects corresponds to the assignment of
m:k8s:namespace:cluster@cluster-admin/stacklight-adminin Keycloak. You can also bind these roles to either
IAMRoleBinding. In this case, the roles corresponding to all clusters and in all projects or one particular project will be assigned to a user.
This section describes available IAM roles with use cases and the Container
IAM*RoleBinding mapping with Keycloak.