Manage user roles through Keycloak

Note

Starting from Container Cloud 2.14.0:

  • User roles management is available through the Container Cloud API and web UI.

  • User management for the m:os roles is not yet available through API or web UI. Therefore, continue managing these roles using Keycloak.

  • Role names have been updated. For details, see Mapping of Keycloak roles to IAM*RoleBinding objects.

Mirantis Container Cloud creates the IAM roles in scopes. For each application type, such as kaas, k8s, or sl, Container Cloud creates a set of roles such as @admin, @cluster-admin, @reader, @writer, @operator.

Depending on the role, you can perform specific operations in a Container Cloud cluster. For example:

  • With the m:kaas@writer role, you can create a project using the Container Cloud web UI. The corresponding project-specific roles will be automatically created in Keycloak by iam-controller.

  • With the m:kaas* roles, you can download the kubeconfig of the management cluster.


The semantic structure of role naming in Container Cloud is as follows:

m:<appType>:<namespaceName>:<clusterName>@<roleName>

Role naming semantic structure

Element            Description
m                  Prefix for all IAM roles in Container Cloud
<appType>          Application type:
                     • kaas for the management cluster and Container Cloud API
                     • k8s for the managed cluster
                     • sl for StackLight
<namespaceName>    Namespace name; optional depending on the application type
<clusterName>      Managed cluster name; optional depending on the application type
@                  Delimiter between a scope and a role
<roleName>         Short name of a role within a scope
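As an added example (not Container Cloud or Keycloak code), the following parser splits a role name into the elements of the structure above and flags roles whose scope is not restricted to a namespace or cluster, which is what you would check when reviewing a user's Keycloak role mappings for over-broad access. The character set for namespace and cluster names and the sample role list are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical parser for m:<appType>:<namespaceName>:<clusterName>@<roleName>.
# Assumption: namespace and cluster names are DNS-style labels ([a-z0-9-]).
ROLE_RE = re.compile(
    r"^m:(?P<app>kaas|k8s|sl)"
    r"(?::(?P<namespace>[a-z0-9-]+))?"
    r"(?::(?P<cluster>[a-z0-9-]+))?"
    r"@(?P<role>[a-z0-9-]+)$"
)


@dataclass(frozen=True)
class IamRole:
    app_type: str
    namespace: Optional[str]
    cluster: Optional[str]
    role: str

    @property
    def scope(self) -> str:
        """Everything before '@': app type plus the optional namespace/cluster."""
        parts = ["m", self.app_type]
        parts += [p for p in (self.namespace, self.cluster) if p]
        return ":".join(parts)


def parse_role(name: str) -> IamRole:
    """Split a Container Cloud IAM role name into its elements; reject malformed names."""
    m = ROLE_RE.match(name)
    if not m:
        raise ValueError(f"not a Container Cloud IAM role name: {name!r}")
    return IamRole(m["app"], m["namespace"], m["cluster"], m["role"])


def global_roles(assigned: List[str]) -> List[str]:
    """Roles in a user's mapping that are not limited to a namespace or cluster."""
    return [n for n in assigned if parse_role(n).namespace is None]


# Constructed sample of one user's Keycloak role mappings (not real data).
SAMPLE_USER_ROLES = [
    "m:kaas@writer",
    "m:kaas:demo-ns@reader",
    "m:k8s:demo-ns:demo-cluster@cluster-admin",
    "m:sl:demo-ns:demo-cluster@reader",
]
```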


This section outlines the IAM roles and scopes structure in Container Cloud and role assignment to users using the Keycloak Admin Console.