Manage user roles through Keycloak
Note

Starting from Container Cloud 2.14.0:

- User roles management is available through the Container Cloud API and web UI.
- User management for the m:os roles is not yet available through the API or web UI. Therefore, continue managing these roles using Keycloak.
- Role names have been updated. For details, see Mapping of Keycloak roles to IAM*RoleBinding objects.
Mirantis Container Cloud creates the IAM roles in scopes. For each application type, such as kaas, k8s, or sl, Container Cloud creates a set of roles such as @admin, @cluster-admin, @reader, @writer, and @operator.
Depending on the role, you can perform specific operations in a Container Cloud cluster. For example:

- With the m:kaas@writer role, you can create a project using the Container Cloud web UI. The corresponding project-specific roles are automatically created in Keycloak by iam-controller.
- With the m:kaas* roles, you can download the kubeconfig of the management cluster.
The semantic structure of role naming in Container Cloud is as follows:

m:<appType>:<namespaceName>:<clusterName>@<roleName>

Element | Description
---|---
m | Prefix for all IAM roles in Container Cloud
<appType> | Application type, such as kaas, k8s, or sl
<namespaceName> | Namespace name, optional depending on the application type
<clusterName> | Managed cluster name, optional depending on the application type
@ | Delimiter between a scope and role
<roleName> | Short name of a role within a scope
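The following parser is an added example that is not part of the Container Cloud documentation or the iam-controller code. It splits a role name of the form m:<appType>:<namespaceName>:<clusterName>@<roleName> into its scope elements and short role name, rejects names that do not follow that structure, and selects roles by a glob such as m:kaas*. It assumes that the `*` in expressions like m:kaas* is an ordinary shell-style wildcard; the sample role names and the demo-ns and demo-cluster values are constructed for the example.

```python
"""Parse and match Container Cloud IAM role names of the form
m:<appType>:<namespaceName>:<clusterName>@<roleName> (added example)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

ROLE_PREFIX = "m"  # prefix shared by all Container Cloud IAM roles


@dataclass(frozen=True)
class IamRole:
    app_type: str              # kaas, k8s, sl, ...
    namespace: Optional[str]   # absent for management-level roles such as m:kaas@writer
    cluster: Optional[str]     # present only for cluster-scoped roles
    role: str                  # short role name: admin, cluster-admin, reader, writer, operator

    @property
    def scope(self) -> str:
        """Everything left of the '@' delimiter."""
        parts = [ROLE_PREFIX, self.app_type]
        if self.namespace is not None:
            parts.append(self.namespace)
        if self.cluster is not None:
            parts.append(self.cluster)
        return ":".join(parts)

    def __str__(self) -> str:
        return f"{self.scope}@{self.role}"


def parse_iam_role(name: str) -> IamRole:
    """Split a role name into its scope elements and short role name.

    Raises ValueError for names that do not follow the documented structure,
    so that a misnamed or hand-typed role is rejected instead of being
    silently mapped to the wrong scope.
    """
    scope, delimiter, role = name.rpartition("@")
    if not delimiter or not role or not scope:
        raise ValueError(f"{name!r}: expected '<scope>@<roleName>'")
    if "@" in scope:
        raise ValueError(f"{name!r}: more than one '@' delimiter")
    parts = scope.split(":")
    if parts[0] != ROLE_PREFIX:
        raise ValueError(f"{name!r}: scope must start with {ROLE_PREFIX!r}")
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"{name!r}: scope must have 2 to 4 ':'-separated elements")
    if any(part == "" for part in parts):
        raise ValueError(f"{name!r}: empty scope element")
    return IamRole(
        app_type=parts[1],
        namespace=parts[2] if len(parts) > 2 else None,
        cluster=parts[3] if len(parts) > 3 else None,
        role=role,
    )


def is_well_formed(name: str) -> bool:
    """True when the name parses under the documented structure."""
    try:
        parse_iam_role(name)
    except ValueError:
        return False
    return True


def select_roles(assigned: List[str], pattern: str) -> List[str]:
    """Return the well-formed assigned roles matching a glob such as 'm:kaas*'.

    Assumption: '*' is a shell-style wildcard, as in the m:kaas* shorthand.
    """
    return [r for r in assigned if is_well_formed(r) and fnmatchcase(r, pattern)]


if __name__ == "__main__":
    # Constructed sample assignments, not taken from a real Keycloak realm.
    sample = [
        "m:kaas@writer",
        "m:kaas:demo-ns@reader",
        "m:k8s:demo-ns:demo-cluster@cluster-admin",
        "m:sl:demo-ns@operator",
        "kaas@writer",  # malformed: missing the m prefix
    ]
    for name in sample:
        try:
            print(name, "->", parse_iam_role(name))
        except ValueError as exc:
            print("rejected:", exc)
    print("m:kaas* roles:", select_roles(sample, "m:kaas*"))
```

Because the namespace and cluster elements are positional, a role with a cluster name always carries a namespace name too; the parser enforces the documented element count rather than guessing at partially specified scopes.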
This section outlines the IAM roles and scopes structure in Container Cloud and role assignment to users using the Keycloak Admin Console.