Container Cloud roles and scopes
The Container Cloud roles can have three types of scopes:
| Scope | Application type | Components | Example |
|---|---|---|---|
| Global | | | This scope applies to all managed clusters and namespaces. |
| Namespace | | | |
| Cluster | | | |
Old-style roles
Not recommended
Users with the m:kaas@writer role are considered global Container Cloud administrators. They can create Container Cloud projects, which are Kubernetes namespaces in the management cluster. After a project is created, the m:kaas:<namespaceName>@writer and m:kaas:<namespaceName>@reader roles are created in Keycloak by iam-controller.
These roles are automatically included in the corresponding global roles, such as m:kaas@writer, so that users with the global-scoped role also obtain the rights provided by the namespace-scoped roles. The global role m:kaas@operator provides full access to bare metal objects.
When a managed cluster is created, roles for the sl and k8s applications are created:
- m:k8s:<namespaceName>:<clusterName>@cluster-admin (also applies to new-style roles, recommended)
- m:sl:<namespaceName>:<clusterName>@admin
These roles provide access to the corresponding resources in a managed cluster and are included in the corresponding m:kaas:<namespaceName>@writer role.
New-style roles
Recommended
New-style roles were introduced in Container Cloud 2.14.0. They can be assigned to users through Keycloak directly as well as by using IAM API objects. Mirantis recommends using the IAM API for role assignment.
Users with the m:kaas@global-admin role can create Container Cloud projects, which are Kubernetes namespaces in a management cluster, and all IAM API objects that manage user access to Container Cloud.
Users with the m:kaas@management-admin role have full access to the Container Cloud management cluster. This role is available since Container Cloud 2.25.0 (Cluster releases 17.0.0, 16.0.0, 14.1.0).
After project creation, iam-controller creates the following roles in Keycloak:
- m:kaas:<namespaceName>@operator: provides the same permissions as m:kaas:<namespaceName>@writer
- m:kaas:<namespaceName>@bm-pool-operator: provides the same permissions as m:kaas@operator but restricted to a single namespace
- m:kaas:<namespaceName>@user: provides the same permissions as m:kaas:<namespaceName>@reader
- m:kaas:<namespaceName>@member: provides the same permissions as m:kaas:<namespaceName>@operator except for IAM API access
The old-style m:k8s:<namespaceName>:<clusterName>@cluster-admin role is unchanged in the new-style format and is recommended for usage.
When a managed cluster is created, a new role m:sl:<namespaceName>:<clusterName>@stacklight-admin for the sl application is created. This role provides the same access to the StackLight resources in the managed cluster as m:sl:<namespaceName>:<clusterName>@admin and is included in the corresponding m:k8s:<namespaceName>:<clusterName>@cluster-admin role.
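As an added example (not part of the Mirantis documentation or of iam-controller), the following Python script encodes the role-name format and the inclusion chain described above so that a reviewer can compute which users effectively hold cluster-admin on a managed cluster. The user, project and cluster names are constructed, and only the inclusions stated on this page are encoded.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Role names follow m:<app>[:<namespace>[:<cluster>]]@<role>; the scope follows
# from how many segments sit between the app and the "@".
ROLE_RE = re.compile(
    r"^m:(?P<app>kaas|k8s|sl)(?::(?P<ns>[^:@]+))?(?::(?P<cluster>[^:@]+))?@(?P<role>[^@]+)$")
@dataclass(frozen=True)
class Role:
    app: str
    ns: Optional[str]
    cluster: Optional[str]
    name: str
    @property
    def scope(self) -> str:
        return "cluster" if self.cluster else "namespace" if self.ns else "global"
def parse_role(text: str) -> Role:
    m = ROLE_RE.match(text)
    if not m:
        raise ValueError(f"not a Container Cloud role name: {text!r}")
    return Role(m["app"], m["ns"], m["cluster"], m["role"])
def implied(role: Role, ns: str, cluster: str) -> set:
    """Inclusions stated above, for one project/cluster; @operator == @writer."""
    out = set()
    if role == Role("kaas", None, None, "writer"):         # global -> namespace
        out.add(Role("kaas", ns, None, "writer"))
    if (role.app, role.ns, role.cluster) == ("kaas", ns, None) \
            and role.name in ("writer", "operator"):       # namespace -> cluster
        out.add(Role("k8s", ns, cluster, "cluster-admin"))
        out.add(Role("sl", ns, cluster, "admin"))
    if role == Role("k8s", ns, cluster, "cluster-admin"):  # cluster-admin -> StackLight
        out.add(Role("sl", ns, cluster, "stacklight-admin"))
    return out
def effective_roles(assigned, ns: str, cluster: str) -> set:
    """Transitive closure of the inclusions for one namespace/cluster pair."""
    todo, seen = {parse_role(r) for r in assigned}, set()
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo |= implied(role, ns, cluster)
    return seen
def cluster_admins(assignments: dict, ns: str, cluster: str) -> list:
    """Users holding cluster-admin on ns/cluster directly or through inclusion."""
    target = Role("k8s", ns, cluster, "cluster-admin")
    return sorted(u for u, roles in assignments.items()
                  if target in effective_roles(roles, ns, cluster))
# Constructed sample assignments (hypothetical users, projects and clusters).
ASSIGNMENTS = {"alice": ["m:kaas@writer"], "bob": ["m:kaas:team-a@operator"],
               "carol": ["m:sl:team-a:prod@stacklight-admin"], "dave": ["m:kaas:team-b@writer"]}
```

Running cluster_admins(ASSIGNMENTS, "team-a", "prod") lists alice and bob: alice through the global m:kaas@writer chain, bob through the namespace-scoped @operator role.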
Detailed role descriptions
The following tables describe the Container Cloud scopes and their roles for the three application types:
| Scope identifier | Short role name | Full role name | Role description |
|---|---|---|---|
| | | | List the API resources within the Container Cloud scope. |
| | | | Create, update, or delete the API resources within the Container Cloud scope. Create projects. |
| | | | Add or delete a bare metal host within the Container Cloud scope. |
| | | | Create, update, or delete the IAM API resources within the Container Cloud scope. Create projects. |
| | | | Have full access to the management cluster. Available since Container Cloud 2.25.0 (Cluster releases 17.0.0, 16.0.0, 14.1.0). |
| | | | List the API resources within the specified Container Cloud project. |
| | | | Create, update, or delete the API resources within the specified Container Cloud project. |
| | | | List the API resources within the specified Container Cloud project. |
| | | | Create, update, or delete the API resources within the specified Container Cloud project. |
| | | | Add or delete a bare metal host within the specified Container Cloud project. |
[0] Role is available by default. Other roles will be added during a managed cluster deployment or project creation.
| Scope identifier | Short role name | Full role name | Role description |
|---|---|---|---|
| | | | Allow the superuser to perform any action on any resource in the specified cluster. |
| Scope identifier | Short role name | Full role name | Role description |
|---|---|---|---|
| | | | Access the following web UIs within the scope: |
| | | | Access the following web UIs within the scope: |