Container Cloud roles and scopes

The Container Cloud roles can have three types of scopes:

Types of Container Cloud scopes

Scope       Application type   Components                                      Example
Global      kaas               m, <appType>                                    m:kaas@writer
Namespace   kaas               m, <appType>, <namespaceName>                   m:kaas:my_namespace@writer
Cluster     k8s, sl            m, <appType>, <namespaceName>, <clusterName>    m:k8s:my_namespace:my_cluster@cluster-admin

The Global scope applies to all managed clusters and namespaces. A full role name is the colon-separated components followed by @ and the role name: m:<appType>[:<namespaceName>[:<clusterName>]]@<roleName>.


Old-style roles

Not recommended

Users with the m:kaas@writer role are global Container Cloud administrators. They can create Container Cloud projects, which are Kubernetes namespaces in the management cluster. After a project is created, iam-controller creates the m:kaas:<namespaceName>@writer and m:kaas:<namespaceName>@reader roles in Keycloak. These roles are automatically included in the corresponding global roles, such as m:kaas@writer, so that users with the global-scoped role also obtain the rights provided by the namespace-scoped roles. Because the namespace-scoped writer role in turn includes the cluster roles described below, m:kaas@writer effectively grants cluster-admin on every managed cluster in every project; assign it sparingly and prefer namespace- or cluster-scoped roles for day-to-day access. The global role m:kaas@operator provides full access to bare metal objects.

When a managed cluster is created, roles for the sl and k8s applications are created:

  • m:k8s:<namespaceName>:<clusterName>@cluster-admin (also used with new-style roles; recommended)

  • m:sl:<namespaceName>:<clusterName>@admin

These roles provide access to the corresponding resources in the managed cluster and are included in the corresponding m:kaas:<namespaceName>@writer role.

New-style roles

Recommended

New-style roles were introduced in Container Cloud 2.14.0. They can be assigned to users directly in Keycloak or by using IAM API objects. Mirantis recommends using the IAM API for role assignment.

Users with the m:kaas@global-admin role can create Container Cloud projects, which are Kubernetes namespaces in the management cluster, and all IAM API objects that manage user access to Container Cloud.

Users with the m:kaas@management-admin role have full access to the Container Cloud management cluster. This role is available since Container Cloud 2.25.0 (Cluster releases 17.0.0, 16.0.0, 14.1.0).

After project creation, iam-controller creates the following roles in Keycloak:

  • m:kaas:<namespaceName>@operator

    Provides the same permissions as m:kaas:<namespaceName>@writer

  • m:kaas:<namespaceName>@bm-pool-operator

    Provides the same permissions as m:kaas@operator but restricted to a single namespace

  • m:kaas:<namespaceName>@user

    Provides the same permissions as m:kaas:<namespaceName>@reader

  • m:kaas:<namespaceName>@member

    Provides the same permissions as m:kaas:<namespaceName>@operator except for IAM API access

The old-style m:k8s:<namespaceName>:<clusterName>@cluster-admin role is unchanged in the new-style format and remains the recommended role for managed cluster access.

When a managed cluster is created, a new role m:sl:<namespaceName>:<clusterName>@stacklight-admin for the sl application is created. This role provides the same access to the StackLight resources in the managed cluster as m:sl:<namespaceName>:<clusterName>@admin and is included in the corresponding m:k8s:<namespaceName>:<clusterName>@cluster-admin role.
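The role naming scheme from the scope table and the inclusion rules spelled out in the old-style and new-style sections above can be checked mechanically, which is useful when auditing what a Keycloak role list actually grants. The following Python is an added example, not Mirantis code and not part of the IAM API: it parses a full role name into its scope components, rejects application types that the scope table does not allow at that scope, and answers whether one held role implies another by walking an inclusion table built only from the statements on this page (global roles include the per-namespace roles, m:kaas:<namespaceName>@writer includes the cluster roles, cluster-admin includes stacklight-admin, and the "same permissions as" equivalences). The INCLUDES table, grants() and the other names are this example's own. It deliberately models nothing the page does not state: writer is not treated as a superset of reader, and global-admin and management-admin include no other roles.

```python
"""Parse Container Cloud IAM role names and evaluate role inclusion.

Added example (not Mirantis code). The INCLUDES table is built from the
inclusion and "same permissions as" statements on this page and nothing else.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

GLOBAL, NAMESPACE, CLUSTER = "global", "namespace", "cluster"

# Application types that the scope table allows at each scope.
SCOPE_APPS: Dict[str, Set[str]] = {GLOBAL: {"kaas"}, NAMESPACE: {"kaas"}, CLUSTER: {"k8s", "sl"}}

Template = Tuple[str, str, str]  # (scope, appType, roleName) without the concrete names


@dataclass(frozen=True)
class Role:
    app: str
    namespace: Optional[str]
    cluster: Optional[str]
    name: str

    @property
    def scope(self) -> str:
        if self.cluster is not None:
            return CLUSTER
        return NAMESPACE if self.namespace is not None else GLOBAL

    @property
    def template(self) -> Template:
        return (self.scope, self.app, self.name)

    def __str__(self) -> str:
        parts = ["m", self.app] + [p for p in (self.namespace, self.cluster) if p is not None]
        return ":".join(parts) + "@" + self.name


def parse_role(text: str) -> Role:
    """Parse m:<appType>[:<namespaceName>[:<clusterName>]]@<roleName>.

    Rejects empty components and application types that are not valid at the
    resulting scope (kaas only at global/namespace scope, k8s and sl only at
    cluster scope), so a typo cannot silently turn into an unrelated role.
    """
    if text.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {text!r}")
    scope_part, name = text.split("@")
    parts = scope_part.split(":")
    if not name or parts[0] != "m" or not 2 <= len(parts) <= 4 or "" in parts:
        raise ValueError(f"malformed role name {text!r}")
    role = Role(app=parts[1],
                namespace=parts[2] if len(parts) > 2 else None,
                cluster=parts[3] if len(parts) > 3 else None,
                name=name)
    if role.app not in SCOPE_APPS[role.scope]:
        raise ValueError(f"{role.app!r} is not valid at {role.scope} scope: {text!r}")
    return role


def is_valid_role(text: str) -> bool:
    try:
        parse_role(text)
        return True
    except ValueError:
        return False


# Held template -> templates it includes; namespace and cluster carry over from
# the held role. Edges in both directions encode "provides the same permissions as".
INCLUDES: Dict[Template, List[Template]] = {
    (GLOBAL, "kaas", "writer"): [(NAMESPACE, "kaas", "writer")],   # global roles include per-namespace ones
    (GLOBAL, "kaas", "reader"): [(NAMESPACE, "kaas", "reader")],
    (GLOBAL, "kaas", "operator"): [(NAMESPACE, "kaas", "bm-pool-operator")],  # operator restricted to one namespace
    (NAMESPACE, "kaas", "writer"): [(NAMESPACE, "kaas", "operator"),           # operator == writer
                                    (CLUSTER, "k8s", "cluster-admin"), (CLUSTER, "sl", "admin")],
    (NAMESPACE, "kaas", "operator"): [(NAMESPACE, "kaas", "writer"), (NAMESPACE, "kaas", "member")],
    # member == operator minus IAM API access: reaches the cluster roles, not operator/writer.
    (NAMESPACE, "kaas", "member"): [(CLUSTER, "k8s", "cluster-admin"), (CLUSTER, "sl", "admin")],
    (NAMESPACE, "kaas", "reader"): [(NAMESPACE, "kaas", "user")],   # user == reader
    (NAMESPACE, "kaas", "user"): [(NAMESPACE, "kaas", "reader")],
    (CLUSTER, "k8s", "cluster-admin"): [(CLUSTER, "sl", "stacklight-admin")],
    (CLUSTER, "sl", "stacklight-admin"): [(CLUSTER, "sl", "admin")],  # stacklight-admin == admin
    (CLUSTER, "sl", "admin"): [(CLUSTER, "sl", "stacklight-admin")],
    # global-admin and management-admin: the page states no inclusions, so none are modelled.
}


def reachable(start: Template) -> Set[Template]:
    """All templates transitively included by `start` (breadth-first walk)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in INCLUDES.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def grants(held: str, wanted: str) -> bool:
    """True if holding `held` implies the permissions of `wanted`."""
    h, w = parse_role(held), parse_role(wanted)
    # A role fixed to a namespace or cluster never reaches outside it;
    # a global role applies to every namespace and cluster.
    if h.namespace is not None and w.namespace != h.namespace:
        return False
    if h.cluster is not None and w.cluster != h.cluster:
        return False
    return w.template in reachable(h.template)


def any_grants(held_roles: List[str], wanted: str) -> bool:
    """Evaluate a user's whole role list (as Keycloak returns it) against one required role."""
    return any(grants(r, wanted) for r in held_roles)


if __name__ == "__main__":
    # Constructed role list: a user who is only a project member in "team-a".
    user_roles = ["m:kaas:team-a@member"]
    for wanted in ("m:k8s:team-a:prod@cluster-admin", "m:kaas:team-a@operator",
                   "m:k8s:team-b:prod@cluster-admin"):
        print(f"{wanted:40} {'granted' if any_grants(user_roles, wanted) else 'denied'}")
```

Feed it the role list Keycloak returns for a user to confirm, for example, that m:kaas@writer reaches cluster-admin on every managed cluster, while a project member reaches the cluster roles of its own project but never m:kaas:<namespaceName>@operator, since that role carries IAM API access the member role lacks.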

Detailed role descriptions

The following tables list the Container Cloud scopes and the roles defined in each, grouped by the three application types: kaas (Container Cloud), k8s (Kubernetes), and sl (StackLight).

Container Cloud (application type kaas)

Scope identifier: m:kaas

  • reader (m:kaas@reader) [1]

    List the API resources within the Container Cloud scope.

  • writer (m:kaas@writer) [1]

    Create, update, or delete the API resources within the Container Cloud scope. Create projects.

  • operator (m:kaas@operator) [1]

    Add or delete a bare metal host within the Container Cloud scope.

  • global-admin (m:kaas@global-admin) [1]

    Create, update, or delete the IAM API resources within the Container Cloud scope. Create projects.

  • management-admin (m:kaas@management-admin) [1]

    Have full access to the management cluster. Available since Container Cloud 2.25.0 (Cluster releases 17.0.0, 16.0.0, 14.1.0).

Scope identifier: m:kaas:<namespaceName>

  • reader (m:kaas:<namespaceName>@reader)

    List the API resources within the specified Container Cloud project.

  • writer (m:kaas:<namespaceName>@writer)

    Create, update, or delete the API resources within the specified Container Cloud project.

  • user (m:kaas:<namespaceName>@user)

    List the API resources within the specified Container Cloud project.

  • operator (m:kaas:<namespaceName>@operator)

    Create, update, or delete the API resources within the specified Container Cloud project.

  • bm-pool-operator (m:kaas:<namespaceName>@bm-pool-operator)

    Add or delete a bare metal host within the specified Container Cloud project.

[1] Role is available by default. Other roles are added during managed cluster deployment or project creation.

Kubernetes (application type k8s)

Scope identifier: m:k8s:<namespaceName>:<clusterName>

  • cluster-admin (m:k8s:<namespaceName>:<clusterName>@cluster-admin)

    Allow superuser access to perform any action on any resource in the specified cluster.

StackLight (application type sl)

Scope identifier: m:sl:<namespaceName>:<clusterName>

  • admin (m:sl:<namespaceName>:<clusterName>@admin)

    Access the following web UIs within the scope: Alerta, Alertmanager, Grafana, OpenSearch Dashboards, Prometheus.

  • stacklight-admin (m:sl:<namespaceName>:<clusterName>@stacklight-admin)

    Access the same web UIs within the scope as admin: Alerta, Alertmanager, Grafana, OpenSearch Dashboards, Prometheus.