Container Cloud roles and scopes¶

The Container Cloud roles can have three types of scopes:

Types of Container Cloud scopes¶
Scope	Application type	Components	Example
Global	`kaas`	`m` `<appType>`	`m:kaas@writer` This scope applies to all managed clusters and namespaces.
Namespace	`kaas`	`m` `<appType>` `<namespaceName>`	`m:kaas:my_namespace@writer`
Cluster	`k8s` `sl`	`m` `<appType>` `<namespaceName>` `<clusterName>`	`m:k8s:my_namespace:my_cluster@cluster-admin`

Old-style roles¶

Not recommended

Users with the m:kaas@writer role are considered global Container Cloud administrators. They can create the Container Cloud projects that are Kubernetes namespaces in the management cluster. After a project is created, the m:kaas:<namespaceName>@writer and m:kaas:<namespaceName>@reader roles are created in Keycloak by iam-controller. These roles are automatically included into the corresponding global roles, such as m:kaas@writer, so that users with the global-scoped role also obtain the rights provided by the namespace-scoped roles. The global role m:kaas@operator provides full access to bare metal objects.

When a managed cluster is created, roles for the sl and k8s applications are created:

m:k8s:<namespaceName>:<clusterName>@cluster-admin (also applies to new-style roles, recommended)
m:sl:<namespaceName>:<clusterName>@admin

These roles provide access to the corresponding resources in a managed cluster and are included into the corresponding m:kaas:<namespaceName>@writer role.

New-style roles¶

Recommended

Since Container Cloud 2.14.0, new-style roles were introduced. They can be assigned to users through Keycloak directly as well as by using IAM API objects. Mirantis recommends using IAM API for roles assignment.

Users with the m:kaas@global-admin role can create Container Cloud projects, which are Kubernetes namespaces in a management cluster, and all IAM API objects that manage users access to Container Cloud. After project creation, iam-controller creates the following roles in Keycloak:

m:kaas:<namespaceName>@operator
Provides the same permissions as m:kaas:<namespaceName>@writer
m:kaas:<namespaceName>@bm-pool-operator
Provides the same permissions as m:kaas@operator but restricted to a single namespace
m:kaas:<namespaceName>@user
Provides the same permissions as m:kaas:<namespaceName>@reader
m:kaas:<namespaceName>@member
Provides the same permissions as m:kaas:<namespaceName>@operator except for IAM API access

The old-style m:k8s:<namespaceName>:<clusterName>@cluster-admin role is unchanged in the new-style format and is recommended for usage.

When a managed cluster is created, a new role m:sl:<namespaceName>:<clusterName>@stacklight-admin for the sl application is created. This role provides the same access to the StackLight resources in the managed cluster as m:sl:<namespaceName>:<clusterName>@admin and is included into the corresponding m:k8s:<namespaceName>:<clusterName>@cluster-admin role.

Detailed role descriptions¶

The following tables include the Container Cloud scopes and their roles descriptions by three application types:

Container Cloud
Kubernetes
StackLight

Container Cloud¶
Scope identifier	Short role name	Full role name	Role description
`m:kaas`	`reader`	`m:kaas@reader` 0	List the API resources within the Container Cloud scope.
	`writer`	`m:kaas@writer` 0	Create, update, or delete the API resources within the Container Cloud scope. Create projects.
	`operator`	`m:kaas@operator` 0	Add or delete a bare metal host within the Container Cloud scope.
	`global-admin`	`m:kaas@global-admin` 0	Create, update, or delete the IAM API resources within the Container Cloud scope. Create projects.
`m:kaas:<namespaceName>`	`reader`	`m:kaas:<namespaceName>@reader`	List the API resources within the specified Container Cloud project.
	`writer`	`m:kaas:<namespaceName>@writer`	Create, update, or delete the API resources within the specified Container Cloud project.
	`user`	`m:kaas:<namespaceName>@user`	List the API resources within the specified Container Cloud project.
	`operator`	`m:kaas:<namespaceName>@operator`	Create, update, or delete the API resources within the specified Container Cloud project.
	`bm-pool-operator`	`m:kaas:<namespaceName>@bm-pool-operator`	Add or delete a bare metal host within the specified Container Cloud project.

0(1,2,3,4): Role is available by default. Other roles will be added during a managed cluster deployment or project creation.

Kubernetes¶
Scope identifier	Short role name	Full role name	Role description
`m:k8s:<namespaceName>:<clusterName>`	`cluster-admin`	`m:k8s:<namespaceName>:<clusterName>@cluster-admin`	Allow the superuser to perform any action on any resource in the specified cluster.

StackLight¶
Scope identifier	Short role name	Full role name	Role description
`m:sl:<namespaceName>:<clusterName>`	`admin`	`m:sl:$<namespaceName>:<clusterName>@admin`	Access the following web UIs within the scope: Alerta Alertmanager Grafana OpenSearch Dashboards Prometheus
	`stacklight-admin`	`m:sl:$<namespaceName>:<clusterName>@stacklight-admin`	Access the following web UIs within the scope: Alerta Alertmanager Grafana OpenSearch Dashboards Prometheus