Manage user roles through the Container Cloud web UI¶
If you are assigned the
global-admin role, you can manage the
IAM*RoleBinding objects through the Container Cloud web UI. The possibility
to manage project role bindings using the
operator role will become
available in one of the following Container Cloud releases.
To add or remove a role binding using the Container Cloud web UI:
Log in to the Container Cloud web UI as
In the left-side navigation panel, click Users to open the active users list and view the number and types of bindings for each user. Click on a user name to open the details page with the user Role Bindings.
Select from the following options:
To add a new binding:
Click Create Role Binding.
In the window that opens, configure the following fields:
Manage all types of role bindings for all users
Manage bare metal hosts of a particular namespace
Manage Container Cloud API and Ceph-related objects in a particular project, create clusters and machines, have full access to Kubernetes clusters and StackLight APIs deployed by anyone in this project
Manage role bindings in the current namespace for users who require the
Manage infrastructure of a particular project with access to live statuses of the project cluster machines to monitor cluster health
Have admin access to Kubernetes clusters and StackLight components of a particular cluster and project
Have admin access to the StackLight components of a particular Kubernetes cluster deployed in a particular project to monitor the cluster health.
Bind a role globally, not limited to a specific project or cluster. By default,
global-adminhas the global binding type.
You can bind any role globally. For example, you can change the default project binding of the
operatorrole to apply this role globally, to all existing and new projects.
Bind a role to a specific project. If selected, also define the Project name that the binding is assigned to.
By default, the following IAM roles have the project binding type:
user. You can bind any role to a project except the
Bind a role to a specific cluster. If selected, also define the Project and Cluster name that the binding is assigned to. You can bind only the
stacklight-adminroles to a cluster.
To remove a binding, click the Delete action icon located in the last column of the required role binding.
Bindings that have the
externalflag set to
truewill be synced back from Keycloak during the next
user-controllerreconciliation. Therefore, manage such bindings through Keycloak.