Manage user roles through the Container Cloud web UI NEW

Available since 2.14.0

If you are assigned the global-admin role, you can manage the IAM*RoleBinding objects through the Container Cloud web UI. The possibility to manage project role bindings using the operator role will become available in one of the following Container Cloud releases.

To add or remove a role binding using the Container Cloud web UI:

  1. Log in to the Container Cloud web UI as global-admin.

  2. In the left-side navigation panel, click Users to open the active users list and view the number and types of bindings for each user. Click on a user name to open the details page with the user Role Bindings.

  3. Select from the following options:

    • To add a new binding:

      1. Click Create Role Binding.

      2. In the window that opens, configure the following fields:

        Parameter

        Description

        Role

        • global-admin

          Manage all types of role bindings for all users

        • bm-pool-operator

          Manage bare metal hosts of a particular namespace

        • operator
          • Manage Container Cloud API and Ceph-related objects in a particular project, create clusters and machines, have full access to Kubernetes clusters and StackLight APIs deployed by anyone in this project

          • Manage role bindings in the current namespace for users who require the bm-pool-operator, operator, or user role

        • user

          Manage infrastructure of a particular project with access to live statuses of the project cluster machines to monitor cluster health

        • cluster-admin

          Have admin access to Kubernetes clusters and StackLight components of a particular cluster and project

        • stacklight-admin

          Have admin access to the StackLight components of a particular Kubernetes cluster deployed in a particular project to monitor the cluster health.

        Binding type

        • Global

          Bind a role globally, not limited to a specific project or cluster. By default, global-admin has the global binding type.

          You can bind any role globally. For example, you can change the default project binding of the operator role to apply this role globally, to all existing and new projects.

        • Project

          Bind a role to a specific project. If selected, also define the Project name that the binding is assigned to.

          By default, the following IAM roles have the project binding type: bm-pool-operator, operator, and user. You can bind any role to a project except the global-admin one.

        • Cluster

          Bind a role to a specific cluster. If selected, also define the Project and Cluster name that the binding is assigned to. You can bind only the cluster-admin and stacklight-admin roles to a cluster.

    • To remove a binding, click the Delete action icon located in the last column of the required role binding.

      Bindings that have the external flag set to true will be synced back from Keycloak during the next user-controller reconciliation. Therefore, manage such bindings through Keycloak.