Container Cloud roles and scopes

The Container Cloud roles can have three types of scopes:

Types of Container Cloud scopes

Scope     | Application type | Components                                   | Example
Global    | kaas             | m, <appType>                                 | m:kaas@writer
Namespace | kaas             | m, <appType>, <namespaceName>                | m:kaas:my_namespace@writer
Cluster   | k8s, sl          | m, <appType>, <namespaceName>, <clusterName> | m:k8s:my_namespace:my_cluster@cluster-admin

The global scope applies to all managed clusters and namespaces.

Users with the m:kaas@writer role are considered global Container Cloud administrators. They can create Container Cloud projects, which are Kubernetes namespaces in the management cluster. After a project is created, iam-controller creates the m:kaas:<namespaceName>@writer and m:kaas:<namespaceName>@reader roles in Keycloak. These roles are automatically included in the corresponding global roles, such as m:kaas@writer, so that users with the global-scoped role also obtain the rights provided by the namespace-scoped roles. The operator role exists only globally.

When a managed cluster is created, roles for the sl and k8s applications are created:

  • m:k8s:<namespaceName>:<clusterName>@cluster-admin

  • m:sl:<namespaceName>:<clusterName>@admin

These roles provide access to the corresponding resources in the managed cluster and are included in the corresponding m:kaas:<namespaceName>@writer role.
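The role naming and inclusion rules described above, as an added example that is not part of the original page or of the Container Cloud code base: a parser for the m:<appType>[:<namespaceName>[:<clusterName>]]@<role> format, validated against the role tables on this page, and a check of whether a user's assigned roles grant a requested role through the stated inclusions (global reader/writer includes the same project roles, project writer includes the cluster-scoped k8s and sl roles). The function names and the KNOWN_ROLES table are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Full role name grammar described on this page: m:<appType>[:<namespaceName>[:<clusterName>]]@<role>
ROLE_RE = re.compile(r"^m:(?P<app>kaas|k8s|sl)(?::(?P<ns>[^:@]+)(?::(?P<cluster>[^:@]+))?)?@(?P<role>[^:@]+)$")

# Roles the page lists, keyed by (application type, scope); any other combination is rejected.
KNOWN_ROLES = {("kaas", "global"): {"reader", "writer", "operator"},  # operator exists only globally
               ("kaas", "namespace"): {"reader", "writer"},
               ("k8s", "cluster"): {"cluster-admin"}, ("sl", "cluster"): {"admin"}}

@dataclass(frozen=True)
class Role:
    app: str
    ns: "str | None"       # None for the global scope
    cluster: "str | None"  # None for the global and namespace scopes
    name: str

    @property
    def scope(self) -> str:
        return "cluster" if self.cluster else "namespace" if self.ns else "global"

def parse_role(text: str) -> Role:
    # Parse a full role name and reject names that are not in the page's role tables.
    m = ROLE_RE.match(text)
    if not m:
        raise ValueError(f"malformed role name: {text!r}")
    role = Role(m["app"], m["ns"], m["cluster"], m["role"])
    if role.name not in KNOWN_ROLES.get((role.app, role.scope), set()):
        raise ValueError(f"no {role.name!r} role in the {role.app}/{role.scope} scope: {text!r}")
    return role

def includes(held: Role, wanted: Role) -> bool:
    if held == wanted:
        return True
    if held.app == "kaas" and held.scope == "global":
        # Global reader/writer includes the same-named role of every project; the global
        # writer therefore also reaches every cluster role through the project writer role.
        if wanted.app == "kaas" and wanted.scope == "namespace":
            return wanted.name == held.name
        return (held.name == "writer" and wanted.scope == "cluster"
                and includes(Role("kaas", wanted.ns, None, "writer"), wanted))
    if held.app == "kaas" and held.scope == "namespace" and held.name == "writer":
        # A project writer includes the k8s cluster-admin and sl admin roles of its clusters.
        return (wanted.scope == "cluster" and wanted.ns == held.ns
                and (wanted.app, wanted.name) in {("k8s", "cluster-admin"), ("sl", "admin")})
    return False

def grants(held_roles, wanted: str) -> bool:
    # Does any of a user's assigned full role names grant the requested role?
    target = parse_role(wanted)
    return any(includes(parse_role(h), target) for h in held_roles)
```

Only the inclusions the page states are modelled; in particular, the check does not assume that a writer role implies the reader role of the same scope.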

The following tables list the Container Cloud scopes and describe their roles for the three application types:

Container Cloud

Scope identifier       | Short role name | Full role name                 | Role description
m:kaas                 | reader          | m:kaas@reader [1]              | List the API resources within the Container Cloud scope.
m:kaas                 | writer          | m:kaas@writer [1]              | Create, update, or delete the API resources within the Container Cloud scope. Create projects.
m:kaas                 | operator        | m:kaas@operator [1]            | Add or delete a bare metal host within the Container Cloud scope.
m:kaas:<namespaceName> | reader          | m:kaas:<namespaceName>@reader  | List the API resources within the specified Container Cloud project.
m:kaas:<namespaceName> | writer          | m:kaas:<namespaceName>@writer  | Create, update, or delete the API resources within the specified Container Cloud project.

[1] Role is available by default. Other roles will be added during a managed cluster deployment or project creation.

Kubernetes

Scope identifier                    | Short role name | Full role name                                   | Role description
m:k8s:<namespaceName>:<clusterName> | cluster-admin   | m:k8s:<namespaceName>:<clusterName>@cluster-admin | Allow the superuser to perform any action on any resource in the specified cluster.

StackLight

Scope identifier                   | Short role name | Full role name                           | Role description
m:sl:<namespaceName>:<clusterName> | admin           | m:sl:<namespaceName>:<clusterName>@admin | Access the following web UIs within the scope: Alerta, Alertmanager, Grafana, Kibana, Prometheus.