Mirantis Container Cloud creates the IAM roles in scopes.
For each application type, such as iam, k8s, or kaas,
Container Cloud creates a scope in Keycloak.
And every scope contains a set of roles such as admin, user,
viewer. The default IAM roles can be changed during a managed cluster
deployment. You can grant or revoke a role access using the IAM CLI.
For details, see: IAM CLI.
Example of the structure of a cluster-admin role in a managed cluster:
m:k8s:kaas-tenant-name:k8s-cluster-name@cluster-admin
m - prefix for all IAM roles in Container Cloud
k8s - application type, Kubernetes
kaas-tenant-name:k8s-cluster-name - a managed cluster identifier
in Container Cloud (CLUSTER_ID)
@ - delimiter between a scope and role
cluster-admin - name of the role within the Kubernetes scope
The following tables include the scopes and their roles descriptions by Container Cloud components:
Scope identifier |
Role name |
Grant example |
Role description |
|---|---|---|---|
|
|
|
List the managed clusters within the Container Cloud scope. |
|
|
Create or delete the managed clusters within the Container Cloud scope. |
|
|
|
Add or delete a bare metal host and machine within the Container Cloud scope, create a project. |
|
|
|
|
List the managed clusters within the specified Container Cloud cluster ID. |
|
|
Create or delete the managed clusters within the specified Container Cloud cluster ID. |
Grant is available by default. Other grants can be added during a management and managed cluster deployment.
Scope identifier |
Role name |
Grant example |
Role description |
|---|---|---|---|
|
|
|
Allow the super-user access to perform any action on any resource
on the cluster level.
When used in |
Scope identifier |
Role name |
Grant example |
Role description |
|---|---|---|---|
|
|
|
Access the specified web UI(s) within the scope. The |