Mirantis Container Cloud creates the IAM roles in scopes. For each application type, such as `iam`, `k8s`, or `kaas`, Container Cloud creates a scope in Keycloak. Every scope contains a set of roles such as `admin`, `user`, and `viewer`. The default IAM roles can be changed during a managed cluster deployment. You can grant or revoke role access using the IAM CLI. For details, see IAM CLI.
Example of the structure of a `cluster-admin` role in a managed cluster:

```
m:k8s:kaas-tenant-name:k8s-cluster-name@cluster-admin
```

- `m` - prefix for all IAM roles in Container Cloud
- `k8s` - application type, Kubernetes
- `kaas-tenant-name:k8s-cluster-name` - a managed cluster identifier in Container Cloud (`CLUSTER_ID`)
- `@` - delimiter between a scope and role
- `cluster-admin` - name of the role within the Kubernetes scope
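As an added example (not code from the Container Cloud documentation or the IAM CLI), a small Python parser for role strings in the `m:<application type>:<scope id>@<role>` form described above, together with a lookup that checks whether a list of granted role strings contains a given role for a given scope. Treating the scope identifier as optional, so that a scope-level role such as `m:kaas@admin` also parses, is an assumption made here.

```python
from dataclasses import dataclass

# Application types named in the documentation above.
KNOWN_APP_TYPES = {"iam", "k8s", "kaas"}


@dataclass(frozen=True)
class IamRole:
    app_type: str   # e.g. "k8s"
    scope_id: str   # e.g. "kaas-tenant-name:k8s-cluster-name" (CLUSTER_ID); "" if absent (assumption)
    role: str       # e.g. "cluster-admin"

    @property
    def scope(self) -> str:
        """Full scope string as it appears before the '@' delimiter."""
        return f"m:{self.app_type}" + (f":{self.scope_id}" if self.scope_id else "")


def parse_iam_role(raw: str) -> IamRole:
    """Parse 'm:<app type>[:<scope id>]@<role>'; raise ValueError on malformed input."""
    if raw.count("@") != 1:
        raise ValueError(f"expected exactly one '@' delimiter in {raw!r}")
    scope, role = raw.split("@")
    if not role:
        raise ValueError(f"empty role name in {raw!r}")
    parts = scope.split(":")
    if len(parts) < 2 or parts[0] != "m" or not parts[1]:
        raise ValueError(f"scope must start with 'm:<application type>' in {raw!r}")
    if any(p == "" for p in parts[2:]):
        raise ValueError(f"empty scope component in {raw!r}")
    # Re-join so the tenant:cluster pair is kept as one CLUSTER_ID value.
    return IamRole(app_type=parts[1], scope_id=":".join(parts[2:]), role=role)


def has_role(granted: list[str], app_type: str, scope_id: str, role: str) -> bool:
    """True only if a granted string matches app type, scope id and role exactly.

    Malformed entries are skipped, never treated as a match, so a garbled
    role string cannot widen access.
    """
    for raw in granted:
        try:
            r = parse_iam_role(raw)
        except ValueError:
            continue
        if (r.app_type, r.scope_id, r.role) == (app_type, scope_id, role):
            return True
    return False
```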
The following tables list the scopes and their role descriptions by Container Cloud component:
| Scope identifier | Role name | Grant example | Role description |
|---|---|---|---|
| | | | List the managed clusters within the Container Cloud scope. |
| | | | Create or delete the managed clusters within the Container Cloud scope. |
| | | | Add or delete a bare metal host and machine within the Container Cloud scope, create a project. |
| | | | List the managed clusters within the specified Container Cloud cluster ID. |
| | | | Create or delete the managed clusters within the specified Container Cloud cluster ID. |

Grant is available by default. Other grants can be added during a management and managed cluster deployment.
| Scope identifier | Role name | Grant example | Role description |
|---|---|---|---|
| | | | Allow the super-user access to perform any action on any resource on the cluster level. When used in |
| Scope identifier | Role name | Grant example | Role description |
|---|---|---|---|
| | | | Access the specified web UI(s) within the scope. The |