Role list

Mirantis Container Cloud creates its IAM roles inside scopes. For each application type, such as iam, k8s, or kaas, Container Cloud creates a scope in Keycloak, and every scope contains a set of roles such as admin, user, or viewer. The default IAM roles can be changed during a managed cluster deployment. You can grant or revoke a role using the IAM CLI. For details, see IAM CLI.

Example of the structure of a cluster-admin role in a managed cluster. Everything before the @ delimiter is the scope; everything after it is the role name:

m:k8s:kaas-tenant-name:k8s-cluster-name@cluster-admin
  • m - prefix for all IAM roles in Container Cloud

  • k8s - application type, Kubernetes

  • kaas-tenant-name:k8s-cluster-name - identifier of the managed cluster in Container Cloud, written as <CLUSTER_ID> in the tables below (note that the identifier itself contains a colon)

  • @ - delimiter between the scope and the role

  • cluster-admin - name of the role within the Kubernetes scope


The following tables list the scopes and their roles by Container Cloud component. <CLUSTER_ID> stands for the managed cluster identifier described above:

Container Cloud

Scope identifier     | Role name | Grant example               | Role description
m:kaas               | reader    | m:kaas@reader [1]           | List the managed clusters within the Container Cloud scope.
m:kaas               | writer    | m:kaas@writer [1]           | Create or delete managed clusters within the Container Cloud scope.
m:kaas               | operator  | m:kaas@operator             | Add or delete a bare metal host or machine within the Container Cloud scope; create a project.
m:kaas:<CLUSTER_ID>  | reader    | m:kaas:<CLUSTER_ID>@reader  | List the managed clusters within the specified Container Cloud cluster ID.
m:kaas:<CLUSTER_ID>  | writer    | m:kaas:<CLUSTER_ID>@writer  | Create or delete managed clusters within the specified Container Cloud cluster ID.

[1] Grant is available by default. Other grants can be added during a management and managed cluster deployment.

Kubernetes

Scope identifier     | Role name     | Grant example                     | Role description
m:k8s:<CLUSTER_ID>   | cluster-admin | m:k8s:<CLUSTER_ID>@cluster-admin  | Super-user access: any action on any resource at the cluster level. When bound through a ClusterRoleBinding, it gives full control over every resource in the cluster, across all Kubernetes namespaces.

StackLight

Scope identifier                   | Role name | Grant example                        | Role description
m:sl:<CLUSTER_ID>                  | admin     | m:sl:<CLUSTER_ID>@admin              | Access all StackLight web UIs of the cluster: Prometheus, Alerta, Alertmanager, Kibana, Grafana.
m:sl:<CLUSTER_ID>:<SERVICE_NAME>   | admin     | m:sl:<CLUSTER_ID>:alerta@admin       | Access only the web UI of the service named in the scope. Service names used in the examples: alerta, alertmngmnt, kibana, grafana, prometheus.
                                   |           | m:sl:<CLUSTER_ID>:alertmngmnt@admin  |
                                   |           | m:sl:<CLUSTER_ID>:kibana@admin       |
                                   |           | m:sl:<CLUSTER_ID>:grafana@admin      |
                                   |           | m:sl:<CLUSTER_ID>:prometheus@admin   |

The m:sl:<CLUSTER_ID>@admin grant is the broader one: it provides access to every StackLight web UI in the cluster, whereas a grant on a <SERVICE_NAME> sub-scope provides access to that single UI.
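The following is an added example, not Mirantis code: a small parser for the grant format described on this page (m:<app>[:<component>...]@<role>, with the role structure from the top of the page and the scopes from the tables) together with a scope-coverage check. The coverage rule it implements, that a grant on a scope also covers every sub-scope beneath it (m:kaas@reader covers m:kaas:<CLUSTER_ID>@reader, and m:sl:<CLUSTER_ID>@admin covers m:sl:<CLUSTER_ID>:grafana@admin), is an assumption modelled on the role descriptions above; roles never imply each other here (writer does not cover reader). How Keycloak actually evaluates these grants is not stated on this page, and the sample grants in the block are constructed.

```python
"""Parse Container Cloud IAM grants and evaluate which scopes a grant covers.

Added example, not Mirantis code. Grant format from the page:
<scope>@<role> where scope = m:<app>[:<component>...].
ASSUMPTION: a grant on a scope covers every sub-scope beneath it; a role
never implies a different role. Keycloak's real evaluation is not described
on the page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PREFIX = "m"
# Application types named on the page; anything else is rejected.
KNOWN_APPS = frozenset({"iam", "k8s", "kaas", "sl"})

_GRANT_RE = re.compile(r"^(?P<scope>[^@\s]+)@(?P<role>[A-Za-z0-9_-]+)$")


@dataclass(frozen=True)
class Grant:
    app: str                 # application type, e.g. "k8s"
    path: tuple[str, ...]    # scope components after the app, e.g. ("ns", "cluster")
    role: str                # role name after "@", e.g. "cluster-admin"

    @property
    def scope(self) -> str:
        return ":".join((PREFIX, self.app, *self.path))

    def __str__(self) -> str:
        return f"{self.scope}@{self.role}"


def parse_grant(text: str) -> Grant:
    """Split 'm:<app>[:<component>...]@<role>' into its parts, rejecting
    malformed strings (missing '@', wrong prefix, empty component, unknown app).
    A <CLUSTER_ID> of the form <tenant>:<cluster> simply yields two components."""
    match = _GRANT_RE.match(text.strip())
    if match is None:
        raise ValueError(f"malformed grant, expected <scope>@<role>: {text!r}")
    parts = match.group("scope").split(":")
    if len(parts) < 2 or parts[0] != PREFIX:
        raise ValueError(f"scope must start with '{PREFIX}:<app>': {text!r}")
    if "" in parts:
        raise ValueError(f"empty scope component in {text!r}")
    app = parts[1]
    if app not in KNOWN_APPS:
        raise ValueError(f"unknown application type {app!r} in {text!r}")
    return Grant(app=app, path=tuple(parts[2:]), role=match.group("role"))


def covers(held: Grant, required: Grant) -> bool:
    """ASSUMED rule: same app and same role, and the held scope equals the
    required scope or is one of its ancestors (a prefix of its component path)."""
    if held.app != required.app or held.role != required.role:
        return False
    return required.path[: len(held.path)] == held.path


def is_authorized(user_grants: list[str], required: str) -> bool:
    """True if any of the user's grants covers the required grant."""
    needed = parse_grant(required)
    return any(covers(parse_grant(g), needed) for g in user_grants)


if __name__ == "__main__":
    # Constructed sample: a user holding the default kaas reader grant plus
    # cluster-wide StackLight admin on one managed cluster.
    user = ["m:kaas@reader", "m:sl:kaas-tenant-name:k8s-cluster-name@admin"]
    for wanted in (
        "m:kaas:kaas-tenant-name:k8s-cluster-name@reader",       # covered by m:kaas@reader
        "m:kaas@writer",                                         # no writer grant held
        "m:sl:kaas-tenant-name:k8s-cluster-name:grafana@admin",  # covered by cluster-wide sl admin
        "m:sl:other-tenant:other-cluster:grafana@admin",         # different cluster
    ):
        print(f"{wanted:58} -> {is_authorized(user, wanted)}")
```

Because the cluster identifier itself contains a colon, the parser treats the scope as an ordered list of components rather than looking for a fixed number of fields; that is also why a per-service StackLight grant such as m:sl:<CLUSTER_ID>:grafana@admin does not cover the cluster-wide m:sl:<CLUSTER_ID>@admin, while the reverse does hold under the assumed rule.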