Mirantis Container Cloud (MCC) becomes part of Mirantis OpenStack for Kubernetes (MOSK)!

Starting with MOSK 25.2, the MOSK documentation set covers all product layers, including MOSK management (formerly Container Cloud). This means everything you need is in one place. Some legacy names may remain in the code and documentation and will be updated in future releases. The separate Container Cloud documentation site will be retired, so please update your bookmarks for continued easy access to the latest content.

Create initial users after a management cluster bootstrap

Once you bootstrap your management cluster, create Keycloak users for access to the MOSK management console.

Mirantis recommends creating at least two users, user and operator, that are required for a typical MOSK deployment.

Create a user for access to the MOSK management console

./container-cloud bootstrap user add \
    --username <userName> \
    --roles <roleName> \
    --kubeconfig <pathToMgmtKubeconfig>

Note

You will be asked for the user password interactively.

User creation parameters

Flag

Description

--username

Required. Name of the user to create.

--roles

Required. Comma-separated list of roles to assign to the user.

  • If you run the command without the --namespace flag, you can assign the following roles:

    • global-admin - read and write access for global role bindings

    • writer - read and write access

    • reader - view access

    • operator - create and manage access to the BareMetalHost and BareMetalHostInventory (since Container Cloud 2.29.1, Cluster release 16.4.1) objects

    • management-admin - full access to the management cluster, available since Container Cloud 2.25.0 (Cluster release 16.0.0)

  • If you run the command for a specific project using the --namespace flag, you can assign the following roles:

    • operator or writer - read and write access

    • user or reader - view access

    • member - read and write access (excluding IAM objects)

    • bm-pool-operator - create and manage access to the BareMetalHost and BareMetalHostInventory (since Container Cloud 2.29.1, Cluster release 16.4.1) objects

--kubeconfig

Required. Path to the management cluster kubeconfig generated during the management cluster bootstrap.

--namespace

Optional. Name of the MOSK management project where the user will be created. If not set, a global user will be created for all MOSK management projects with the corresponding role access to view or manage all public objects.

--password-stdin

Optional. Flag to provide the user password through stdin:

echo "$PASSWORD" | ./container-cloud bootstrap user add \
    --username <userName> \
    --roles <roleName> \
    --kubeconfig <pathToMgmtKubeconfig> \
    --password-stdin

Add several roles to one user

To add several roles of one level to one user, use a comma. For example:

./container-cloud bootstrap user add --username test --roles reader,global-admin --kubeconfig <pathToMgmtKubeconfig>

The command above applies the m:kaas@reader and m:kaas@global-admin roles to the user.

If one of the roles must be namespaced, for example, to create m:kaas:default@reader and m:kaas@global-admin, use the Keycloak Admin Console or the IAM API directly by creating IAMRoleBinding or IAMGlobalRoleBinding objects. For more information, see:

Note

Adding several roles of different levels to one user is not supported during creation of initial users.
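
A pre-flight check for the role rules above, as an added example that is not part of the Mirantis documentation or tooling: validate_roles rejects a role list that is not valid for the chosen scope (role names are copied from the parameter table), and create_user then supplies the password through --password-stdin. The function names and the CONTAINER_CLOUD variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Mirantis code). Role names are copied from the table above.
GLOBAL_ROLES="global-admin writer reader operator management-admin"
PROJECT_ROLES="operator writer user reader member bm-pool-operator"
# Assumption: CLI path as used on this page; override through the environment.
CONTAINER_CLOUD="${CONTAINER_CLOUD:-./container-cloud}"

# validate_roles <comma-separated-roles> [namespace]
# Returns 0 only if every role is valid for the scope: global when no
# namespace is given, project-level otherwise. Mixed levels are rejected.
validate_roles() {
    local rest="$1," namespace="${2:-}" allowed role
    if [ -n "$namespace" ]; then allowed=$PROJECT_ROLES; else allowed=$GLOBAL_ROLES; fi
    while [ -n "$rest" ]; do
        role=${rest%%,*}      # first item of the remaining list
        rest=${rest#*,}       # drop it together with its comma
        case $role in
            ""|*[!a-z-]*) echo "malformed role: '$role'" >&2; return 1 ;;
        esac
        case " $allowed " in
            *" $role "*) ;;
            *) echo "role '$role' not allowed for this scope" >&2; return 1 ;;
        esac
    done
    return 0
}

# create_user <username> <roles> <kubeconfig> [namespace]   (needs a terminal)
create_user() {
    local user="$1" roles="$2" kubeconfig="$3" namespace="${4:-}" password
    validate_roles "$roles" "$namespace" || return 1
    printf 'Password for %s: ' "$user" >&2
    stty -echo; IFS= read -r password; stty echo; printf '\n' >&2
    set -- --username "$user" --roles "$roles" --kubeconfig "$kubeconfig" --password-stdin
    if [ -n "$namespace" ]; then set -- "$@" --namespace "$namespace"; fi
    # printf is a shell builtin, so the password never appears in argv.
    printf '%s\n' "$password" | "$CONTAINER_CLOUD" bootstrap user add "$@"
}
```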

Delete a user

To delete a user, run the following command:

./container-cloud bootstrap user delete --username <userName> --kubeconfig <pathToMgmtKubeconfig>