Manage user roles through Keycloak¶

Note

Since Container Cloud 2.14.0 (Cluster releases 7.4.0, 6.20.0, and 5.21.0):

User roles management is available through the MOSK management API and console.
User management for the m:os roles is not yet available through API or web UI. Therefore, continue managing these roles using Keycloak.
Role names have been updated. For details, see Mapping of Keycloak roles to IAM*RoleBinding objects.

MOSK creates the IAM roles in scopes. For each application type, such as kaas, k8s, or sl, MOSK creates a set of roles such as @admin, @cluster-admin, @reader, @writer, @operator.

Depending on the role, you can perform specific operations in a cluster. For example:

With the m:kaas@writer role, you can create a project using the MOSK management console. The corresponding project-specific roles will be automatically created in Keycloak by iam-controller.
With the m:kaas* roles, you can download the kubeconfig of the management cluster.

The semantic structure of role naming in MOSK is as follows:

m:<appType>:<namespaceName>:<clusterName>@<roleName>

Role naming semantic structure¶
Element	Description
`m`	Prefix for all IAM roles in MOSK
`<appType>`	Application type: `kaas` for a management cluster and MOSK management API `k8s` for a MOSK cluster `sl` for StackLight
`<namespaceName>`	Namespace name that is optional depending on the application type
`<clusterName>`	MOSK cluster name that is optional depending on the application type
`@`	Delimiter between a scope and role
`<roleName>`	Short name of a role within a scope

This section outlines the IAM roles and scopes structure in MOSK and role assignment to users using the Keycloak Admin Console.

No results

An error occurred

Manage user roles through Keycloak¶