Manage user roles through Keycloak

User roles management is available through the MOSK management API and console. User management for the m:os roles is not yet available through API or management console. Therefore, continue managing these roles using Keycloak.

Note

For details on new-style and old-style role names, see Mapping of Keycloak roles to IAM*RoleBinding objects.

MOSK creates the IAM roles in scopes. For each application type, such as kaas, k8s, or sl, MOSK creates a set of roles such as @admin, @cluster-admin, @reader, @writer, @operator.

Depending on the role, you can perform specific operations in a cluster. For example:

• With the m:kaas@writer role, you can create a project using the MOSK management console. The corresponding project-specific roles will be automatically created in Keycloak by iam-controller.

• With the m:kaas* roles, you can download the kubeconfig of the management cluster.

The semantic structure of role naming in MOSK is as follows:

m:<appType>:<namespaceName>:<clusterName>@<roleName>

Role naming semantic structure

Element	Description
m	Prefix for all IAM roles in MOSK
<appType>	Application type: kaas for a management cluster and MOSK management API k8s for a MOSK cluster sl for StackLight
<namespaceName>	Namespace name that is optional depending on the application type
<clusterName>	MOSK cluster name that is optional depending on the application type
@	Delimiter between a scope and role
<roleName>	Short name of a role within a scope

This section outlines the IAM roles and scopes structure in MOSK and role assignment to users using the Keycloak Admin Console.

• MOSK roles and scopes
  • New-style roles
  • Old-style roles
  • Detailed role descriptions
• Use cases

See also

Access the Keycloak Admin Console