MOSK roles and scopes

MOSK roles can have three types of scopes:

Types of MOSK scopes

Scope

Application type

Components

Example

Global

kaas

  • m

  • <appType>

m:kaas@writer

This scope applies to all MOSK clusters and namespaces.

Namespace

kaas

  • m

  • <appType>

  • <namespaceName>

m:kaas:my_namespace@writer

Cluster

  • k8s

  • sl

  • m

  • <appType>

  • <namespaceName>

  • <clusterName>

m:k8s:my_namespace:my_cluster@cluster-admin

New-style roles

Recommended

New-style roles can be assigned to users through Keycloak directly as well as by using IAM API objects. Mirantis recommends using IAM API for roles assignment.

Users with the m:kaas@global-admin role can create MOSK projects, which are Kubernetes namespaces in a management cluster, and all IAM API objects that manage users access to MOSK.

Users with the m:kaas@management-admin role have full access to the management cluster.

After project creation, iam-controller creates the following roles in Keycloak:

  • m:kaas:<namespaceName>@operator

    Provides the same permissions as m:kaas:<namespaceName>@writer

  • m:kaas:<namespaceName>@bm-pool-operator

    Provides the same permissions as m:kaas@operator but restricted to a single namespace

  • m:kaas:<namespaceName>@user

    Provides the same permissions as m:kaas:<namespaceName>@reader

  • m:kaas:<namespaceName>@member

    Provides the same permissions as m:kaas:<namespaceName>@operator except for IAM API access

The old-style m:k8s:<namespaceName>:<clusterName>@cluster-admin role is unchanged in the new-style format and is recommended for usage.

When a MOSK cluster is created, a new role m:sl:<namespaceName>:<clusterName>@stacklight-admin for the sl application is created. This role provides the same access to the StackLight resources in the MOSK cluster as m:sl:<namespaceName>:<clusterName>@admin and is included into the corresponding m:k8s:<namespaceName>:<clusterName>@cluster-admin role.

Old-style roles

Not recommended

Users with the m:kaas@writer role are considered global MOSK administrators. They can create MOSK projects that are Kubernetes namespaces in the management cluster. After a project is created, the m:kaas:<namespaceName>@writer and m:kaas:<namespaceName>@reader roles are created in Keycloak by iam-controller. These roles are automatically included into the corresponding global roles, such as m:kaas@writer, so that users with the global-scoped role also obtain the rights provided by the namespace-scoped roles. The global role m:kaas@operator provides full access to bare metal objects.

When a MOSK cluster is created, roles for the sl and k8s applications are created:

  • m:k8s:<namespaceName>:<clusterName>@cluster-admin (also applies to new-style roles, recommended)

  • m:sl:<namespaceName>:<clusterName>@admin

These roles provide access to the corresponding resources in a MOSK cluster and are included into the corresponding m:kaas:<namespaceName>@writer role.

Detailed role descriptions

The following tables include MOSK scopes and descriptions of their roles by three application types:

MOSK management

Scope identifier

Short role name

Full role name

Role description

m:kaas

reader

m:kaas@reader 0

List the API resources within the MOSK management scope.

writer

m:kaas@writer 0

Create, update, or delete the API resources within the MOSK management scope. Create projects.

operator

m:kaas@operator 0

Add or delete a bare metal host and bare metal inventory within the MOSK management scope.

global-admin

m:kaas@global-admin 0

Create, update, or delete the IAM API resources within the MOSK management scope. Create projects.

management-admin

m:kaas@management-admin 0

Have full access to the management cluster.

m:kaas:<namespaceName>

reader

m:kaas:<namespaceName>@reader

List the API resources within the specified MOSK project.

writer

m:kaas:<namespaceName>@writer

Create, update, or delete the API resources within the specified MOSK project.

user

m:kaas:<namespaceName>@user

List the API resources within the specified MOSK project.

operator

m:kaas:<namespaceName>@operator

Create, update, or delete the API resources within the specified MOSK project.

bm-pool-operator

m:kaas:<namespaceName>@bm-pool-operator

Add or delete a bare metal host and bare metal inventory within the specified MOSK project.

member

m:kaas:<namespaceName>@member

Create, update, or delete the API resources within the specified MOSK project, except IAM API.
0(1,2,3,4,5)

Role is available by default. Other roles will be added during a MOSK cluster deployment or project creation.

Kubernetes

Scope identifier

Short role name

Full role name

Role description

m:k8s:<namespaceName>:<clusterName>

cluster-admin

m:k8s:<namespaceName>:<clusterName>@cluster-admin

Allow the superuser to perform any action on any resource in the specified cluster.
StackLight

Scope identifier

Short role name

Full role name

Role description

m:sl:<namespaceName>:<clusterName>

admin

m:sl:$<namespaceName>:<clusterName>@admin

Access the following web UIs within the scope:

  • Alerta

  • Alertmanager

  • Grafana

  • OpenSearch Dashboards

  • Prometheus

stacklight-admin

m:sl:$<namespaceName>:<clusterName>@stacklight-admin

Access the following web UIs within the scope:

  • Alerta

  • Alertmanager

  • Grafana

  • OpenSearch Dashboards

  • Prometheus