Mirantis Container Cloud (MCC) becomes part of Mirantis OpenStack for Kubernetes (MOSK)!

Starting with MOSK 25.2, the MOSK documentation set covers all product layers, including MOSK management (formerly Container Cloud). This means everything you need is in one place. Some legacy names may remain in the code and documentation and will be updated in future releases. The separate Container Cloud documentation site will be retired, so please update your bookmarks for continued easy access to the latest content.

IAMClusterRoleBinding resource

IAMClusterRoleBinding is the namespaced object that represents a grant of one role to one user on one cluster in the namespace. This object is accessible to users that have either of the following bindings assigned to them:

  • IAMGlobalRoleBinding that binds them with the global-admin, operator, or user iamRole. For user, the bindings are read-only.

  • IAMRoleBinding that binds them with the operator or user iamRole in a particular namespace. For user, the bindings are read-only.

The IAMClusterRoleBinding object contains the following fields:

  • apiVersion

    API version of the object that is iam.mirantis.com/v1alpha1.

  • kind

    Object type that is IAMClusterRoleBinding.

  • metadata

    Object metadata that contains the following fields:

    • namespace

      Namespace of the cluster that the defined binding belongs to.

    • name

      Role binding name. If the role is user-created, user can set any unique name. If a name relates to a binding that is synced from Keycloak, the naming convention is <userName>-<roleName>-<clusterName>.

  • role

    Object role that contains the following field:

    • name

      Role name.

  • user

    Object user that contains the following field:

    • name

      Name of the iamuser object that the defined role is granted to. Not equal to the user name in Keycloak.

  • cluster

    Object cluster that contains the following field:

    • name

      Name of the cluster on which the defined role is granted.

  • legacy

    Defines whether the role binding is legacy. Possible values are true or false.

  • legacyRole

    Applicable when the legacy field value is true. Defines the legacy role name in Keycloak.

  • external

    Defines whether the role is assigned through Keycloak and is synced by user-controller with the MOSK API as the IAMGlobalRoleBinding object. Possible values are true or false.

Caution

If you create the IAM*RoleBinding, do not set or modify the legacy, legacyRole, and external fields unless absolutely necessary and you understand all implications.

Configuration example:

apiVersion: iam.mirantis.com/v1alpha1
kind: IAMClusterRoleBinding
metadata:
  namespace: nsone
  name: userone-clusterone-admin
role:
  name: cluster-admin
user:
  name: userone-f150d839
cluster:
  name: clusterone
legacy: false
legacyRole: “”
external: false