IAMClusterRoleBinding resource
IAMClusterRoleBinding is the namespaced object that represents a grant of one role to one user on one cluster in the namespace. This object is accessible to users that have either of the following bindings assigned to them:

- IAMGlobalRoleBinding that binds them with the global-admin, operator, or user iamRole. For user, the bindings are read-only.
- IAMRoleBinding that binds them with the operator or user iamRole in a particular namespace. For user, the bindings are read-only.
The IAMClusterRoleBinding object contains the following fields:
apiVersion
    API version of the object that is iam.mirantis.com/v1alpha1.

kind
    Object type that is IAMClusterRoleBinding.

metadata
    Object metadata that contains the following fields:

    namespace
        Namespace of the cluster that the defined binding belongs to.

    name
        Role binding name. If the role is user-created, the user can set any unique name. If a name relates to a binding that is synced from Keycloak, the naming convention is <userName>-<roleName>-<clusterName>.

role
    Object role that contains the following field:

    name
        Role name.

user
    Object user that contains the following field:

    name
        Name of the iamuser object that the defined role is granted to. Not equal to the user name in Keycloak.

cluster
    Object cluster that contains the following field:

    name
        Name of the cluster on which the defined role is granted.

legacy
    Defines whether the role binding is legacy. Possible values are true or false.

legacyRole
    Applicable when the legacy field value is true. Defines the legacy role name in Keycloak.

external
    Defines whether the role is assigned through Keycloak and is synced by user-controller with the MOSK API as the IAMGlobalRoleBinding object. Possible values are true or false.
Caution
    If you create the IAM*RoleBinding, do not set or modify the legacy, legacyRole, and external fields unless absolutely necessary and you understand all implications.
Configuration example:
apiVersion: iam.mirantis.com/v1alpha1
kind: IAMClusterRoleBinding
metadata:
  namespace: nsone
  name: userone-clusterone-admin
role:
  name: cluster-admin
user:
  name: userone-f150d839
cluster:
  name: clusterone
legacy: false
legacyRole: ""
external: false
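The following access-review check is an added example, not part of the Mirantis documentation or product code. It reads IAMClusterRoleBinding objects exported as JSON in List form and flags bindings whose fields are inconsistent with the descriptions above. The function names audit_binding and audit, the sample objects, and the assumption that a synced binding name ends with the binding's own role.name and cluster.name are hypothetical.

```python
import json

# Constructed sample in Kubernetes List form; field layout follows the page.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "nsone", "name": "userone-clusterone-admin"},
   "role": {"name": "cluster-admin"}, "user": {"name": "userone-f150d839"},
   "cluster": {"name": "clusterone"},
   "legacy": false, "legacyRole": "", "external": false},
  {"metadata": {"namespace": "nsone", "name": "usertwo-operator-clusterone"},
   "role": {"name": "operator"}, "user": {"name": "usertwo-0a1b2c3d"},
   "cluster": {"name": "clusterone"},
   "legacy": false, "legacyRole": "", "external": true},
  {"metadata": {"namespace": "nstwo", "name": "tmp-binding"},
   "role": {"name": "cluster-admin"}, "user": {"name": ""},
   "cluster": {"name": "clustertwo"},
   "legacy": false, "legacyRole": "old-admin", "external": true}
]}
""")

def audit_binding(obj):
    """Return review findings for one binding; an empty list means clean."""
    meta = obj.get("metadata", {})
    fields = {
        "metadata.namespace": meta.get("namespace", ""),
        "metadata.name": meta.get("name", ""),
        "role.name": obj.get("role", {}).get("name", ""),
        "user.name": obj.get("user", {}).get("name", ""),
        "cluster.name": obj.get("cluster", {}).get("name", ""),
    }
    findings = [f"missing {key}" for key, value in fields.items() if not value]
    # legacyRole is described as applicable only when legacy is true.
    if obj.get("legacyRole") and not obj.get("legacy", False):
        findings.append("legacyRole set while legacy is false")
    # Assumption: a synced name ends with the binding's own role and cluster.
    suffix = f"-{fields['role.name']}-{fields['cluster.name']}"
    if obj.get("external", False) and not fields["metadata.name"].endswith(suffix):
        findings.append("external binding name lacks -<roleName>-<clusterName>")
    return findings

def audit(doc):
    """Map namespace/name to findings for every binding that has any."""
    results = ((o.get("metadata", {}), audit_binding(o)) for o in doc.get("items", []))
    return {f"{m.get('namespace', '')}/{m.get('name', '')}": f for m, f in results if f}

if __name__ == "__main__":
    for key, findings in audit(SAMPLE).items():
        print(key, findings)
```

These checks are derived from the field descriptions only. They are not rules enforced by the API, so a finding marks a binding for manual review and does not prove a misconfiguration.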