Available IAM roles and use cases
This section describes the IAM roles available in MOSK, the access rights each role provides, and possible use cases for assigning them.
IAM roles
The following table lists the IAM roles available in MOSK and the read/write (r/w) or read-only (r/o) permissions each role grants for specific project and cluster operations; a dash means no access:
Roles | global-admin | management-admin | bm-pool-operator | operator | user | member | cluster-admin | stacklight-admin
---|---|---|---|---|---|---|---|---
Scope | Global | Global | Namespace | Namespace | Namespace | Namespace | Cluster | Cluster
User Role Management API | r/w | r/w | - | r/w | r/o | - | - | -
Create BM hosts | - | r/w | r/w | - | - | - | - | -
Ceph objects | - | r/w | - | r/w | - | r/w | - | -
Projects (Kubernetes namespaces) | r/w | r/w | r/o | r/o | r/o | r/o | - | -
Container Cloud API | - | r/w | - | r/w | r/o | r/w | - | -
Kubernetes API (managed cluster) | - | - | - | r/w | - | r/w | r/w | -
StackLight UI/API (managed cluster) | - | - | - | r/w | - | r/w | r/w | r/w
Role use cases
The following list illustrates possible use cases for each role, to help decide which roles to assign to users who perform particular operations in a MOSK cluster. Each entry shows the role binding object that grants the role (IAMGlobalRoleBinding for Global roles, IAMRoleBinding for Namespace roles, IAMClusterRoleBinding for Cluster roles) together with its use case:
global-admin

    kind: IAMGlobalRoleBinding
    metadata:
      name: mybinding-ga
    role:
      name: global-admin
    user:
      name: myuser-1943c384

Use case: Infrastructure operator with the

management-admin

    kind: IAMGlobalRoleBinding
    metadata:
      name: mybinding-ma
    role:
      name: management-admin
    user:
      name: myuser-1943c384

Use case: Available since Container Cloud 2.25.0 (Cluster releases 17.0.0 and 16.0.0). Infrastructure operator with the

bm-pool-operator

    kind: IAMRoleBinding
    metadata:
      name: mybinding-bm
      namespace: mynamespace
    role:
      name: bm-pool-operator
    user:
      name: myuser-1943c384

Use case: Infrastructure operator with the

operator

    kind: IAMRoleBinding
    metadata:
      name: mybinding-op
      namespace: mynamespace
    role:
      name: operator
    user:
      name: myuser-1943c384

Use case: Infrastructure operator with the

user

    kind: IAMRoleBinding
    metadata:
      name: mybinding-us
      namespace: mynamespace
    role:
      name: user
    user:
      name: myuser-1943c384

Use case: Infrastructure support operator with the

member

    kind: IAMRoleBinding
    metadata:
      name: mybinding-me
      namespace: mynamespace
    role:
      name: member
    user:
      name: myuser-1943c384

Use case: Infrastructure support operator with the

cluster-admin

    kind: IAMClusterRoleBinding
    metadata:
      name: mybinding-ca
      namespace: mynamespace
    role:
      name: cluster-admin
    user:
      name: myuser-1943c384
    cluster:
      name: mycluster

Use case: User with the

stacklight-admin

    kind: IAMClusterRoleBinding
    metadata:
      name: mybinding-sa
      namespace: mynamespace
    role:
      name: stacklight-admin
    user:
      name: myuser-1943c384
    cluster:
      name: mycluster

Use case: User with the
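As an added example (not part of the Mirantis documentation or product code), the following Python checks role binding manifests, written as dicts mirroring the YAML above, against the scope and permission tables on this page and summarises the access each user ends up with. The sample bindings are constructed, and the summary ignores which namespace or cluster a binding targets.

```python
# Added example, not Mirantis code: validates IAM role binding manifests (as dicts mirroring the page's YAML)
# against the scope and permission tables above and summarises the access each user ends up with.
# Scope row -> binding kind: Global roles use IAMGlobalRoleBinding, Namespace roles IAMRoleBinding, Cluster roles IAMClusterRoleBinding.
REQUIRED_KIND = {"global-admin": "IAMGlobalRoleBinding", "management-admin": "IAMGlobalRoleBinding",
                 "bm-pool-operator": "IAMRoleBinding", "operator": "IAMRoleBinding", "user": "IAMRoleBinding",
                 "member": "IAMRoleBinding", "cluster-admin": "IAMClusterRoleBinding", "stacklight-admin": "IAMClusterRoleBinding"}
PERMISSIONS = {  # rows of the permissions table: operation -> (roles with r/w, roles with r/o)
    "User Role Management API": ({"global-admin", "management-admin", "operator"}, {"user"}),
    "Create BM hosts": ({"management-admin", "bm-pool-operator"}, set()),
    "Ceph objects": ({"management-admin", "operator", "member"}, set()),
    "Projects (Kubernetes namespaces)": ({"global-admin", "management-admin"}, {"bm-pool-operator", "operator", "user", "member"}),
    "Container Cloud API": ({"management-admin", "operator", "member"}, {"user"}),
    "Kubernetes API (managed cluster)": ({"operator", "member", "cluster-admin"}, set()),
    "StackLight UI/API (managed cluster)": ({"operator", "member", "cluster-admin", "stacklight-admin"}, set()),
}
# Constructed samples: valid Namespace and Cluster bindings, plus one that wrongly pairs cluster-admin with IAMRoleBinding.
SAMPLE_BINDINGS = [
    {"kind": "IAMRoleBinding", "metadata": {"name": "mybinding-us", "namespace": "mynamespace"},
     "role": {"name": "user"}, "user": {"name": "myuser-1943c384"}},
    {"kind": "IAMClusterRoleBinding", "metadata": {"name": "mybinding-sa", "namespace": "mynamespace"},
     "role": {"name": "stacklight-admin"}, "user": {"name": "myuser-1943c384"}, "cluster": {"name": "mycluster"}},
    {"kind": "IAMRoleBinding", "metadata": {"name": "bad-ca", "namespace": "mynamespace"},
     "role": {"name": "cluster-admin"}, "user": {"name": "myuser-1943c384"}},
]

def validate_binding(b):
    """List what is wrong with one binding: unknown role, kind not matching the role's scope, missing namespace/cluster."""
    kind = REQUIRED_KIND.get(role := b.get("role", {}).get("name"))
    if kind is None:
        return [f"unknown role {role!r}"]
    problems = []
    if b.get("kind") != kind:
        problems.append(f"{role} must be bound with kind {kind}, not {b.get('kind')!r}")
    if kind != "IAMGlobalRoleBinding" and not b.get("metadata", {}).get("namespace"):
        problems.append(f"{role} binding must set metadata.namespace")
    if kind == "IAMClusterRoleBinding" and not b.get("cluster", {}).get("name"):
        problems.append(f"{role} binding must set cluster.name")
    return problems

def effective_access(bindings):
    """Per user, the strongest access per operation over all valid bindings (target namespace/cluster not tracked)."""
    rank, result = {"r/o": 1, "r/w": 2}, {}
    for b in bindings:
        if validate_binding(b):
            continue  # an invalid manifest would be rejected by the API and grants nothing
        role, acc = b["role"]["name"], result.setdefault(b["user"]["name"], {})
        for op, (rw, ro) in PERMISSIONS.items():
            level = "r/w" if role in rw else "r/o" if role in ro else None
            if level and rank[level] > rank.get(acc.get(op), 0):
                acc[op] = level
    return result
```

Running `effective_access(SAMPLE_BINDINGS)` shows that the r/o rights of the `user` role and the StackLight r/w right of `stacklight-admin` accumulate on the same user, while the mis-kinded `cluster-admin` binding is reported by `validate_binding` and contributes nothing.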