Manage user roles through Keycloak
Note

Since Container Cloud 2.14.0 (Cluster releases 7.4.0, 6.20.0, and 5.21.0):

- User roles management is available through the Container Cloud API and web UI. User management for the `m:os` roles is not yet available through the API or web UI. Therefore, continue managing these roles using Keycloak.
- Role names have been updated. For details, see Mapping of Keycloak roles to IAM*RoleBinding objects.
Mirantis Container Cloud creates the IAM roles in scopes. For each application type, such as `kaas`, `k8s`, or `sl`, Container Cloud creates a set of roles such as `@admin`, `@cluster-admin`, `@reader`, `@writer`, and `@operator`.
Depending on the role, you can perform specific operations in a cluster. For example:

- With the `m:kaas@writer` role, you can create a project using the Container Cloud web UI. The corresponding project-specific roles will be automatically created in Keycloak by `iam-controller`.
- With the `m:kaas*` roles, you can download the `kubeconfig` of the management cluster.
The semantic structure of role naming in MOSK is as follows:
`m:<appType>:<namespaceName>:<clusterName>@<roleName>`
Element | Description
---|---
`m` | Prefix for all IAM roles in MOSK
`<appType>` | Application type, such as `kaas`, `k8s`, or `sl`
`<namespaceName>` | Namespace name that is optional depending on the application type
`<clusterName>` | Managed cluster name that is optional depending on the application type
`@` | Delimiter between a scope and role
`<roleName>` | Short name of a role within a scope
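The naming scheme above, as an added Python example that is not part of the MOSK or Container Cloud documentation or code: a parser that decomposes a Keycloak role name into its scope elements, plus an audit helper that flags role names that are malformed or that use an application type or role name other than those this page lists. The regex character classes and the sample role names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Grammar from the page: m:<appType>[:<namespaceName>[:<clusterName>]]@<roleName>
# The character classes below are an assumption; the page does not define them.
ROLE_RE = re.compile(
    r"^m:(?P<app>[a-z0-9]+)"
    r"(?::(?P<ns>[a-z0-9-]+))?"
    r"(?::(?P<cluster>[a-z0-9-]+))?"
    r"@(?P<role>[a-z0-9-]+)$"
)
# Application types and role names mentioned on the page (os roles are Keycloak-managed only).
KNOWN_APP_TYPES = {"kaas", "k8s", "sl", "os"}
KNOWN_ROLE_NAMES = {"admin", "cluster-admin", "reader", "writer", "operator"}

@dataclass(frozen=True)
class IamRole:
    app_type: str
    namespace: Optional[str]   # None for management-level roles such as m:kaas@writer
    cluster: Optional[str]     # None unless the scope names a managed cluster
    role: str

def parse_role(name: str) -> IamRole:
    """Split a Keycloak role name into its scope elements; raise on malformed input."""
    m = ROLE_RE.match(name)
    if not m:
        raise ValueError(f"not a MOSK IAM role name: {name!r}")
    return IamRole(m["app"], m["ns"], m["cluster"], m["role"])

def audit_roles(names):
    """Map each malformed or unrecognised role name to its problems; clean names are omitted."""
    findings = {}
    for name in names:
        try:
            r = parse_role(name)
        except ValueError as exc:
            findings[name] = [str(exc)]
            continue
        problems = []
        if r.app_type not in KNOWN_APP_TYPES:
            problems.append(f"unknown application type {r.app_type!r}")
        if r.role not in KNOWN_ROLE_NAMES:
            problems.append(f"unknown role name {r.role!r}")
        if problems:
            findings[name] = problems
    return findings
```

Run `audit_roles` over the role names exported from the Keycloak Admin Console to spot entries that do not follow the scheme before assigning them to users.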
This section outlines the IAM roles and scopes structure in MOSK and role assignment to users using the Keycloak Admin Console.