Mirantis Container Cloud (MCC) becomes part of Mirantis OpenStack for Kubernetes (MOSK)!
Starting with MOSK 25.2, the MOSK documentation set covers all product layers, including MOSK management (formerly Container Cloud). This means everything you need is in one place. Some legacy names may remain in the code and documentation and will be updated in future releases. The separate Container Cloud documentation site will be retired, so please update your bookmarks for continued easy access to the latest content.
Manage user roles through Keycloak
Note
Since Container Cloud 2.14.0 (Cluster releases 7.4.0, 6.20.0, and 5.21.0):
- User roles management is available through the MOSK management API and console.
- User management for the `m:os` roles is not yet available through API or web UI. Therefore, continue managing these roles using Keycloak.
- Role names have been updated. For details, see Mapping of Keycloak roles to IAM*RoleBinding objects.
MOSK creates the IAM roles in scopes. For each application type, such as `kaas`, `k8s`, or `sl`, MOSK creates a set of roles such as `@admin`, `@cluster-admin`, `@reader`, `@writer`, `@operator`.
Depending on the role, you can perform specific operations in a cluster. For example:
- With the `m:kaas@writer` role, you can create a project using the MOSK management console. The corresponding project-specific roles will be automatically created in Keycloak by `iam-controller`.
- With the `m:kaas*` roles, you can download the `kubeconfig` of the management cluster.
The semantic structure of role naming in MOSK is as follows:
`m:<appType>:<namespaceName>:<clusterName>@<roleName>`
Element | Description |
---|---|
`m` | Prefix for all IAM roles in MOSK |
`<appType>` | Application type: |
`<namespaceName>` | Namespace name that is optional depending on the application type |
`<clusterName>` | MOSK cluster name that is optional depending on the application type |
`@` | Delimiter between a scope and role |
`<roleName>` | Short name of a role within a scope |
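
The naming pattern above, written as a parser that can be used when reviewing the role names assigned to a user in Keycloak. This is an added example, not code from the MOSK documentation or product; `parse_role`, `review`, and the sample role list are constructed here, and it assumes that a single optional component is the namespace.

```python
import re
from typing import NamedTuple, Optional

# Pattern from the page: m:<appType>:<namespaceName>:<clusterName>@<roleName>
# Assumptions: no component contains ':' or '@', and a single optional
# component is the namespace, since it precedes the cluster in the pattern.
ROLE_RE = re.compile(
    r"^m:(?P<app>[^:@]+)(?::(?P<ns>[^:@]+))?(?::(?P<cluster>[^:@]+))?"
    r"@(?P<role>[^:@]+)$"
)

class IamRole(NamedTuple):
    app_type: str
    namespace: Optional[str]
    cluster: Optional[str]
    role: str

    @property
    def scope(self) -> str:
        """Everything to the left of the '@' delimiter."""
        parts = ("m", self.app_type, self.namespace, self.cluster)
        return ":".join(p for p in parts if p)

def parse_role(name: str) -> Optional[IamRole]:
    """Parse a role name; return None if it does not follow the pattern."""
    m = ROLE_RE.match(name.strip())
    return IamRole(m["app"], m["ns"], m["cluster"], m["role"]) if m else None

def review(role_names):
    """Group names into (no namespace/cluster, scoped, not matching)."""
    unscoped, scoped, other = [], [], []
    for name in role_names:
        role = parse_role(name)
        if role is None:
            other.append(name)
        else:
            (unscoped if role.namespace is None else scoped).append(role)
    return unscoped, scoped, other

# Constructed sample: role names as they might be listed for one user.
SAMPLE = ["m:kaas@writer", "m:kaas:team-a@reader",
          "m:k8s:team-a:cluster-1@cluster-admin", "offline_access"]

if __name__ == "__main__":
    for group, label in zip(review(SAMPLE), ("unscoped", "scoped", "other")):
        print(label, [getattr(r, "scope", r) for r in group])
```

Roles in the first group name no namespace or cluster in their scope, as with `m:kaas@writer`, which makes them a natural starting point for an access review.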
This section outlines the IAM roles and scopes structure in MOSK and role assignment to users using the Keycloak Admin Console.