Manage user roles through Keycloak

Note
Since Container Cloud 2.14.0 (Cluster releases 7.4.0, 6.20.0, and 5.21.0):

- User roles management is available through the Container Cloud API and web UI.
- User management for the `m:os` roles is not yet available through API or web UI. Therefore, continue managing these roles using Keycloak.
- Role names have been updated. For details, see Mapping of Keycloak roles to IAM*RoleBinding objects.

Mirantis Container Cloud creates the IAM roles in scopes. For each application type, such as `kaas`, `k8s`, or `sl`, Container Cloud creates a set of roles such as `@admin`, `@cluster-admin`, `@reader`, `@writer`, `@operator`.

Depending on the role, you can perform specific operations in a cluster. For example:

- With the `m:kaas@writer` role, you can create a project using the Container Cloud web UI. The corresponding project-specific roles will be automatically created in Keycloak by `iam-controller`.
- With the `m:kaas*` roles, you can download the `kubeconfig` of the management cluster.

The semantic structure of role naming in MOSK is as follows:

`m:<appType>:<namespaceName>:<clusterName>@<roleName>`

| Element | Description |
|---|---|
| `m` | Prefix for all IAM roles in MOSK |
| `<appType>` | Application type: |
| `<namespaceName>` | Namespace name that is optional depending on the application type |
| `<clusterName>` | Managed cluster name that is optional depending on the application type |
| `@` | Delimiter between a scope and role |
| `<roleName>` | Short name of a role within a scope |

This section outlines the IAM roles and scopes structure in MOSK and role assignment to users using the Keycloak Admin Console.
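
An added example, not part of the Mirantis documentation or product code: a parser for the role-name structure above, used to review role assignments and surface grants that carry no namespace or cluster scope, plus names that do not fit the structure. The DNS-label character set for names, the `review` helper, and the sample users and role names are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Assumption: namespace and cluster names are DNS-label style (no ':' or '@').
_NAME = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_ROLE_RE = re.compile(
    rf"^m:(?P<app>[a-z0-9]+)(?::(?P<ns>{_NAME}))?(?::(?P<cluster>{_NAME}))?"
    r"@(?P<role>[a-z][a-z-]*)$"
)


class IamRole(NamedTuple):
    app_type: str
    namespace: Optional[str]
    cluster: Optional[str]
    role: str

    @property
    def scope(self) -> str:
        # Narrowest element present in the name decides the scope label.
        if self.cluster:
            return "cluster"
        return "namespace" if self.namespace else "application"


def parse_role(name: str) -> Optional[IamRole]:
    """Split m:<appType>:<namespaceName>:<clusterName>@<roleName>; None if malformed."""
    m = _ROLE_RE.match(name)
    if not m:
        return None
    return IamRole(m["app"], m["ns"], m["cluster"], m["role"])


def review(assignments):
    """Return (user, role_name, finding) for grants that deserve a second look."""
    findings = []
    for user, roles in sorted(assignments.items()):
        for name in roles:
            parsed = parse_role(name)
            if parsed is None:
                findings.append((user, name, "malformed"))
            elif parsed.scope == "application":
                findings.append((user, name, "application-wide"))
    return findings


# Constructed sample: users and role names are illustrative only.
SAMPLE = {
    "alice": ["m:kaas@writer", "m:kaas:demo-project@reader"],
    "bob": ["m:k8s:demo-project:demo-cluster@cluster-admin", "kaas@admin"],
}
```

Feeding `review` the user-to-role mapping exported from Keycloak gives a short list of grants to check against least privilege before they are left in place.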