Mirantis Container Cloud (MCC) becomes part of Mirantis OpenStack for Kubernetes (MOSK)!
Starting with MOSK 25.2, the MOSK documentation set covers all product layers, including MOSK management (formerly Container Cloud). This means everything you need is in one place. Some legacy names may remain in the code and documentation and will be updated in future releases. The separate Container Cloud documentation site will be retired, so please update your bookmarks for continued easy access to the latest content.
MOSK roles and scopes¶
MOSK roles can have three types of scopes. The application type is the second token of the role name (m:kaas@writer, m:k8s:<namespaceName>:<clusterName>@cluster-admin):

| Scope | Application type | Components | Example |
|---|---|---|---|
| Global | kaas | | m:kaas@writer |
| Namespace | kaas | | m:kaas:<namespaceName>@writer |
| Cluster | k8s, sl | | m:k8s:<namespaceName>:<clusterName>@cluster-admin |

The global scope applies to all MOSK clusters and namespaces. The namespace scope is limited to one MOSK project (a Kubernetes namespace in the management cluster), and the cluster scope to one MOSK cluster.
New-style roles¶
Recommended
Since Container Cloud 2.14.0 (Cluster releases 7.4.0, 6.20.0, 5.21.0), new-style roles are available. They can be assigned to users directly in Keycloak or through IAM API objects. Mirantis recommends using the IAM API for role assignment.
Users with the m:kaas@global-admin role can create MOSK projects, which are
Kubernetes namespaces in a management cluster, and all IAM API objects that
manage user access to MOSK.
Users with the m:kaas@management-admin role have full access to the
management cluster. This role is available since Container Cloud 2.25.0
(Cluster releases 17.0.0 and 16.0.0).
After project creation, iam-controller creates the following roles in
Keycloak:

- m:kaas:<namespaceName>@operator: provides the same permissions as m:kaas:<namespaceName>@writer
- m:kaas:<namespaceName>@bm-pool-operator: provides the same permissions as m:kaas@operator but restricted to a single namespace
- m:kaas:<namespaceName>@user: provides the same permissions as m:kaas:<namespaceName>@reader
- m:kaas:<namespaceName>@member: provides the same permissions as m:kaas:<namespaceName>@operator except for IAM API access
The old-style m:k8s:<namespaceName>:<clusterName>@cluster-admin role is
unchanged in the new-style format and remains the recommended role for
cluster-level access.
When a MOSK cluster is created, a new role
m:sl:<namespaceName>:<clusterName>@stacklight-admin for the sl
application is created. This role provides the same access to the StackLight
resources in the MOSK cluster as
m:sl:<namespaceName>:<clusterName>@admin and is included into the
corresponding m:k8s:<namespaceName>:<clusterName>@cluster-admin role.
Old-style roles¶
Not recommended
Users with the m:kaas@writer role are considered global
MOSK administrators. They can create MOSK
projects that are Kubernetes namespaces in the management cluster. After a
project is created, the m:kaas:<namespaceName>@writer and
m:kaas:<namespaceName>@reader roles are created in Keycloak by
iam-controller. These roles are automatically included into the
corresponding global roles, such as m:kaas@writer, so that users with the
global-scoped role also obtain the rights provided by the namespace-scoped
roles. The global role m:kaas@operator provides full access to bare metal
objects.
When a MOSK cluster is created, roles for the sl and k8s applications are
created:

- m:k8s:<namespaceName>:<clusterName>@cluster-admin (also applies to new-style roles, recommended)
- m:sl:<namespaceName>:<clusterName>@admin

These roles provide access to the corresponding resources in a MOSK cluster
and are included into the corresponding m:kaas:<namespaceName>@writer role.
Detailed role descriptions¶
The following tables include MOSK scopes and descriptions of their roles by three application types:
Application type kaas (global and namespace scopes):

| Scope identifier | Short role name | Full role name | Role description |
|---|---|---|---|
| Global | reader | m:kaas@reader | List the API resources within the MOSK management scope. |
| Global | writer | m:kaas@writer | Create, update, or delete the API resources within the MOSK management scope. Create projects. |
| Global | operator | m:kaas@operator | Add or delete a bare metal host and, since MOSK management 2.29.1 (Cluster release 16.4.1), bare metal inventory within the MOSK management scope. |
| Global | global-admin | m:kaas@global-admin | Create, update, or delete the IAM API resources within the MOSK management scope. Create projects. |
| Global | management-admin | m:kaas@management-admin | Available since Container Cloud 2.25.0 (Cluster releases 17.0.0 and 16.0.0). Full access to the management cluster. |
| Namespace | reader | m:kaas:<namespaceName>@reader | List the API resources within the specified MOSK project. |
| Namespace | writer | m:kaas:<namespaceName>@writer | Create, update, or delete the API resources within the specified MOSK project. |
| Namespace | user | m:kaas:<namespaceName>@user | List the API resources within the specified MOSK project. |
| Namespace | operator | m:kaas:<namespaceName>@operator | Create, update, or delete the API resources within the specified MOSK project. |
| Namespace | bm-pool-operator | m:kaas:<namespaceName>@bm-pool-operator | Add or delete a bare metal host and, since MOSK management 2.29.1 (Cluster release 16.4.1), bare metal inventory within the specified MOSK project. |
| Namespace | member | m:kaas:<namespaceName>@member | Create, update, or delete the API resources within the specified MOSK project, except IAM API. |

The global-scope roles are available by default. The other roles are added during MOSK cluster deployment or project creation.
Application type k8s (cluster scope):

| Scope identifier | Short role name | Full role name | Role description |
|---|---|---|---|
| Cluster | cluster-admin | m:k8s:<namespaceName>:<clusterName>@cluster-admin | Allow the superuser to perform any action on any resource in the specified cluster. |
Application type sl (cluster scope):

| Scope identifier | Short role name | Full role name | Role description |
|---|---|---|---|
| Cluster | admin | m:sl:<namespaceName>:<clusterName>@admin | Access the StackLight web UIs within the specified cluster. |
| Cluster | stacklight-admin | m:sl:<namespaceName>:<clusterName>@stacklight-admin | Access the StackLight web UIs within the specified cluster. Provides the same access as m:sl:<namespaceName>:<clusterName>@admin. |