MOSK roles and scopes
MOSK roles can have three types of scope. The scope is encoded in the role name itself: `m:<application>[:<namespaceName>[:<clusterName>]]@<shortName>`, so a role without a namespace segment is global, a role with a namespace segment is namespace-scoped, and a role with both a namespace and a cluster segment is cluster-scoped.

Scope | Application type | Components | Example
---|---|---|---
Global | kaas | | Applies to all managed clusters and namespaces, for example m:kaas@writer.
Namespace | kaas | | Applies to a single MOSK project (a Kubernetes namespace in the management cluster), for example m:kaas:<namespaceName>@writer.
Cluster | k8s, sl | | Applies to a single managed cluster, for example m:k8s:<namespaceName>:<clusterName>@cluster-admin.
New-style roles
Recommended
Since Container Cloud 2.14.0 (Cluster releases 7.4.0, 6.20.0, 5.21.0), new-style roles are available. They can be assigned to users either directly in Keycloak or through IAM API objects. Mirantis recommends using the IAM API for role assignment.

Users with the m:kaas@global-admin role can create MOSK projects, which are Kubernetes namespaces in the management cluster, as well as all IAM API objects that manage user access to MOSK.

Users with the m:kaas@management-admin role have full access to the management cluster. This role is available since Container Cloud 2.25.0 (Cluster releases 17.0.0 and 16.0.0).

After a project is created, iam-controller creates the following roles in Keycloak:

- m:kaas:<namespaceName>@operator: provides the same permissions as m:kaas:<namespaceName>@writer
- m:kaas:<namespaceName>@bm-pool-operator: provides the same permissions as m:kaas@operator, but restricted to a single namespace
- m:kaas:<namespaceName>@user: provides the same permissions as m:kaas:<namespaceName>@reader
- m:kaas:<namespaceName>@member: provides the same permissions as m:kaas:<namespaceName>@operator, except for access to the IAM API

The old-style m:k8s:<namespaceName>:<clusterName>@cluster-admin role is unchanged in the new-style format and remains the recommended role for cluster-level administration.

When a managed cluster is created, a new role m:sl:<namespaceName>:<clusterName>@stacklight-admin for the sl (StackLight) application is created. This role provides the same access to the StackLight resources in the managed cluster as m:sl:<namespaceName>:<clusterName>@admin and is included into the corresponding m:k8s:<namespaceName>:<clusterName>@cluster-admin role.
Old-style roles
Not recommended
Users with the m:kaas@writer role are considered global MOSK administrators. They can create MOSK projects, which are Kubernetes namespaces in the management cluster. After a project is created, iam-controller creates the m:kaas:<namespaceName>@writer and m:kaas:<namespaceName>@reader roles in Keycloak. These namespace-scoped roles are automatically included into the corresponding global roles, such as m:kaas@writer, so a user with the global-scoped role also obtains the rights of the namespace-scoped role in every project. The global role m:kaas@operator provides full access to bare metal objects.

When a managed cluster is created, roles for the sl and k8s applications are created:

- m:k8s:<namespaceName>:<clusterName>@cluster-admin (also applies to new-style roles, recommended)
- m:sl:<namespaceName>:<clusterName>@admin

These roles provide access to the corresponding resources in the managed cluster and are included into the corresponding m:kaas:<namespaceName>@writer role. Note the resulting inclusion chain: a user holding the global m:kaas@writer role effectively holds cluster-admin on every managed cluster in every project, so that role should be assigned as sparingly as any other superuser credential.
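The inclusion rules described in the new-style and old-style sections above (global roles include the same-named namespace roles, a project's writer role includes the k8s and sl roles of its managed clusters, and cluster-admin includes stacklight-admin) are easy to get wrong when reviewing what a Keycloak user can actually do. The following is an added example, not Mirantis code, that parses role names of the form m:<app>[:<namespace>[:<cluster>]]@<shortName> and expands an assigned role list into the effective set under exactly those rules. The project and cluster inventory is constructed for the demo, and the treatment of the member role (expanded to cluster roles like operator, on the assumption that cluster access is not part of the IAM API it lacks) is an assumption noted in the code.

```python
"""Expand assigned MOSK/Container Cloud Keycloak roles into the effective role set.

Added example, not Mirantis code. It encodes only the inclusion rules stated on
this page; the project/cluster inventory below is constructed for the demo.
"""
import re

# m:<app>[:<namespace>[:<cluster>]]@<shortName>
ROLE_RE = re.compile(
    r"^m:(?P<app>kaas|k8s|sl)"
    r"(?::(?P<ns>[^:@]+))?"
    r"(?::(?P<cluster>[^:@]+))?"
    r"@(?P<name>[A-Za-z0-9-]+)$"
)

# Namespace-scoped aliases: the key provides the same permissions as the value.
NS_ALIASES = {"operator": "writer", "user": "reader"}

# Constructed inventory of projects (namespaces) and their managed clusters.
INVENTORY = {
    "demo-ns": ["demo-cluster", "edge-1"],
    "other-ns": ["other-cluster"],
}


def parse_role(role):
    """Split a role name into app, ns, cluster, name and scope; reject malformed ones."""
    m = ROLE_RE.match(role)
    if not m:
        raise ValueError("not a MOSK role name: %r" % role)
    d = m.groupdict()
    if d["app"] == "kaas" and d["cluster"]:
        raise ValueError("kaas roles are global or namespace scoped: %r" % role)
    if d["app"] in ("k8s", "sl") and not d["cluster"]:
        raise ValueError("k8s/sl roles are cluster scoped: %r" % role)
    d["scope"] = "cluster" if d["cluster"] else ("namespace" if d["ns"] else "global")
    return d


def is_valid_role(role):
    try:
        parse_role(role)
        return True
    except ValueError:
        return False


def format_role(app, name, ns=None, cluster=None):
    parts = ["m", app] + [p for p in (ns, cluster) if p]
    return ":".join(parts) + "@" + name


def implied_by(r, inventory):
    """Roles directly included in r according to the rules on this page."""
    app, ns, cl, name = r["app"], r["ns"], r["cluster"], r["name"]
    out = []
    if app == "kaas" and r["scope"] == "global" and name in ("reader", "writer"):
        # Old-style rule: a global role includes the same-named role in every project.
        out += [format_role("kaas", name, n) for n in inventory]
    elif app == "kaas" and r["scope"] == "namespace":
        canonical = NS_ALIASES.get(name, name)
        if canonical != name:
            out.append(format_role("kaas", canonical, ns))
        # writer (and its alias operator) includes the k8s and sl roles of every
        # managed cluster in the project. member is treated the same here on the
        # assumption that cluster access is not part of the IAM API it lacks.
        if canonical in ("writer", "member"):
            for c in inventory.get(ns, []):
                out.append(format_role("k8s", "cluster-admin", ns, c))
                out.append(format_role("sl", "admin", ns, c))
    elif app == "k8s" and name == "cluster-admin":
        # cluster-admin includes stacklight-admin for the same cluster.
        out.append(format_role("sl", "stacklight-admin", ns, cl))
    return out


def effective_roles(assigned, inventory=INVENTORY):
    """Transitive closure of the assigned roles under the inclusion rules."""
    seen = set()
    work = list(assigned)
    while work:
        role = work.pop()
        if role in seen:
            continue
        seen.add(role)
        work.extend(implied_by(parse_role(role), inventory))
    return seen


def has_role(assigned, wanted, inventory=INVENTORY):
    """True if the user holds wanted directly or through inclusion."""
    return wanted in effective_roles(assigned, inventory)


if __name__ == "__main__":
    # A single namespace-scoped operator role fans out to 8 effective roles.
    for r in sorted(effective_roles(["m:kaas:demo-ns@operator"])):
        print(r)
```

Feed it the role list exported from Keycloak for a user together with the real project and cluster inventory, and compare the effective set against what the user is supposed to hold; roles such as m:kaas@global-admin and m:kaas@management-admin are not expanded because the page states no inclusion rules for them.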
Detailed role descriptions
The following tables list the MOSK scopes and describe their roles for the three application types: kaas, k8s, and sl.

kaas application (global and namespace scopes):

Scope identifier | Short role name | Full role name | Role description
---|---|---|---
m:kaas | reader | m:kaas@reader | List the API resources within the Container Cloud scope. *
m:kaas | writer | m:kaas@writer | Create, update, or delete the API resources within the Container Cloud scope. Create projects. *
m:kaas | operator | m:kaas@operator | Add or delete a bare metal host within the Container Cloud scope. *
m:kaas | global-admin | m:kaas@global-admin | Create, update, or delete the IAM API resources within the Container Cloud scope. Create projects. *
m:kaas | management-admin | m:kaas@management-admin | Available since Container Cloud 2.25.0 (Cluster releases 17.0.0 and 16.0.0). Full access to the management cluster. *
m:kaas:<namespaceName> | reader | m:kaas:<namespaceName>@reader | List the API resources within the specified Container Cloud project.
m:kaas:<namespaceName> | writer | m:kaas:<namespaceName>@writer | Create, update, or delete the API resources within the specified Container Cloud project.
m:kaas:<namespaceName> | user | m:kaas:<namespaceName>@user | List the API resources within the specified Container Cloud project.
m:kaas:<namespaceName> | operator | m:kaas:<namespaceName>@operator | Create, update, or delete the API resources within the specified Container Cloud project.
m:kaas:<namespaceName> | bm-pool-operator | m:kaas:<namespaceName>@bm-pool-operator | Add or delete a bare metal host within the specified Container Cloud project.
m:kaas:<namespaceName> | member | m:kaas:<namespaceName>@member | Create, update, or delete the API resources within the specified Container Cloud project, except the IAM API.

\* Role is available by default. The other roles are added during project creation or managed cluster deployment.

k8s application (cluster scope):

Scope identifier | Short role name | Full role name | Role description
---|---|---|---
m:k8s:<namespaceName>:<clusterName> | cluster-admin | m:k8s:<namespaceName>:<clusterName>@cluster-admin | Allow the superuser to perform any action on any resource in the specified cluster.

sl application (cluster scope):

Scope identifier | Short role name | Full role name | Role description
---|---|---|---
m:sl:<namespaceName>:<clusterName> | admin | m:sl:<namespaceName>:<clusterName>@admin | Access the StackLight web UIs within the scope.
m:sl:<namespaceName>:<clusterName> | stacklight-admin | m:sl:<namespaceName>:<clusterName>@stacklight-admin | Access the StackLight web UIs within the scope.