-
Notifications
You must be signed in to change notification settings - Fork 20
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Closes Mirantis/hmc#486
- Loading branch information
Showing
2 changed files
with
189 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,187 @@ | ||
| # 2A Role-Based Access Control | ||
|
|
||
| 2A leverages the Kubernetes RBAC system and provides a set of standard `ClusterRoles` with | ||
| associated permissions. All `ClusterRoles` are created as part of the HMC helm chart. | ||
| 2A roles are based on labels and aggregated permissions, meaning they automatically collect | ||
| rules from other `ClusterRoles` with specific labels. | ||
|
|
||
| The following table outlines the roles available in 2A, along with their respective read/write or read-only | ||
| permissions: | ||
|
|
||
| | Roles | Global Admin | Global Viewer | Namespace Admin | Namespace Editor | Namespace Viewer | | ||
| |----------------------------------|--------------|---------------|-----------------|------------------|------------------| | ||
| | **Scope** | **Global** | **Global** | **Namespace** | **Namespace** | **Namespace** | | ||
| | 2A management | r/w | r/o | - | - | - | | ||
| | Namespaces management | r/w | r/o | - | - | - | | ||
| | Provider Templates | r/w | r/o | - | - | - | | ||
| | Global Template Management | r/w | r/o | - | - | - | | ||
| | Multi Cluster Service Management | r/w | r/o | - | - | - | | ||
| | Template Chain Management | r/w | r/o | r/w | r/o | r/o | | ||
| | Cluster and Service Templates | r/w | r/o | r/w | r/o | r/o | | ||
| | Credentials | r/w | r/o | r/w | r/o | r/o | | ||
| | Flux Helm objects | r/w | r/o | r/w | r/o | r/o | | ||
| | Managed Clusters | r/w | r/o | r/w | r/w | r/o | | ||
|
|
||
|
|
||
| ## Roles definition | ||
|
|
||
| This section provides an overview of all `ClusterRoles` available in 2A. | ||
|
|
||
| > NOTE: | ||
| > The names of the `ClusterRoles` may have different prefix depending on the name of the HMC Helm chart. | ||
| > The `ClusterRoles` definitions below use the `hmc` prefix, which is the default name of the HMC Helm chart. | ||
| ### Global Admin | ||
|
|
||
| The `Global Admin` role provides full administrative access across all the 2A system. | ||
|
|
||
| **Name**: `hmc-global-admin-role` | ||
|
|
||
| **Aggregation Rule**: Includes all `ClusterRoles` with the labels: | ||
|
|
||
| * `hmc.mirantis.com/aggregate-to-global-admin: true` | ||
| * `hmc.mirantis.com/aggregate-to-namespace-admin: true` | ||
| * `hmc.mirantis.com/aggregate-to-namespace-editor: true` | ||
|
|
||
| **Permissions**: | ||
|
|
||
| 1. Full access to 2A API | ||
| 2. Full access to Flux Helm repositories and Helm charts | ||
| 3. Full access to Cluster API identities | ||
| 4. Full access to namespaces and secrets | ||
|
|
||
| **Use case** | ||
|
|
||
| A user with the `Global Admin` role is authorized to perform the following actions: | ||
|
|
||
| 1. Manage the 2A configuration | ||
| 2. Manage namespaces in the management cluster | ||
| 3. Manage `Provider Templates`: add new templates or remove unneeded ones | ||
| 4. Manage `Cluster` and `Service Templates` in any namespace, including adding and removing templates | ||
| 5. Manage Flux `HelmRepositories` and `HelmCharts` in any namespace | ||
| 6. Manage access rules for `Cluster` and `Service Templates`, including distributing templates across namespaces using | ||
| `Template Chains` | ||
| 7. Manage upgrade sequences for `Cluster` and `Service Templates` | ||
| 8. Manage and deploy Services across multiple clusters in any namespace by modifying `MultiClusterService` resources | ||
| 9. Manage `ManagedClusters` in any namespace | ||
| 10. Manage `Credentials` and `secrets` in any namespace | ||
| 11. Upgrade 2A | ||
| 12. Uninstall 2A | ||
|
|
||
|
|
||
| ### Global Viewer | ||
|
|
||
| The `Global Viewer` role grants read-only access across the 2A system. It does not permit any modifications, | ||
| including the creation of clusters. | ||
|
|
||
| **Name**: `hmc-global-viewer-role` | ||
|
|
||
| **Aggregation Rule**: Includes all `ClusterRoles` with the labels: | ||
|
|
||
| * `hmc.mirantis.com/aggregate-to-global-viewer: true` | ||
| * `hmc.mirantis.com/aggregate-to-namespace-viewer: true` | ||
|
|
||
| **Permissions**: | ||
|
|
||
| 1. Read access to 2A API | ||
| 2. Read access to Flux Helm repositories and Helm charts | ||
| 3. Read access to Cluster API identities | ||
| 4. Read access to namespaces and secrets | ||
|
|
||
| **Use case** | ||
|
|
||
| A user with the `Global Viewer` role is authorized to perform the following actions: | ||
|
|
||
| 1. View the 2A configuration | ||
| 2. List namespaces available in the management cluster | ||
| 3. List and get the detailed information about available `Provider Templates` | ||
| 4. List available `Cluster` and `Service Templates` in any namespace | ||
| 5. List and view detailed information about Flux `HelmRepositories` and `HelmCharts` in any namespace | ||
| 6. View access rules for `Cluster` and `Service Templates`, including `Template Chains` in any namespace | ||
| 7. View full details about the created `MultiClusterService` objects | ||
| 8. List and view detailed information about `ManagedClusters` in any namespace | ||
| 9. List and view detailed information about created `Credentials` and `secrets` in any namespace | ||
|
|
||
|
|
||
| ### Namespace Admin | ||
|
|
||
| The `Namespace Admin` role provides full administrative access within namespace. | ||
|
|
||
| **Name**: `hmc-namespace-admin-role` | ||
|
|
||
| **Aggregation Rule**: Includes all `ClusterRoles` with the labels: | ||
|
|
||
| * `hmc.mirantis.com/aggregate-to-namespace-admin: true` | ||
| * `hmc.mirantis.com/aggregate-to-namespace-editor: true` | ||
|
|
||
| **Permissions**: | ||
|
|
||
| 1. Full access to `ManagedClusters`, `Credentials`, `Cluster` and `Service Templates` in the namespace | ||
| 2. Full access to `Template Chains` in the namespace | ||
| 3. Full access to Flux `HelmRepositories` and `HelmCharts` in the namespace | ||
|
|
||
| **Use case** | ||
|
|
||
| A user with the `Namespace Admin` role is authorized to perform the following actions within the namespace: | ||
|
|
||
| 1. Create and manage all `ManagedClusters` in the namespace | ||
| 2. Create and manage `Cluster` and `Service Templates` in the namespace | ||
| 3. Manage the distribution and upgrade sequences of Templates within the namespace | ||
| 4. Create and manage Flux `HelmRepositories` and `HelmCharts` in the namespace | ||
| 5. Manage `Credentials` created by any user in the namespace | ||
|
|
||
|
|
||
| ### Namespace Editor | ||
|
|
||
| The `Namespace Editor` role allows users to create and modify `ManagedClusters` within namespace using predefined | ||
| `Credentials` and `Templates`. | ||
|
|
||
| **Name**: `hmc-namespace-editor-role` | ||
|
|
||
| **Aggregation Rule**: Includes all `ClusterRoles` with the labels: | ||
|
|
||
| * `hmc.mirantis.com/aggregate-to-namespace-editor: true` | ||
|
|
||
| **Permissions**: | ||
|
|
||
| 1. Full access to `ManagedClusters` in the allowed namespace | ||
| 2. Read access to `Credentials`, `Cluster` and `Service Templates`, and `TemplateChains` in the namespace | ||
| 3. Read access to Flux `HelmRepositories` and `HelmCharts` in the namespace | ||
|
|
||
| **Use case** | ||
|
|
||
| A user with the `Namespace Editor` role has the following permissions in the namespace: | ||
|
|
||
| 1. Can create and manage `ManagedCluster` objects in the namespace using existing `Credentials` and `Templates` | ||
| 2. Can list and view detailed information about the `Credentials` available in the namespace | ||
| 3. Can list and view detailed information about the available `Cluster` and `Service Templates` and the `Templates'` | ||
| upgrade sequences | ||
| 4. Can list and view detailed information about the Flux `HelmRepositories` and `HelmCharts` | ||
|
|
||
|
|
||
| ### Namespace Viewer | ||
|
|
||
| The `Namespace Viewer` role grants read-only access to resources within a namespace. | ||
|
|
||
| **Name**: `hmc-namespace-viewer-role` | ||
|
|
||
| **Aggregation Rule**: Includes all `ClusterRoles` with the labels: | ||
|
|
||
| * `hmc.mirantis.com/aggregate-to-namespace-viewer: true` | ||
|
|
||
| **Permissions**: | ||
|
|
||
| 1. Read access to `ManagedClusters` in the namespace | ||
| 2. Read access to `Credentials`, `Cluster` and `Service Templates`, and `TemplateChains` in the namespace | ||
| 3. Read access to Flux `HelmRepositories` and `HelmCharts` in the namespace | ||
|
|
||
| **Use case** | ||
|
|
||
| A user with the `Namespace Viewer` role has the following permissions in the namespace: | ||
|
|
||
| 1. Can list and view detailed information about all the `ManagedCluster` objects in the allowed namespace | ||
| 2. Can list and view detailed information about `Credentials` available in the specific namespace | ||
| 3. Can list and view detailed information about available `Cluster` and `Service Templates` and the `Templates'` | ||
| upgrade sequences | ||
| 4. Can list and view detailed information about Flux `HelmRepositories` and `HelmCharts` | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters