Skip to content

Commit

Permalink
12.rancher_sso_rbac.md
Browse files Browse the repository at this point in the history 
Adding documentation file versioned_docs/version-5.4/08.integration/12.rancher_sso_rbac.md as requested by @sunilarjun. Thanks.
  • Loading branch information
@brunoebernardi @sunilarjun
brunoebernardi authored and sunilarjun committed Jan 2, 2025
1 parent 1a916f2 commit 7f4ae0a
Showing 1 changed file with 151 additions and 0 deletions.
151 changes: 151 additions & 0 deletions versioned_docs/version-5.4/08.integration/12.rancher_sso_rbac.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,151 @@
---
title: Integration with Rancher RBAC
taxonomy:
category: docs
slug: /integration/rancher_sso_rbac
---

### Integration

Starting with NeuVector 5.4, full compatibility and integration of NeuVector with Rancher RBAC has been included. This offers users the possibility of customizing specific permissions based on the profile of the user or group that should access NeuVector.

In the Rancher console, Users & Authentication -> Role Templates page, customers can create Global, Cluster, Project, and Namespace roles with specific Neuvector Verbs, Resources, and API Groups. When such a Rancher role is assigned to a Rancher user, the user's NeuVector SSO session is assigned different NeuVector permissions accordingly. This is to provide SSO users with custom roles (i.e., roles other than the reserved admin/reader/fedAdmin/fedReader roles).


### Supported Custom NeuVector Role Mapping in Rancher SSO

Below are supported role mappings for NeuVector Verbs, Resources, and API Groups used on the Rancher UI -> Users & Authentication -> Role Template -> Create Global, Cluster or Project Role Template:

* APIGroup: permission.neuvector.com

* Verbs: get -> read-only(i.e. view)

* Verbs: * -> read/write(i.e. modify)

* Resources - Cluster Scoped: AdmissionControl, Authentication, CI Scan, Cluster, Federation and Vulnerability

* Resources - Namespaced: AuditEvents, Authorization, Compliance, Events, Namespace, RegistryScan, RuntimePolicy, RuntimeScan, SecurityEvents and SystemConfig


#### Resource Display and Logical Name Mapping Table

Below is a table illustrating the logical name of the resources for better understanding:


| Resource Display | Logical Name |
| -------------------|-----------------------------------|
| "All Permissions" | nv-perm.all-permissions |
| "Admission Control"| nv-perm.admctrl |
| "Audit Events" | nv-perm.audit-events |
| "Authentication" | nv-perm.authentication |
| "Authorization" | nv-perm.authorization |
| "CI Scan" | nv-perm.ci-scan |
| "Compliance" | nv-perm.compliance |
| "Events" | nv-perm.events |
| "Federation" | nv-perm.fed |
| "Registry Scan" | nv-perm.reg-scan |
| "Runtime Policy" | nv-perm.rt-policy |
| "Runtime Scan" | nv-perm.rt-scan |
| "Security Events" | nv-perm.security-events |
| "System Config" | nv-perm.config |
| "Vulnerability Profile" | nv-perm.vulnerability |


:::note
It is important to note that this integration supports roles in Global, Cluster, Project, and Namespace levels. The user must customize and create the rules based on their needs and scope permissions for the SSO.
:::

### Definitions and Expectations with Global, Cluster, and Project/Namespace Roles

* Cluster resource with * verb on Rancher Global Role
+ Mapped to NeuVector fedAdmin role on NeuVector fed-master cluster (This means users cannot map a Rancher Global role to a NeuVector admin role if NeuVector is on a master cluster)
+ Mapped to NeuVector admin role on NeuVector fed-managed cluster

* Cluster resource with * verb on Rancher Cluster Roles
+ Always mapped to NeuVector cluster-admin role

* Namespace resource with * verb on Rancher Project Roles
+ Always mapped to NeuVector namespace-admin role


### Use Cases & Examples

#### Use Case 1

* Global role to run runtime scans from NeuVector SSO session on all clusters are managed by Rancher Manager except the local cluster. Users need to create cluster roles to propagate the global role to all downstream clusters.
+ Create a cluster role template with the following parameters:

```yaml
Verb: *
Resource: RuntimeScan (choose runtimescan from drop down)
API: permission.neuvector.com (auot populated)
```
+ Create a project/namespace role to allow access to the UI and for SSO to work. Please remember that you must add this user role to your project for it to work as expected:
```yaml
Verb: get, patch,create
Resource: services/proxy
API: neuvector.com
```
+ Create a global cluster role with the following parameter to inherit the role to all downstream clusters:
```yaml
apiVersion: management.cattle.io/v3
kind: GlobalRole
displayName: All Downstream NV RT scan
metadata:
name: all-downstream-nvrtscan
inheritedClusterRoles:
- rt-gpmbs (above created cluster role id)
```
+ Create a standard user and select the global role created for this use case. The default form is always a Base or Standard user, unless you want to provide Admin permissions for the user created.
+ Create a project role binding on all downstream clusters for the above user and project containing cattle-neuvector-system namespace.
+ Login into Rancher Manager using the user created previously and launch NeuVector after clicking any downstream cluster. The user should be able to carry out any task related to real-time scans such as container scan, node scan, and browsing vulnerabilities page. This applies to the newly joined clusters, too.
#### Use Case 2
* Create a FedAdmin user. Always remember to login in as a FedAdmin to a master cluster. If you are not on a federated domain, the roles will be downgraded to Reader or Admin.
+ Create a global role with the following parameters. By using a global role it is also accessible by the other downstream clusters:
```yaml
Verb: *
Resource: All permissions
API: nv-perm.all-permissions
```
+ Create a project/namespace role to allow access to the UI and for SSO to work. Please remember that you must add this user role to your project for it to work as expected:
```yaml
Verb: get, patch,create
Resource: services/proxy
API: neuvector.com
```
+ Create a Standard user and select the global role created for this use case. The default form is always a Base or Standard user.
+ After that, go to Rancher UI -> Master Cluster -> Cluster and Project Members -> Project Membership -> Add. Here you must add the user you created and set the UI Proxy project role so that NeuVector is granted access.
+ Login into Rancher Manager using the user created previously and launch NeuVector after clicking any downstream cluster. When this is done, NeuVector reads the rancher's global role and assigns the match permissions, in this case FedAdmin.
:::note
To switch between FedAdmin and FedReader, just change the verbs from * to `get`. `get` is just the read permission, i.e., FedReader in this use case.
:::


#### Use Case 3

A user can do a few read-only tasks and modify a few tasks on a cluster.

#### Use Case 4

A user can do a few read-only tasks on a few domains and do a few modified tasks on a few domains on a cluster.

#### Use Case 5

A user obtains permission to do certain tasks on a cluster by combining permission from global, cluster, and project roles.


### Additional considerations

* Users can use this documentation and parameters as a basis for creating the SSO/RBAC rules of their choice. The support team can be contacted to help with errors and specific use cases via the SCC.
* NeuVector 5.4 should be backward compatible with pre-5.4 SSO role mapping. Please see [this](https://github.com/horantj/rancher-nv-rbac) documentation to understand the previous structure.


0 comments on commit 7f4ae0a

Please sign in to comment.