Access control
Read more to learn about role-based access control and authentication.
Abstract
Chapter 1. Access control
Access control might need to manually be created and managed. You must configure authentication service requirements for Red Hat Advanced Cluster Management for Kubernetes to onboard workloads to Identity and Access Management (IAM). For more information see, Understanding authentication in Understanding authentication in the OpenShift Container Platform documentation.
Role-based access control and authentication identifies the user associated roles and cluster credentials. See the following files for information about access and credentials.
Required access: Cluster administrator
1.1. Role-based access control
Red Hat Advanced Cluster Management for Kubernetes supports role-based access control (RBAC). Your role determines the actions that you can perform. RBAC is based on the authorization mechanisms in Kubernetes, similar to Red Hat OpenShift Container Platform. For more information about RBAC, see the OpenShift RBAC overview in the OpenShift Container Platform documentation.
Note: Action buttons are disabled from the console if the user-role access is impermissible.
View the following sections for details of supported RBAC by component:
1.1.1. Overview of roles
Some product resources are cluster-wide and some are namespace-scoped. You must apply cluster role bindings and namespace role bindings to your users for consistent access controls. View the table list of the following role definitions that are supported in Red Hat Advanced Cluster Management for Kubernetes:
Role | Definition |
|
This is an OpenShift Container Platform default role. A user with cluster binding to the |
|
A user with cluster binding to the |
|
A user with cluster binding to the |
|
A user with cluster binding to the |
|
A user with cluster binding to the |
|
A user with cluster binding to the |
|
A user with the |
admin, edit, view |
Admin, edit, and view are OpenShift Container Platform default roles. A user with a namespace-scoped binding to these roles has access to |
|
A user with the |
Important:
- Any user can create projects from OpenShift Container Platform, which gives administrator role permissions for the namespace.
-
If a user does not have role access to a cluster, the cluster name is not visible. The cluster name is displayed with the following symbol:
-
.
1.1.2. RBAC implementation
RBAC is validated at the console level and at the API level. Actions in the console can be enabled or disabled based on user access role permissions. View the following sections for more information on RBAC for specific lifecycles in the product.
1.1.2.1. Cluster lifecycle RBAC
View the following cluster lifecycle RBAC operations.
To create and administer all managed clusters:
Create a cluster role binding to the cluster role
open-cluster-management:cluster-manager-admin
by entering the following command:oc create clusterrolebinding <role-binding-name> --clusterrole=open-cluster-management:cluster-manager-admin --user=<username>
This role is a super user, which has access to all resources and actions. You can create cluster-scoped
managedcluster
resources, the namespace for the resources that manage the managed cluster, and the resources in the namespace with this role. You can also access provider connections and bare metal assets that are used to create managed clusters with this role. You might need to add theusername
of the ID that requires the role association to avoid permission errors.
To administer a managed cluster named
cluster-name
:Create a cluster role binding to the cluster role
open-cluster-management:admin:<cluster-name>
by entering the following command:oc create clusterrolebinding (role-binding-name) --clusterrole=open-cluster-management:admin:<cluster-name> --user=<username>
This role has read and write access to the cluster-scoped
managedcluster
resource. This is needed because themanagedcluster
is a cluster-scoped resource and not a namespace-scoped resource.Create a namespace role binding to the cluster role
admin
by entering the following command:oc create rolebinding <role-binding-name> -n <cluster-name> --clusterrole=admin --user=<username>
This role has read and write access to the resources in the namespace of the managed cluster.
To view a managed cluster named
cluster-name
:Create a cluster role binding to the cluster role
open-cluster-management:view:<cluster-name>
by entering the following command:oc create clusterrolebinding <role-binding-name> --clusterrole=open-cluster-management:view:<cluster-name> --user=<username>
This role has read access to the cluster-scoped
managedcluster
resource. This is needed because themanagedcluster
is a cluster-scoped resource and not a namespace-scoped resource.Create a namespace role binding to the cluster role
view
by entering the following command:oc create rolebinding <role-binding-name> -n <cluster-name> --clusterrole=view --user=<username>
This role has read-only access to the resources in the namespace of the managed cluster.
View a list of the managed clusters that you can access by entering the following command:
oc get managedclusters.clusterview.open-cluster-management.io
This command is used by administrators and users without cluster administrator privileges.
View a list of the managed cluster sets that you can access by entering the following command:
oc get managedclustersets.clusterview.open-cluster-management.io
This command is used by administrators and users without cluster administrator privileges.
1.1.2.1.1. Cluster pools RBAC
View the following cluster pool RBAC operations.
To use cluster pool provision clusters:
As a cluster administrator, create a managed cluster set and grant administrator permission to roles by adding the role to the group.
Grant
admin
permission to theserver-foundation-clusterset
managed cluster set with the following command:oc adm policy add-cluster-role-to-group open-cluster-management:clusterset-admin:server-foundation-clusterset server-foundation-team-admin
Grant
view
permission to theserver-foundation-clusterset
managed cluster set with the following command:oc adm policy add-cluster-role-to-group open-cluster-management:clusterset-view:server-foundation-clusterset server-foundation-team-user
Create a namespace for the cluster pool,
server-foundation-clusterpool
.Grant
admin
permission toserver-foundation-clusterpool
for theserver-foundation-team-admin
by running the following commands:oc adm new-project server-foundation-clusterpool oc adm policy add-role-to-group admin server-foundation-team-admin --namespace server-foundation-clusterpool
As a team administrator, create a cluster pool named
ocp46-aws-clusterpool
with a cluster set label,cluster.open-cluster-management.io/clusterset=server-foundation-clusterset
in the cluster pool namespace.-
The
server-foundation-webhook
checks if the cluster pool has the cluster set label, and if the user has permission to create cluster pools in the cluster set. -
The
server-foundation-controller
grantsview
permission to theserver-foundation-clusterpool
namespace forserver-foundation-team-user
.
-
The
When a cluster pool is created, the cluster pool creates a
clusterdeployment
.-
The
server-foundation-controller
grantsadmin
permission to theclusterdeployment
namespace forserver-foundation-team-admin
. The
server-foundation-controller
grantsview
permissionclusterdeployment
namespace forserver-foundation-team-user
.Note: As a
team-admin
andteam-user
, you haveadmin
permission to theclusterpool
,clusterdeplyment
, andclusterclaim
.
-
The
View the following console and API RBAC tables for cluster lifecycle:
Resource | Admin | Edit | View |
---|---|---|---|
Clusters | read, update, delete | - | read |
Cluster sets | get, update, bind, join | edit role not mentioned | get |
Managed clusters | read, update, delete | no edit role mentioned | get |
Provider connections | create, read, update, and delete | - | read |
Bare metal asset | create, read, update, delete | - | read |
API | Admin | Edit | View |
---|---|---|---|
You can use | create, read, update, delete | read, update | read |
You can use | read | read | read |
| update | update | |
You can use | create, read, update, delete | read, update | read |
| read | read | read |
You can use | create, read, update, delete | read, update | read |
| create, read, update, delete | read, update | read |
| create, read, update, delete | read, update | read |
| create, read, update, delete | read, update | read |
| create, read, update, delete | read, update | read |
| create, read, update, delete | read, update | read |
| create, read, update, delete | read, update | read |
| create, read, update, delete | read, update | read |
| create, read, update, delete | read, update | read |
1.1.2.2. Credentials role-based access control
The access to credentials is controlled by Kubernetes. Credentials are stored and secured as Kubernetes secrets. The following permissions apply to accessing secrets in Red Hat Advanced Cluster Management for Kubernetes:
- Users with access to create secrets in a namespace can create credentials.
- Users with access to read secrets in a namespace can also view credentials.
-
Users with the Kubernetes cluster roles of
admin
andedit
can create and edit secrets. -
Users with the Kubernetes cluster role of
view
cannot view secrets because reading the contents of secrets enables access to service account credentials.
1.1.2.3. Application lifecycle RBAC
When you create an application, the subscription
namespace is created and the configuration map is created in the subscription
namespace. You must also have access to the channel
namespace. When you want to apply a subscription, you must be a subscription administrator. For more information on managing applications, see Creating an allow and deny list as subscription administrator.
View the following application lifecycle RBAC operations:
To create and administer application on all managed clusters with a user named
username
:Create a cluster role binding to the
open-cluster-management:cluster-manager-admin
cluster role and bind it tousername
, run the following command:oc create clusterrolebinding <role-binding-name> --clusterrole=open-cluster-management:cluster-manager-admin --user=<username>
This role is a super user, which has access to all resources and actions. You can create the namespace for the application and all application resources in the namespace with this role.
Option: You can create applications that deploy resources to multiple namespaces:
Create a cluster role binding to the
open-cluster-management:subscription-admin
cluster role, and bind it to a user namedusername
. Run the following command:oc create clusterrolebinding <role-binding-name> --clusterrole=open-cluster-management:subscription-admin --user=<username>
To create and administer an application named
application-name
in thecluster-name
managed cluster, withusername
user:Create a cluster role binding to the
open-cluster-management:admin:
cluster role and bind it tousername
by entering the following command:oc create clusterrolebinding <role-binding-name> --clusterrole=open-cluster-management:admin:<cluster-name> --user=<username>
This role has read and write access to all
application
resources on the managed cluster,cluster-name
. Repeat this if access for other managed clusters is required.Create a namespace role binding to the
application
namespace using theadmin
role and bind it tousername
by entering the following command:oc create rolebinding <role-binding-name> -n <application-namespace> --clusterrole=admin --user=<username>
This role has read and write access to all
application
resources in theapplication
namspace. Repeat this if access for other applications is required or if the application deploys to multiple namespaces.
Option: You can create applications that deploy resources to multiple namespaces:
Create a cluster role binding to the open-cluster-management:subscription-admin cluster role and bind it to
username
by entering the following command:oc create clusterrolebinding <role-binding-name> --clusterrole=open-cluster-management:subscription-admin --user=<username>
To view an application on a managed cluster named
cluster-name
with the user namedusername
:Create a cluster role binding to the
open-cluster-management:view:
cluster role and bind it tousername
by entering the following command:oc create clusterrolebinding <role-binding-name> --clusterrole=open-cluster-management:view:<cluster-name> --user=<username>
This role has read access to all
application
resources on the managed cluster,cluster-name
. Repeat this if access for other managed clusters is required.Create a namespace role binding to the
application
namespace using theview
role and bind it tousername
. Enter the following command:oc create rolebinding <role-binding-name> -n <application-namespace> --clusterrole=view --user=<username>
This role has read access to all
application
resources in theapplication
namspace. Repeat this if access for other applications is required.
View the following console and API RBAC tables for Application lifecycle:
Resource | Admin | Edit | View |
---|---|---|---|
Application | create, read, update, delete | create, read, update, delete | read |
Channel | create, read, update, delete | create, read, update, delete | read |
Subscription | create, read, update, delete | create, read, update, delete | read |
Placement rule | create, read, update, delete | create, read, update, delete | read |
API | Admin | Edit | View |
---|---|---|---|
applications.app.k8s.io | create, read, update, delete | create, read, update, delete | read |
channels.apps.open-cluster-management.io | create, read, update, delete | create, read, update, delete | read |
deployables.apps.open-cluster-management.io | create, read, update, delete | create, read, update, delete | read |
helmreleases.apps.open-cluster-management.io | create, read, update, delete | create, read, update, delete | read |
placements.apps.open-cluster-management.io | create, read, update, delete | create, read, update, delete | read |
placementrules.apps.open-cluster-management.io | create, read, update, delete | create, read, update, delete | read |
subscriptions.apps.open-cluster-management.io | create, read, update, delete | create, read, update, delete | read |
configmaps | create, read, update, delete | create, read, update, delete | read |
secrets | create, read, update, delete | create, read, update, delete | read |
namespaces | create, read, update, delete | create, read, update, delete | read |
1.1.2.4. Governance lifecycle RBAC
When a policy is created, the policy is created in the cluster. Roles for the governance lifecycle are namespace-scoped. A user must also have access to the managed cluster.
To perform governance lifecycle operations, users must have access to the namespace where the policy is created, along with access to the managed cluster where the policy is applied.
View the following examples:
To create a policy in the
policy
namespace and apply it in a managed cluster namedcluster-name
:Create a namespace role binding to the
policy
namespace using theopen-cluster-management:admin:<cluster-name>
cluster role. Run the following command:oc create rolebinding <role-binding-name> -n <policy-namespace> --clusterrole=open-cluster-management:admin:<cluster-name> --user=<username>
To view a policy in a managed cluster:
Create a cluster role binding to
open-cluster-management:view:<cluster-name>
cluster role and bind it to theview
role with the following command:oc create clusterrolebinding <role-binding-name> --clusterrole=open-cluster-management:view:<cluster-name> --user=<username>
View the following console and API RBAC tables for governance lifecycle:
Resource | Admin | Edit | View |
---|---|---|---|
Policies | create, read, update, delete | read, update | read |
PlacementBindings | create, read, update, delete | read, update | read |
Placements | create, read, update, delete | read, update | read |
PlacementRules | create, read, update, delete | read, update | read |
PolicyAutomations | create, read, update, delete | read, update | read |
API | Admin | Edit | View |
---|---|---|---|
policies.policy.open-cluster-management.io | create, read, update, delete | read, update | read |
placementbindings.policy.open-cluster-management.io | create, read, update, delete | read, update | read |
policyautomations.policy.open-cluster-management.io | create, read, update, delete | read, update | read |
1.1.2.5. Observability RBAC
To view the observability metrics for a managed cluster, you must have view
access to that managed cluster on the hub cluster. View the following list of observability features:
Access managed cluster metrics.
Users are denied access to managed cluster metrics, if they are not assigned to the
view
role for the managed cluster on the hub cluster.- Search for resources.
To view observability data in Grafana, you must have a RoleBinding
resource in the same namespace of the managed cluster. View the following RoleBinding
example:
kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: <replace-with-name-of-rolebinding> namespace: <replace-with-name-of-managedcluster-namespace> subjects: - kind: <replace with User|Group|ServiceAccount> apiGroup: rbac.authorization.k8s.io name: <replace with name of User|Group|ServiceAccount> roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: view
See Role binding policy for more information. See Customizing observability to configure observability.
To manage components of observability, view the following API RBAC table:
API | Admin | Edit | View |
multiclusterobservabilities.observability.open-cluster-management.io | create, read, update, and delete | read, update | read |
| create, get, list, watch, update, delete, patch | - | - |
| get, list, watch | get, list, watch | get, list, watch |
To continue to learn more about securing your cluster, see Risk and compliance.