Chapter 1. Security
Manage your security and role-based access control (RBAC) of Red Hat Advanced Cluster Management for Kubernetes components. Govern your cluster with defined policies and processes to identify and minimize risks. Use policies to define rules and set controls.
Prerequisite: You must configure the authentication service requirements for Red Hat Advanced Cluster Management for Kubernetes to onboard workloads to Identity and Access Management (IAM). For more information, see Understanding authentication in the OpenShift Container Platform documentation.
Review the following topics to learn more about securing your cluster:
1.1. Role-based access control
Red Hat Advanced Cluster Management for Kubernetes supports role-based access control (RBAC). Your role determines the actions that you can perform. RBAC is based on the authorization mechanisms in Kubernetes, similar to OpenShift Container Platform. For more information about RBAC, see the OpenShift RBAC overview in the OpenShift Container Platform documentation.
View the following sections for details of supported RBAC by component:
1.1.1. Overview of roles
Some product resources are cluster-scoped and some are namespace-scoped. The following table lists the role definitions that are supported in Red Hat Advanced Cluster Management for Kubernetes:

| Role | Definition |
|---|---|
| cluster-admin | A user with cluster-wide binding to the |
| open-cluster-management:cluster-manager-admin | A user with cluster-wide binding to the |
| open-cluster-management:managed-cluster-x (admin) | A user with cluster binding to the |
| open-cluster-management:managed-cluster-x (viewer) | A user with cluster-wide binding to the |
| open-cluster-management:subscription-admin | A user with the |
| admin, edit, view | Admin, edit, and view are OpenShift Container Platform default roles. A user with a namespace-scoped binding to these roles has access to |
Important:
- Any user can create projects from OpenShift Container Platform, which grants that user the admin role in the new namespace. Review this default if you rely on namespace-scoped bindings to restrict access.
- If a user does not have role access to a cluster, the cluster name is not visible. The cluster name is displayed with the following symbol: `-`.
1.1.2. RBAC implementation
RBAC is validated at the API level. When a user attempts an action from the console, the resulting API request is allowed or rejected based on the permissions of the user's roles. View the following sections for more information on RBAC for specific lifecycles in the product.
1.1.2.1. Cluster lifecycle RBAC
To perform cluster lifecycle operations, users must have access to the managedcluster namespace and to the custom resource. A user with a cluster-wide binding to the admin or view role has admin or view access, respectively, to all managed clusters and namespaces.
View the following examples:

To view managedcluster x cluster information, the following roles are required:
- A cluster-wide binding to the view role for open-cluster-management.
- A namespace binding to the view role for namespace "X".

To perform an upgrade to managedcluster x, the following roles are required:
- A cluster-wide binding to the admin role for open-cluster-management.
- A namespace binding to the admin role for namespace "X".
View the following console and API RBAC tables for Cluster lifecycle:
| Action | Admin | Edit | View |
|---|---|---|---|
| Clusters | read, update, delete | read, update | read |
| Provider connections | create, read, update, and delete | create, read, update, and delete | No access |
| Bare metal | Yes | read, update | read |

| API | Admin | Edit | View |
|---|---|---|---|
| klusterletaddonconfigs.agent.open-cluster-management.io | create, read, update, delete | read, update | read |
| managedclusters.cluster.open-cluster-management.io | create, read, update, delete | read, update | read |
| managedclusteractions.action.open-cluster-management.io | create, read, update, delete | read, update | read |
| managedclusterviews.view.open-cluster-management.io | create, read, update, delete | read, update | read |
| managedclusterinfos.internal.open-cluster-management.io | create, read, update, delete | read, update | read |
| manifestworks.work.open-cluster-management.io | create, read, update, delete | read, update | read |
1.1.2.2. Application lifecycle RBAC
When you create an application, the subscription namespace is created and the configuration map is created in the subscription namespace. To apply a subscription, you must be a subscription administrator. For more information on managing applications, see Creating and managing subscriptions.
To perform Application lifecycle tasks, users must have access to the namespace where the application is created and to the managedcluster namespace. For example, the access required to create applications in namespace "N" is a namespace binding to the admin role for namespace "N".
View the following console and API RBAC tables for Application lifecycle:
| Action | Admin | Edit | View |
|---|---|---|---|
| Application | create, read, update, delete | create, read, update, delete | read |
| Channel | create, read, update, delete | create, read, update, delete | read |
| Subscription | create, read, update, delete | create, read, update, delete | read |
| Placement rule | create, read, update, delete | create, read, update, delete | read |

| API | Admin | Edit | View |
|---|---|---|---|
| applications.app.k8s.io | create, read, update, delete | create, read, update, delete | read |
| channels.apps.open-cluster-management.io | create, read, update, delete | create, read, update, delete | read |
| deployables.apps.open-cluster-management.io | create, read, update, delete | create, read, update, delete | read |
| helmreleases.apps.open-cluster-management.io | create, read, update, delete | create, read, update, delete | read |
| placementrules.apps.open-cluster-management.io | create, read, update, delete | create, read, update, delete | read |
| subscriptions.apps.open-cluster-management.io | create, read, update, delete | create, read, update, delete | read |
| configmaps | create, read, update, delete | create, read, update, delete | read |
| secrets | create, read, update, delete | create, read, update, delete | read |
| namespaces | create, read, update, delete | create, read, update, delete | read |
1.1.2.3. Governance lifecycle RBAC
To perform Governance lifecycle operations, users must have access to the namespace where a policy is created and to the managedcluster namespace. A user with a cluster-wide binding to the admin or view role has write or read access, respectively, to all policies and all managed clusters on the hub cluster.
View the following examples:

To view policies in namespace "N", the following role is required:
- A namespace binding to the view role for namespace "N".

To create a policy in namespace "N" and apply it on managedcluster x, the following roles are required:
- A namespace binding to the admin role for namespace "N".
- A namespace binding to the admin role for namespace "X".
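The cluster lifecycle, application lifecycle and governance lifecycle examples all reduce to the same question: which roles does a user hold cluster-wide, and which in each namespace. The following script, added here as an example and not part of Red Hat Advanced Cluster Management, reads a binding export in the shape of `oc get rolebindings,clusterrolebindings -A -o json`, transcribes the requirement lists from the three lifecycle sections, and reports which users meet them. The sample bindings, the namespaces "x" and "n", and the group membership are constructed for the example; the role ordering (admin over edit over view, and a cluster-wide binding covering every namespace) is an assumption drawn from the prose above, not an API the product exposes.

```python
"""Audit which hub-cluster users satisfy the binding rules stated in the
Cluster, Application and Governance lifecycle RBAC sections.

Added example, not part of Red Hat Advanced Cluster Management.  The
requirement tables below transcribe the chapter's examples; the role
hierarchy (admin > edit > view, cluster-wide binding covers every
namespace) is an assumption drawn from the prose.  The API server is the
authority: confirm any result with `oc auth can-i`.
"""
import json

# Constructed sample in the shape of
# `oc get rolebindings,clusterrolebindings -A -o json`, trimmed to the
# fields the rules need.  Namespace "x" is assumed to be the namespace of
# managed cluster x; "n" is a namespace holding policies and applications.
SAMPLE_BINDINGS = json.loads("""
{"items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "view-all"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "User", "name": "alice"}]},
 {"kind": "RoleBinding", "metadata": {"name": "x-admin", "namespace": "x"},
  "roleRef": {"kind": "ClusterRole", "name": "admin"},
  "subjects": [{"kind": "User", "name": "alice"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-ops"},
  "roleRef": {"kind": "ClusterRole", "name": "admin"},
  "subjects": [{"kind": "Group", "name": "cluster-operators"}]},
 {"kind": "RoleBinding", "metadata": {"name": "policy-authors", "namespace": "n"},
  "roleRef": {"kind": "ClusterRole", "name": "admin"},
  "subjects": [{"kind": "User", "name": "bob"}]},
 {"kind": "RoleBinding", "metadata": {"name": "x-view", "namespace": "x"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "User", "name": "bob"}]}
]}
""")

# Constructed group membership; OpenShift resolves groups from the identity provider.
SAMPLE_GROUPS = {"carol": {"cluster-operators"}}

# Strength ordering assumed from the chapter: each role includes the weaker ones.
ROLE_RANK = {"view": 1, "edit": 2, "admin": 3, "cluster-admin": 4}


def _subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False  # ServiceAccount subjects are out of scope for a user audit


def roles_for(user, bindings, groups=frozenset()):
    """Split the user's bindings into cluster-wide role names and a map of
    namespace -> role names.  Only roleRef.name matters: the chapter states
    its rules in terms of the admin/edit/view role names."""
    cluster_roles, ns_roles = set(), {}
    for binding in bindings["items"]:
        if not any(_subject_matches(s, user, groups) for s in binding.get("subjects", [])):
            continue
        role = binding["roleRef"]["name"]
        if binding["kind"] == "ClusterRoleBinding":
            cluster_roles.add(role)
        else:
            ns_roles.setdefault(binding["metadata"]["namespace"], set()).add(role)
    return cluster_roles, ns_roles


def _rank(roles):
    return max((ROLE_RANK.get(r, 0) for r in roles), default=0)


def satisfies(user, requirements, bindings, groups=frozenset()):
    """requirements is a list of (scope, role); scope "*" means a cluster-wide
    binding, anything else is a namespace.  A cluster-wide binding also
    satisfies a namespace requirement, matching the chapter's statement that
    cluster-wide admin/view grants that access to all managed clusters."""
    cluster_roles, ns_roles = roles_for(user, bindings, groups)
    cluster_rank = _rank(cluster_roles)
    for scope, role in requirements:
        have = cluster_rank if scope == "*" else max(cluster_rank, _rank(ns_roles.get(scope, ())))
        if have < ROLE_RANK[role]:
            return False
    return True


# Requirement tables transcribed from this chapter's examples.
def view_cluster(x):        return [("*", "view"), (x, "view")]     # 1.1.2.1
def upgrade_cluster(x):     return [("*", "admin"), (x, "admin")]   # 1.1.2.1
def create_application(n):  return [(n, "admin")]                   # 1.1.2.2
def view_policies(n):       return [(n, "view")]                    # 1.1.2.3
def create_policy(n, x):    return [(n, "admin"), (x, "admin")]     # 1.1.2.3


def who_can(requirements, bindings, groups_by_user):
    """Every User subject or group member in the export that meets the requirements."""
    users = {s["name"] for b in bindings["items"]
             for s in b.get("subjects", []) if s["kind"] == "User"}
    users |= set(groups_by_user)
    return sorted(u for u in users
                  if satisfies(u, requirements, bindings, groups_by_user.get(u, frozenset())))


if __name__ == "__main__":
    for label, req in [("view cluster x", view_cluster("x")),
                       ("upgrade cluster x", upgrade_cluster("x")),
                       ("create application in n", create_application("n")),
                       ("create policy in n for cluster x", create_policy("n", "x"))]:
        print(f"{label}: {who_can(req, SAMPLE_BINDINGS, SAMPLE_GROUPS)}")
```

With the constructed sample, alice (cluster-wide view plus admin in "x") can view cluster x but cannot upgrade it, because the upgrade rule needs a cluster-wide admin binding; bob (admin in "n", view in "x") can author policies in "n" but cannot apply them to cluster x without admin in "x"; carol inherits cluster-wide admin through her group and passes every check. Treat the report as an audit aid for spotting over-broad cluster-wide bindings, and confirm individual answers against the API server with `oc auth can-i <verb> <resource> --as <user>`.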
View the following console and API RBAC tables for Governance lifecycle:
| Action | Admin | Edit | View |
|---|---|---|---|
| Policies | create, read, update, delete | read | read |
| PlacementBindings | create, read, update, delete | read | read |
| PlacementRules | create, read, update, delete | read | read |

| API | Admin | Edit | View |
|---|---|---|---|
| policies.policy.open-cluster-management.io | create, read, update, delete | read | read |
| placementbindings.policy.open-cluster-management.io | create, read, update, delete | read | read |
To continue learning about securing your cluster, see Security.