---

copyright:
  years: 2014, 2018
lastupdated: "2018-11-15"

---

{:new_window: target="blank"} {:shortdesc: .shortdesc} {:screen: .screen} {:pre: .pre} {:table: .aria-labeledby="caption"} {:codeblock: .codeblock} {:tip: .tip} {:note: .note} {:important: .important} {:deprecated: .deprecated} {:download: .download}

# User access permissions
{: #understanding}

When you assign cluster permissions, it can be hard to judge which role you need to assign to a user. Use the tables in the following sections to determine the minimum level of permissions that are required to perform common tasks in {{site.data.keyword.containerlong}}.
{: shortdesc}

## {{site.data.keyword.Bluemix_notm}} IAM platform and Kubernetes RBAC
{: #platform}

{{site.data.keyword.containerlong_notm}} is configured to use {{site.data.keyword.Bluemix_notm}} Identity and Access Management (IAM) roles. {{site.data.keyword.Bluemix_notm}} IAM platform roles determine the actions that users can perform on a cluster. Every user who is assigned a platform role is also automatically assigned a corresponding Kubernetes role-based access control (RBAC) role in the default namespace. Additionally, platform roles automatically set basic infrastructure permissions for users. To set policies, see Assigning {{site.data.keyword.Bluemix_notm}} IAM platform permissions. To learn more about RBAC roles, see Assigning RBAC permissions.

The following table shows the cluster management permissions granted by each platform role and the Kubernetes resource permissions for the corresponding RBAC roles.

| Platform role | Cluster management permissions | Corresponding RBAC role and resource permissions |
|---|---|---|
| **Viewer** | Cluster:<ul><li>View the name and email address for the owner of the {{site.data.keyword.Bluemix_notm}} IAM API key for a resource group and region</li><li>If your {{site.data.keyword.Bluemix_notm}} account uses different credentials to access the IBM Cloud infrastructure (SoftLayer) portfolio, view the infrastructure user name</li><li>List all or view details for clusters, worker nodes, worker pools, services in a cluster, and webhooks</li><li>View the VLAN spanning status for the infrastructure account</li><li>List available subnets in the infrastructure account</li><li>When set for one cluster: List VLANs that the cluster is connected to in a zone</li><li>When set for all clusters in the account: List all available VLANs in a zone</li></ul>Logging:<ul><li>View the default logging endpoint for the target region</li><li>List or view details for log forwarding and filtering configurations</li><li>View the status for automatic updates of the Fluentd add-on</li></ul>Ingress:<ul><li>List all or view details for ALBs in a cluster</li><li>View ALB types that are supported in the region</li></ul> | The <code>view</code> cluster role is applied by the <code>ibm-view</code> role binding, providing the following permissions in the <code>default</code> namespace:<ul><li>Read access to resources inside the <code>default</code> namespace</li><li>No read access to Kubernetes secrets</li></ul> |
| **Editor** | Tip: Use this role for app developers, and assign the Cloud Foundry <strong>Developer</strong> role.<br><br>This role has all permissions from the Viewer role, plus the following:<br><br>Cluster:<ul><li>Bind and unbind {{site.data.keyword.Bluemix_notm}} services to a cluster</li></ul>Logging:<ul><li>Create, update, and delete API server audit webhooks</li><li>Create cluster webhooks</li><li>Create and delete log forwarding configurations for all types except <code>kube-audit</code></li><li>Update and refresh log forwarding configurations</li><li>Create, update, and delete log filtering configurations</li></ul>Ingress:<ul><li>Enable or disable ALBs</li></ul> | The <code>edit</code> cluster role is applied by the <code>ibm-edit</code> role binding, providing the following permissions in the <code>default</code> namespace:<ul><li>Read/write access to resources inside the <code>default</code> namespace</li></ul> |
| **Operator** | This role has all permissions from the Viewer role, plus the following:<br><br>Cluster:<ul><li>Update a cluster</li><li>Refresh the Kubernetes master</li><li>Add and remove worker nodes</li><li>Reboot, reload, and update worker nodes</li><li>Create and delete worker pools</li><li>Add and remove zones from worker pools</li><li>Update the network configuration for a given zone in worker pools</li><li>Resize and rebalance worker pools</li><li>Create and add subnets to a cluster</li><li>Add and remove user-managed subnets to and from a cluster</li></ul> | The <code>admin</code> cluster role is applied by the <code>ibm-operate</code> cluster role binding, providing the following permissions:<ul><li>Read/write access to resources inside a namespace but not to the namespace itself</li><li>Create RBAC roles within a namespace</li></ul> |
| **Administrator** | This role has all permissions from the Editor, Operator, and Viewer roles for all clusters in this account, plus the following:<br><br>Cluster:<ul><li>Create free or standard clusters</li><li>Delete clusters</li><li>Encrypt Kubernetes secrets by using {{site.data.keyword.keymanagementservicefull}}</li><li>Set the API key for the {{site.data.keyword.Bluemix_notm}} account to access the linked IBM Cloud infrastructure (SoftLayer) portfolio</li><li>Set, view, and remove infrastructure credentials for the {{site.data.keyword.Bluemix_notm}} account to access a different IBM Cloud infrastructure (SoftLayer) portfolio</li><li>Assign and change {{site.data.keyword.Bluemix_notm}} IAM platform roles for other existing users in the account</li><li>When set for all {{site.data.keyword.containerlong_notm}} instances (clusters) in all regions: List all available VLANs in the account</li></ul>Logging:<ul><li>Create and update log forwarding configurations for type <code>kube-audit</code></li><li>Collect a snapshot of API server logs in an {{site.data.keyword.cos_full_notm}} bucket</li><li>Enable and disable automatic updates for the Fluentd cluster add-on</li></ul>Ingress:<ul><li>List all or view details for ALB secrets in a cluster</li><li>Deploy a certificate from your {{site.data.keyword.cloudcerts_long_notm}} instance to an ALB</li><li>Update or remove ALB secrets from a cluster</li></ul>Note: To create resources such as machines, VLANs, and subnets, Administrator users need the <strong>Super user</strong> infrastructure role. | The <code>cluster-admin</code> cluster role is applied by the <code>ibm-admin</code> cluster role binding, providing the following permissions:<ul><li>Read/write access to resources in every namespace</li><li>Create RBAC roles within a namespace</li><li>Access the Kubernetes dashboard</li><li>Create an Ingress resource that makes apps publicly available</li></ul> |
{: caption="Cluster management permissions by platform and RBAC role" caption-side="top"}
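The RBAC column of the table states what each binding grants, but not how Kubernetes arrives at an allow or deny for a single request. The following example, added here and not part of the IBM Cloud documentation or the service's own manifests, models the API server's rule matching: a request (verb, API group, resource) is allowed when any rule in any role bound to the user in that namespace matches all three fields, with `*` as a wildcard. The `view`, `edit` and `cluster-admin` rules, the binding subjects and the user names are constructed to mirror the behaviour described above (Viewer reads the `default` namespace but not secrets; Editor reads and writes it; Administrator reaches every namespace); they are not the real role definitions. The closing `secret_readers` function is the check a defender would run to confirm that the Viewer-equivalent binding leaks no secrets.

```python
"""Minimal Kubernetes RBAC evaluator (added example; not IBM's code).

Roles, bindings and users below are CONSTRUCTED to mirror the page's
description of the ibm-view, ibm-edit and ibm-admin bindings. Real
roles also carry resourceNames and nonResourceURLs; those are omitted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: tuple   # "" is the core API group; "*" matches any group
    resources: tuple    # e.g. "pods", "secrets"; "*" matches any resource
    verbs: tuple        # e.g. "get", "delete"; "*" matches any verb


@dataclass
class Role:
    name: str
    rules: list


@dataclass
class RoleBinding:
    name: str
    namespace: str      # "*" stands in for a ClusterRoleBinding
    role: str
    subjects: tuple     # user names (constructed)


READ = ("get", "list", "watch")
WRITE = READ + ("create", "update", "patch", "delete")

# Constructed roles: "secrets" is deliberately absent from "view", matching
# the page's "No read access to Kubernetes secrets" for the Viewer role.
ROLES = {
    "view": Role("view", [
        Rule(("",), ("pods", "services", "configmaps", "persistentvolumeclaims"), READ),
        Rule(("apps",), ("deployments", "replicasets", "statefulsets", "daemonsets"), READ),
    ]),
    "edit": Role("edit", [
        Rule(("",), ("pods", "services", "configmaps", "secrets", "persistentvolumeclaims"), WRITE),
        Rule(("apps",), ("deployments", "replicasets", "statefulsets", "daemonsets"), WRITE),
    ]),
    "cluster-admin": Role("cluster-admin", [Rule(("*",), ("*",), ("*",))]),
}

# Constructed bindings; binding names follow the page, subjects are made up.
BINDINGS = [
    RoleBinding("ibm-view", "default", "view", ("viewer@example.com",)),
    RoleBinding("ibm-edit", "default", "edit", ("dev@example.com",)),
    RoleBinding("ibm-admin", "*", "cluster-admin", ("admin@example.com",)),
]


def _match(allowed, wanted):
    """A rule field matches if it lists the wanted value or the wildcard."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, verb, api_group, resource):
    """All three fields of a rule must match for the rule to apply."""
    return (_match(rule.api_groups, api_group)
            and _match(rule.resources, resource)
            and _match(rule.verbs, verb))


def can_i(user, verb, resource, namespace="default", api_group=""):
    """True if any binding for `user` that covers `namespace` has a matching rule.

    Like the API server, this is allow-only: there are no deny rules, so the
    first matching rule wins and an unmatched request is denied.
    """
    for binding in BINDINGS:
        if user not in binding.subjects:
            continue
        if binding.namespace not in ("*", namespace):
            continue
        if any(rule_allows(r, verb, api_group, resource) for r in ROLES[binding.role].rules):
            return True
    return False


def secret_readers(namespace="default"):
    """Defender's check: which bound users can read secrets in a namespace?"""
    users = {u for b in BINDINGS for u in b.subjects}
    return sorted(u for u in users if can_i(u, "get", "secrets", namespace))


if __name__ == "__main__":
    for user in ("viewer@example.com", "dev@example.com", "admin@example.com"):
        print(user, "get pods:", can_i(user, "get", "pods"),
              "get secrets:", can_i(user, "get", "secrets"))
    print("secret readers in default:", secret_readers())
```

On a live cluster the same question is answered by `kubectl auth can-i get secrets -n default --as=<user>`, and `kubectl get rolebinding -n default` shows which of the `ibm-*` bindings a user appears in; the model above is useful for reasoning about a proposed role change before it is applied.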

## Cloud Foundry roles
{: #cloud-foundry}

Cloud Foundry roles grant access to organizations and spaces within the account. To see the list of Cloud Foundry-based services in {{site.data.keyword.Bluemix_notm}}, run `ibmcloud service list`. To learn more, see all available org and space roles or the steps for managing Cloud Foundry access in the {{site.data.keyword.Bluemix_notm}} IAM documentation.

The following table shows the Cloud Foundry roles required for cluster action permissions.

| Cloud Foundry role | Cluster management permissions |
|---|---|
| Space role: Manager | Manage user access to an {{site.data.keyword.Bluemix_notm}} space |
| Space role: Developer | <ul><li>Create {{site.data.keyword.Bluemix_notm}} service instances</li><li>Bind {{site.data.keyword.Bluemix_notm}} service instances to clusters</li><li>View logs from a cluster's log forwarding configuration at the space level</li></ul> |
{: caption="Cluster management permissions by Cloud Foundry role" caption-side="top"}

## Infrastructure roles
{: #infra}

When a user with the Super User infrastructure access role sets the API key for a region and resource group, infrastructure permissions for the other users in the account are set by {{site.data.keyword.Bluemix_notm}} IAM platform roles. You do not need to edit the other users' IBM Cloud infrastructure (SoftLayer) permissions. Only use the following table to customize users' IBM Cloud infrastructure (SoftLayer) permissions when you can't assign Super User to the user who sets the API key. For more information, see Customizing infrastructure permissions.

The following table shows the infrastructure permissions required to complete groups of common tasks.

| Common tasks in {{site.data.keyword.containerlong_notm}} | Required infrastructure permissions by tab |
|---|---|
| Minimum permissions:<ul><li>Create a cluster.</li></ul> | Devices:<ul><li>View Virtual Server Details</li><li>Reboot server and view IPMI system information</li><li>Issue OS Reloads and Initiate Rescue Kernel</li></ul>Account:<ul><li>Add Server</li></ul> |
| Cluster Administration:<ul><li>Create, update, and delete clusters.</li><li>Add, reload, and reboot worker nodes.</li><li>View VLANs.</li><li>Create subnets.</li><li>Deploy pods and load balancer services.</li></ul> | Support:<ul><li>View Tickets</li><li>Add Tickets</li><li>Edit Tickets</li></ul>Devices:<ul><li>View Hardware Details</li><li>View Virtual Server Details</li><li>Reboot server and view IPMI system information</li><li>Issue OS Reloads and Initiate Rescue Kernel</li></ul>Network:<ul><li>Add Compute with Public Network Port</li></ul>Account:<ul><li>Cancel Server</li><li>Add Server</li></ul> |
| Storage:<ul><li>Create persistent volume claims to provision persistent volumes.</li><li>Create and manage storage infrastructure resources.</li></ul> | Services:<ul><li>Manage Storage</li></ul>Account:<ul><li>Add Storage</li></ul> |
| Private Networking:<ul><li>Manage private VLANs for in-cluster networking.</li><li>Set up VPN connectivity to private networks.</li></ul> | Network:<ul><li>Manage Network Subnet Routes</li></ul> |
| Public Networking:<ul><li>Set up public load balancer or Ingress networking to expose apps.</li></ul> | Devices:<ul><li>Edit Hostname/Domain</li><li>Manage Port Control</li></ul>Network:<ul><li>Add Compute with Public Network Port</li><li>Manage Network Subnet Routes</li><li>Add IP Addresses</li></ul>Services:<ul><li>Manage DNS, Reverse DNS, and WHOIS</li><li>View Certificates (SSL)</li><li>Manage Certificates (SSL)</li></ul> |
{: caption="Commonly required infrastructure permissions for {{site.data.keyword.containerlong_notm}}" caption-side="top"}