# 2A Role-Based Access Control

2A leverages the Kubernetes RBAC system and provides a set of standard `ClusterRoles` with associated permissions. All `ClusterRoles` are created as part of the HMC Helm chart.

2A roles are based on labels and aggregated permissions, meaning they automatically collect rules from other `ClusterRoles` that carry specific labels.

The following table outlines the roles available in 2A, along with their respective read/write or read-only permissions:
| Roles | Global Admin | Global Viewer | Namespace Admin | Namespace Editor | Namespace Viewer |
|---|---|---|---|---|---|
| Scope | Global | Global | Namespace | Namespace | Namespace |
| 2A management | r/w | r/o | - | - | - |
| Namespaces management | r/w | r/o | - | - | - |
| Provider Templates | r/w | r/o | - | - | - |
| Global Template Management | r/w | r/o | - | - | - |
| Multi Cluster Service Management | r/w | r/o | - | - | - |
| Template Chain Management | r/w | r/o | r/w | r/o | r/o |
| Cluster and Service Templates | r/w | r/o | r/w | r/o | r/o |
| Credentials | r/w | r/o | r/w | r/o | r/o |
| Flux Helm objects | r/w | r/o | r/w | r/o | r/o |
| Managed Clusters | r/w | r/o | r/w | r/w | r/o |
## Roles definition

This section provides an overview of all `ClusterRoles` available in 2A.

Note: the names of the `ClusterRoles` may have a different prefix depending on the release name of the HMC Helm chart. The `ClusterRole` definitions below use the `hmc` prefix, which is the default name of the HMC Helm chart.
### Global Admin

The Global Admin role provides full administrative access across the whole 2A system.

Name: `hmc-global-admin-role`

Aggregation Rule: Includes all `ClusterRoles` with the labels:

- `hmc.mirantis.com/aggregate-to-global-admin: true`
- `hmc.mirantis.com/aggregate-to-namespace-admin: true`
- `hmc.mirantis.com/aggregate-to-namespace-editor: true`

Permissions:

- Full access to 2A API
- Full access to Flux Helm repositories and Helm charts
- Full access to Cluster API identities
- Full access to namespaces and secrets

Use case

A user with the Global Admin role is authorized to perform the following actions:

- Manage the 2A configuration
- Manage namespaces in the management cluster
- Manage `Provider Templates`: add new templates or remove unneeded ones
- Manage `Cluster` and `Service Templates` in any namespace, including adding and removing templates
- Manage Flux `HelmRepositories` and `HelmCharts` in any namespace
- Manage access rules for `Cluster` and `Service Templates`, including distributing templates across namespaces using `Template Chains`
- Manage upgrade sequences for `Cluster` and `Service Templates`
- Manage and deploy Services across multiple clusters in any namespace by modifying `MultiClusterService` resources
- Manage `ManagedClusters` in any namespace
- Manage `Credentials` and `secrets` in any namespace
- Upgrade 2A
- Uninstall 2A
### Global Viewer

The Global Viewer role grants read-only access across the 2A system. It does not permit any modifications, including the creation of clusters.

Name: `hmc-global-viewer-role`

Aggregation Rule: Includes all `ClusterRoles` with the labels:

- `hmc.mirantis.com/aggregate-to-global-viewer: true`
- `hmc.mirantis.com/aggregate-to-namespace-viewer: true`

Permissions:

- Read access to 2A API
- Read access to Flux Helm repositories and Helm charts
- Read access to Cluster API identities
- Read access to namespaces and secrets

Use case

A user with the Global Viewer role is authorized to perform the following actions:

- View the 2A configuration
- List namespaces available in the management cluster
- List and get detailed information about available `Provider Templates`
- List available `Cluster` and `Service Templates` in any namespace
- List and view detailed information about Flux `HelmRepositories` and `HelmCharts` in any namespace
- View access rules for `Cluster` and `Service Templates`, including `Template Chains`, in any namespace
- View full details about the created `MultiClusterService` objects
- List and view detailed information about `ManagedClusters` in any namespace
- List and view detailed information about created `Credentials` and `secrets` in any namespace
### Namespace Admin

The Namespace Admin role provides full administrative access within a namespace.

Name: `hmc-namespace-admin-role`

Aggregation Rule: Includes all `ClusterRoles` with the labels:

- `hmc.mirantis.com/aggregate-to-namespace-admin: true`
- `hmc.mirantis.com/aggregate-to-namespace-editor: true`

Permissions:

- Full access to `ManagedClusters`, `Credentials`, `Cluster` and `Service Templates` in the namespace
- Full access to `Template Chains` in the namespace
- Full access to Flux `HelmRepositories` and `HelmCharts` in the namespace

Use case

A user with the Namespace Admin role is authorized to perform the following actions within the namespace:

- Create and manage all `ManagedClusters` in the namespace
- Create and manage `Cluster` and `Service Templates` in the namespace
- Manage the distribution and upgrade sequences of Templates within the namespace
- Create and manage Flux `HelmRepositories` and `HelmCharts` in the namespace
- Manage `Credentials` created by any user in the namespace
### Namespace Editor

The Namespace Editor role allows users to create and modify `ManagedClusters` within a namespace using predefined `Credentials` and `Templates`.

Name: `hmc-namespace-editor-role`

Aggregation Rule: Includes all `ClusterRoles` with the label:

- `hmc.mirantis.com/aggregate-to-namespace-editor: true`

Permissions:

- Full access to `ManagedClusters` in the allowed namespace
- Read access to `Credentials`, `Cluster` and `Service Templates`, and `TemplateChains` in the namespace
- Read access to Flux `HelmRepositories` and `HelmCharts` in the namespace

Use case

A user with the Namespace Editor role has the following permissions in the namespace:

- Can create and manage `ManagedCluster` objects in the namespace using existing `Credentials` and `Templates`
- Can list and view detailed information about the `Credentials` available in the namespace
- Can list and view detailed information about the available `Cluster` and `Service Templates` and the upgrade sequences of those `Templates`
- Can list and view detailed information about the Flux `HelmRepositories` and `HelmCharts`
### Namespace Viewer

The Namespace Viewer role grants read-only access to resources within a namespace.

Name: `hmc-namespace-viewer-role`

Aggregation Rule: Includes all `ClusterRoles` with the label:

- `hmc.mirantis.com/aggregate-to-namespace-viewer: true`

Permissions:

- Read access to `ManagedClusters` in the namespace
- Read access to `Credentials`, `Cluster` and `Service Templates`, and `TemplateChains` in the namespace
- Read access to Flux `HelmRepositories` and `HelmCharts` in the namespace

Use case

A user with the Namespace Viewer role has the following permissions in the namespace:

- Can list and view detailed information about all the `ManagedCluster` objects in the allowed namespace
- Can list and view detailed information about `Credentials` available in the specific namespace
- Can list and view detailed information about available `Cluster` and `Service Templates` and the upgrade sequences of those `Templates`
- Can list and view detailed information about Flux `HelmRepositories` and `HelmCharts`
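As an added example (not code from the HMC chart or its documentation), the following Python models the label-based aggregation used by all five roles above: each aggregated role is the union of the rules of every `ClusterRole` whose labels match its aggregation rule, so one mislabelled source `ClusterRole` changes what several roles can do at once. The aggregated role names and label keys are the ones listed on this page; the source `ClusterRoles` in `SAMPLE_ROLES` and their rules are constructed for illustration.

```python
# Added example, not HMC's own code: models how the Kubernetes controller-manager
# builds the aggregated 2A ClusterRoles from the labels on this page, then lints
# for source ClusterRoles whose labels would widen a viewer role.
# Everything in SAMPLE_ROLES is constructed for illustration.

LABEL = "hmc.mirantis.com/aggregate-to-"

# Label suffixes each aggregated role selects (its Aggregation Rule on this page).
AGGREGATION_RULES = {
    "hmc-global-admin-role": ("global-admin", "namespace-admin", "namespace-editor"),
    "hmc-global-viewer-role": ("global-viewer", "namespace-viewer"),
    "hmc-namespace-admin-role": ("namespace-admin", "namespace-editor"),
    "hmc-namespace-editor-role": ("namespace-editor",),
    "hmc-namespace-viewer-role": ("namespace-viewer",),
}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

def rule(resource, verbs, group="hmc.mirantis.com"):
    return {"apiGroups": [group], "resources": [resource], "verbs": list(verbs)}

SAMPLE_ROLES = [  # constructed source ClusterRoles: name, labels, rules
    {"name": "managedcluster-editor", "labels": {LABEL + "namespace-editor": "true"},
     "rules": [rule("managedclusters", ["*"])]},
    {"name": "credential-viewer",
     "labels": {LABEL + "namespace-viewer": "true", LABEL + "namespace-editor": "true"},
     "rules": [rule("credentials", ["get", "list", "watch"])]},
    {"name": "credential-editor", "labels": {LABEL + "namespace-admin": "true"},
     "rules": [rule("credentials", ["*"])]},
    # Deliberately mislabelled: a write rule carrying a viewer label.
    {"name": "oops-secret-writer", "labels": {LABEL + "namespace-viewer": "true"},
     "rules": [rule("secrets", ["create"], group="")]},
]

def aggregate(role_name, cluster_roles):
    """Union of rules from every ClusterRole matching any selector of the role."""
    wanted = {LABEL + s for s in AGGREGATION_RULES[role_name]}
    rules = []
    for cr in cluster_roles:
        if any(cr["labels"].get(k) == "true" for k in wanted):
            rules.extend(cr["rules"])
    return rules

def allowed(role_name, cluster_roles, verb, resource):
    """True if the aggregated role permits verb on resource ('*' wildcards honoured)."""
    return any((verb in r["verbs"] or "*" in r["verbs"])
               and (resource in r["resources"] or "*" in r["resources"])
               for r in aggregate(role_name, cluster_roles))

def writes_reachable_by_viewers(cluster_roles):
    """Source ClusterRoles whose viewer label would pull write verbs into a read-only role."""
    viewer_labels = {LABEL + "global-viewer", LABEL + "namespace-viewer"}
    return sorted(cr["name"] for cr in cluster_roles
                  if viewer_labels & {k for k, v in cr["labels"].items() if v == "true"}
                  and any(WRITE_VERBS & set(r["verbs"]) for r in cr["rules"]))
```

`writes_reachable_by_viewers` is the check to run before labelling any `ClusterRole` with an `aggregate-to-*-viewer` label: every write verb it carries is inherited by the Namespace Viewer and, through the second label, the Global Viewer.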