diff --git a/secure_clusters/rbac.adoc b/secure_clusters/rbac.adoc index 7e35c21de3..556388488f 100644 --- a/secure_clusters/rbac.adoc +++ b/secure_clusters/rbac.adoc 
@@ -46,4 +46,158 @@ Some product resources are cluster-wide and some are namespace-scoped. You must * If a user does not have role access to a cluster, the cluster name is not displayed. The cluster name might be displayed with the following symbol: `-`. -See xref:../secure_clusters/rbac_implement_rhacm.adoc#rhacm-rbac-implement[Implementing role-based access control] for more details. +[#console-api-rbac] +== Console and API RBAC tables + +To understand the role-based access control of the components, view the following console and API RBAC tables: + +.Console RBAC table for Application lifecycle +|=== +| Resource | Admin | Edit | View + +| Application +| create, read, update, delete +| create, read, update, delete +| read + +| Channel +| create, read, update, delete +| create, read, update, delete +| read + +| Subscription +| create, read, update, delete +| create, read, update, delete +| read +|=== + +.API RBAC table for Application lifecycle +|=== +| API | Admin | Edit | View + +| `applications.app.k8s.io` +| create, read, update, delete +| create, read, update, delete +| read + +| `channels.apps.open-cluster-management.io` +| create, read, update, delete +| create, read, update, delete +| read + +| `deployables.apps.open-cluster-management.io` (Deprecated) +| create, read, update, delete +| create, read, update, delete +| read + +| `helmreleases.apps.open-cluster-management.io` +| create, read, update, delete +| create, read, update, delete +| read + +| `placements.apps.open-cluster-management.io` +| create, read, update, delete +| create, read, update, delete +| read + +| `placementrules.apps.open-cluster-management.io` (Deprecated) +| create, read, update, delete +| create, read, update, delete +| read + +| `subscriptions.apps.open-cluster-management.io` +| create, read, update, delete +| create, read, update, delete +| read + +| `configmaps` +| create, read, update, delete +| create, read, update, delete +| read + +| `secrets` +| create, read, update, 
delete +| create, read, update, delete +| read + +| `namespaces` +| create, read, update, delete +| create, read, update, delete +| read +|=== + + +.Console RBAC table for Governance +|=== +| Resource | Admin | Edit | View + +| Policies +| create, read, update, delete +| read, update +| read + +| PlacementBindings +| create, read, update, delete +| read, update +| read + +| Placements +| create, read, update, delete +| read, update +| read + +| PlacementRules (deprecated) +| create, read, update, delete +| read, update +| read + +| PolicyAutomations +| create, read, update, delete +| read, update +| read +|=== + +.API RBAC table for Governance +|=== +| API | Admin | Edit | View + +| `policies.policy.open-cluster-management.io` +| create, read, update, delete +| read, update +| read + +| `placementbindings.policy.open-cluster-management.io` +| create, read, update, delete +| read, update +| read + +| `policyautomations.policy.open-cluster-management.io` +| create, read, update, delete +| read, update +| read +|=== + + +.API RBAC table for Observability +|=== +| API | Admin | Edit | View +| `multiclusterobservabilities.observability.open-cluster-management.io` +| create, read, update, and delete +| read, update +| read + +| `searchcustomizations.search.open-cluster-management.io` +| create, get, list, watch, update, delete, patch +| - +| - + +| `policyreports.wgpolicyk8s.io` +| get, list, watch +| get, list, watch +| get, list, watch +|=== + +[#rbac-add-resources] +== Additional resources + +- To understand the actions you can complete for each component, see xref:../secure_clusters/rbac_implement_rhacm.adoc#rhacm-rbac-implement[Implementing role-based access control] for more details. diff --git a/secure_clusters/rbac_implement_rhacm.adoc b/secure_clusters/rbac_implement_rhacm.adoc index 807443bda0..9f00f33b0e 100644 --- a/secure_clusters/rbac_implement_rhacm.adoc +++ b/secure_clusters/rbac_implement_rhacm.adoc 
@@ -7,36 +7,86 @@ The {mce-short} is a prerequisite and the cluster lifecycle function of {acm-sho View the following sections for more information on RBAC for specific lifecycles for {acm-short}: +* <> * <> -** <> * <> -** <> * <> -** <> + +[#cluster-mgmnt-RBAC] +== Cluster management RBAC + +To perform cluster management actions, you need access to your managed and hub cluster. If you want to create multiple cluster role bindings, you can use the `clusterRoleBindings` field to create multiple cluster role bindings in a single `ClusterPermission` resource. + +Complete the following step to create a `ClusterPermission` resource for creating multiple cluster role bindings: + +. To create a `ClusterPermission` resource to have many cluster role bindings, run the following command: + ++ +[source,bash] +---- +oc notsure what the rest mght be if there is a command +---- ++ +Your resource might resemble the following YAML with the specified `clusterRoleBindings` field: + ++ +[source,yaml] +---- +apiVersion: rbac.open-cluster-management.io/v1alpha1 +kind: ClusterPermission +metadata: + name: clusterpermission-multiple-clusterrolebindings +spec: + clusterRoleBindings: + - name: multi-crb-binding1 + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argocd-application-controller-1 + subject: + kind: User + name: user1 + - name: multi-crb-binding2 + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argocd-application-controller-3 + subjects: + - kind: User + name: user2 + - kind: Group + name: group1 +---- [#application-lifecycle-RBAC] == Application lifecycle RBAC -When you create an application, the `_subscription_` namespace is created and the configuration map is created in the `_subscription_` namespace. You must also have access to the `_channel_` namespace. When you want to apply a subscription, you must be a subscription administrator. 
For more information on managing applications, see link:../applications/allow_deny.adoc#creating-allow-deny-list[Creating an allow and deny list as subscription administrator]. +When you create an application, the `_subscription_` namespace is created and the configuration map is created in the `_subscription_` namespace. You must also have access to the `_channel_` namespace. When you want to apply a subscription, you must be a subscription administrator. For more information about managing applications, see link:../applications/allow_deny.adoc#creating-allow-deny-list[Creating an allow and deny list as subscription administrator]. View the following application lifecycle RBAC operations: - Create and administer applications on all managed clusters with a user named `username`. You must create a cluster role binding and bind it to `username`. Run the following command: + + +[source,bash] ---- oc create clusterrolebinding --clusterrole=open-cluster-management:cluster-manager-admin --user= ---- + -This role is a super user, which has access to all resources and actions. You can create the namespace for the application and all application resources in the namespace with this role. +This role is a superuser, which has access to all resources and actions. You can create the namespace for the application and all application resources in the namespace with this role. - Create applications that deploy resources to multiple namespaces. You must create a cluster role binding to the `open-cluster-management:subscription-admin` cluster role, and bind it to a user named `username`. Run the following command: + + +[source,bash] ---- oc create clusterrolebinding --clusterrole=open-cluster-management:subscription-admin --user= ---- - Create and administer applications in the `cluster-name` managed cluster, with the `username` user. 
You must create a cluster role binding to the `open-cluster-management:admin:` cluster role and bind it to `username` by entering the following command: + + +[source,bash] ---- oc create clusterrolebinding --clusterrole=open-cluster-management:admin: --user= ---- @@ -44,7 +94,9 @@ oc create clusterrolebinding --clusterrole=open-cluster-mana This role has read and write access to all `application` resources on the managed cluster, `cluster-name`. Repeat this if access for other managed clusters is required. - Create a namespace role binding to the `application` namespace using the `admin` role and bind it to `username` by entering the following command: + + +[source,bash] ---- oc create rolebinding -n --clusterrole=admin --user= ---- @@ -52,13 +104,17 @@ oc create rolebinding -n --clusterro This role has read and write access to all `application` resources in the `application` namspace. Repeat this if access for other applications is required or if the application deploys to multiple namespaces. - You can create applications that deploy resources to multiple namespaces. Create a cluster role binding to the `open-cluster-management:subscription-admin` cluster role and bind it to `username` by entering the following command: + + +[source,bash] ---- oc create clusterrolebinding --clusterrole=open-cluster-management:subscription-admin --user= ---- - To view an application on a managed cluster named `cluster-name` with the user named `username`, create a cluster role binding to the `open-cluster-management:view:` cluster role and bind it to `username`. Enter the following command: + + +[source,bash] ---- oc create clusterrolebinding --clusterrole=open-cluster-management:view: --user= ---- 
@@ -66,182 +122,54 @@ oc create clusterrolebinding --clusterrole=open-cluster-mana This role has read access to all `application` resources on the managed cluster, `cluster-name`. Repeat this if access for other managed clusters is required. - Create a namespace role binding to the `application` namespace using the `view` role and bind it to `username`. Enter the following command: + + +[source,bash] ---- oc create rolebinding -n --clusterrole=view --user= ---- + This role has read access to all `application` resources in the `application` namspace. Repeat this if access for other applications is required. -[#console-api-rbac-application] -=== Console and API RBAC table for application lifecycle - -View the following console and API RBAC tables for Application lifecycle: - -.Console RBAC table for application lifecycle -|=== -| Resource | Admin | Edit | View - -| Application -| create, read, update, delete -| create, read, update, delete -| read - -| Channel -| create, read, update, delete -| create, read, update, delete -| read - -| Subscription -| create, read, update, delete -| create, read, update, delete -| read - -|=== - -.API RBAC table for application lifecycle -|=== -| API | Admin | Edit | View - -| `applications.app.k8s.io` -| create, read, update, delete -| create, read, update, delete -| read - -| `channels.apps.open-cluster-management.io` -| create, read, update, delete -| create, read, update, delete -| read - -| `deployables.apps.open-cluster-management.io` -| create, read, update, delete -| create, read, update, delete -| read - -| `helmreleases.apps.open-cluster-management.io` -| create, read, update, delete -| create, read, update, delete -| read - -| `placements.apps.open-cluster-management.io` -| create, read, update, delete -| create, read, update, delete -| read - -| `placementrules.apps.open-cluster-management.io` (Deprecated) -| create, read, update, delete -| create, read, update, delete -| read - -| 
`subscriptions.apps.open-cluster-management.io` -| create, read, update, delete -| create, read, update, delete -| read - -| `configmaps` -| create, read, update, delete -| create, read, update, delete -| read - -| `secrets` -| create, read, update, delete -| create, read, update, delete -| read - -| `namespaces` -| create, read, update, delete -| create, read, update, delete -| read -|=== - - [#governance-lifecycle-RBAC] -== Governance lifecycle RBAC +== Governance RBAC -To perform governance lifecycle operations, you need access to the namespace where the policy is created, along with access to the managed cluster where the policy is applied. The managed cluster must also be part of a `ManagedClusterSet` that is bound to the namespace. To continue to learn about `ManagedClusterSet`, see link:../clusters/cluster_lifecycle/clusterset_intro.adoc#managedclustersets-intro[ManagedClusterSets Introduction]. +To perform Governance operations, you need access to the namespace where the policy is created, along with access to the managed cluster where the policy is applied. The managed cluster must also be part of a `ManagedClusterSet` that is bound to the namespace. To continue to learn about `ManagedClusterSet`, see link:../clusters/cluster_lifecycle/clusterset_intro.adoc#managedclustersets-intro[ManagedClusterSets Introduction]. 
After you select a namespace, such as `rhacm-policies`, with one or more bound `ManagedClusterSets`, and after you have access to create `Placement` objects in the namespace, view the following operations: - To create a `ClusterRole` named `rhacm-edit-policy` with `Policy`, `PlacementBinding`, and `PolicyAutomation` edit access, run the following command: + + +[source,bash] ---- oc create clusterrole rhacm-edit-policy --resource=policies.policy.open-cluster-management.io,placementbindings.policy.open-cluster-management.io,policyautomations.policy.open-cluster-management.io,policysets.policy.open-cluster-management.io --verb=create,delete,get,list,patch,update,watch ---- - To create a policy in the `rhacm-policies` namespace, create a namespace `RoleBinding`, such as `rhacm-edit-policy`, to the `rhacm-policies` namespace using the `ClusterRole` created previously. Run the following command: + + +[source,bash] ---- oc create rolebinding rhacm-edit-policy -n rhacm-policies --clusterrole=rhacm-edit-policy --user= ---- - To view policy status of a managed cluster, you need permission to view policies in the managed cluster namespace on the hub cluster. 
If you do not have `view` access, such as through the OpenShift `view` `ClusterRole`, create a `ClusterRole`, such as `rhacm-view-policy`, with view access to policies with the following command: + + +[source,bash] ---- oc create clusterrole rhacm-view-policy --resource=policies.policy.open-cluster-management.io --verb=get,list,watch ---- - To bind the new `ClusterRole` to the managed cluster namespace, run the following command to create a namespace `RoleBinding`: + + +[source,bash] ---- oc create rolebinding rhacm-view-policy -n --clusterrole=rhacm-view-policy --user= ---- -[#console-api-rbac-gov] -=== Console and API RBAC table for governance lifecycle - -View the following console and API RBAC tables for governance lifecycle: - -.Console RBAC table for governance lifecycle -|=== -| Resource | Admin | Edit | View - -| Policies -| create, read, update, delete -| read, update -| read - -| PlacementBindings -| create, read, update, delete -| read, update -| read - -| Placements -| create, read, update, delete -| read, update -| read - -| PlacementRules (deprecated) -| create, read, update, delete -| read, update -| read - -| PolicyAutomations -| create, read, update, delete -| read, update -| read -|=== - -.API RBAC table for governance lifecycle -|=== -| API | Admin | Edit | View - -| `policies.policy.open-cluster-management.io` -| create, read, update, delete -| read, update -| read - -| `placementbindings.policy.open-cluster-management.io` -| create, read, update, delete -| read, update -| read - -| `policyautomations.policy.open-cluster-management.io` -| create, read, update, delete -| read, update -| read -|=== - - [#observability-RBAC] == Observability RBAC 
@@ -250,19 +178,25 @@ To view the observability metrics for a managed cluster, you must have `view` ac * Access managed cluster metrics. + Users are denied access to managed cluster metrics, if they are not assigned to the `view` role for the managed cluster on the hub cluster. Run the following command to verify if a user has the authority to create a `managedClusterView` role in the managed cluster namespace: + + +[source,bash] ---- oc auth can-i create ManagedClusterView -n --as= ---- + As a cluster administrator, create a `managedClusterView` role in the managed cluster namespace. Run the following command: + + +[source,bash] ---- oc create role create-managedclusterview --verb=create --resource=managedclusterviews -n ---- + Then apply and bind the role to a user by creating a role bind. Run the following command: + + +[source,bash] ---- oc create rolebinding user-create-managedclusterview-binding --role=create-managedclusterview --user= -n ---- @@ -270,7 +204,9 @@ oc create rolebinding user-create-managedclusterview-binding --role=create-manag * Search for resources. + To verify if a user has access to resource types, use the following command: + + +[source,bash] ---- oc auth can-i list -n --as= ---- 
@@ -300,28 +236,5 @@ roleRef: See link:../governance/rolebinding_policy.adoc#role-binding-policy[Role binding policy] for more information. See link:../observability/adv_config_obs.adoc#adv-config-obs[Observability advanced configuration] to configure observability. -[#console-api-rbac-obs] -=== Console and API RBAC table for observability lifecycle - -To manage components of observability, view the following API RBAC table: - -.API RBAC table for observability - -|=== -| API | Admin | Edit | View -| `multiclusterobservabilities.observability.open-cluster-management.io` -| create, read, update, and delete -| read, update -| read - -| `searchcustomizations.search.open-cluster-management.io` -| create, get, list, watch, update, delete, patch -| - -| - -| `policyreports.wgpolicyk8s.io` -| get, list, watch -| get, list, watch -| get, list, watch -|=== diff --git a/secure_clusters/securing_cluster_intro.adoc b/secure_clusters/securing_cluster_intro.adoc index fd974b4cf5..83b01c14a7 100644 --- a/secure_clusters/securing_cluster_intro.adoc +++ b/secure_clusters/securing_cluster_intro.adoc @@ -1,6 +1,5 @@ [#securing-cluster-intro] = Securing clusters -//note the name change here and please check any links to this. You might need to manually create and manage the access control on your cluster. To do this, you must configure _authentication_ service requirements for {acm} to onboard workloads to Identity and Access Management (IAM).
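Review bot: In the rbac.adoc hunk (@@ -46,4 +46,158 @@), the Observability API table's header line `| API | Admin | Edit | View` is followed directly by the `multiclusterobservabilities` row with no blank line in between, so AsciiDoc will treat it as an ordinary data row instead of an implicit header; the other three tables have the blank line, so add it here too. The same table also says "create, read, update, and delete" where every other cell in the file says "create, read, update, delete", and the `searchcustomizations` row mixes Kubernetes verbs (get, list, watch, patch) with the read/update vocabulary used in the rest of the tables; pick one vocabulary per table. Finally, the Governance console table lists Placements and PlacementRules (deprecated), but the Governance API table has no matching API rows, so a reader cannot map those console resources to an API group the way they can for Policies, PlacementBindings and PolicyAutomations.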
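Review bot: In the rbac_implement_rhacm.adoc hunk (@@ -7,36 +7,86 @@), the new `[source,bash]` block under "Cluster management RBAC" still contains the placeholder `oc notsure what the rest mght be if there is a command`; this cannot ship as written. Since the step creates a `ClusterPermission` resource from the YAML that follows, the usual pattern is to save that YAML to a file and apply it, for example `oc apply -f <your-file>.yaml`, and to reorder the step so the YAML is shown before the command that applies it. The YAML sample itself is inconsistent: `multi-crb-binding1` uses a singular `subject:` map while `multi-crb-binding2` uses a `subjects:` list; check the `ClusterPermission` CRD (`rbac.open-cluster-management.io/v1alpha1`) and use the field name the schema actually accepts in both entries, otherwise one of the two bindings will be rejected or silently ignored. "Complete the following step" also introduces a one-item ordered list; either fold it into the paragraph or make it a plain instruction.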
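Review bot: In hunk @@ -52,13 +104,17 @@, the unchanged context line "read and write access to all `application` resources in the `application` namspace" has the typo "namspace"; since the surrounding lines are being touched anyway, fix the spelling here. The same typo recurs in the next hunk (@@ -66,182 +122,54 @@) in the `view` role paragraph.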
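Review bot: In hunk @@ -66,182 +122,54 @@, deleting the `[#console-api-rbac-application]` and `[#console-api-rbac-gov]` anchors will break any existing xref that targets them; the tables now sit under `[#console-api-rbac]` in rbac.adoc, so grep the repository for both ids and retarget the references (or keep the old ids as secondary anchors on the new section). The move is also not a pure move: the removed API table listed `deployables.apps.open-cluster-management.io` without a deprecation mark, while the copy added to rbac.adoc marks it "(Deprecated)"; if that is intended, say so in the commit message. Note as well that the `oc create clusterrole rhacm-edit-policy` command in this hunk grants `policysets.policy.open-cluster-management.io`, but neither the removed nor the relocated Governance API table has a `policysets` row, so the table undersells what the documented role actually grants. Minor: the new intro sentence reads "To perform Governance operations"; lowercase "governance" to match the heading's use as a common noun elsewhere.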
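Review bot: In hunk @@ -250,19 +178,25 @@, the context prose says "verify if a user has the authority to create a `managedClusterView` role", but the command `oc auth can-i create ManagedClusterView -n --as=` checks the `create` verb on the `ManagedClusterView` resource, not the ability to create a role; the `oc create role create-managedclusterview --verb=create --resource=managedclusterviews` line below confirms the resource is what is being granted. Reword to "authority to create `ManagedClusterView` resources" and use one casing for the resource name throughout the section.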
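Review bot: In hunk @@ -300,28 +236,5 @@, the removed `[#console-api-rbac-obs]` anchor has the same cross-reference risk as the anchors dropped earlier in this file; grep for it and retarget any xref to `[#console-api-rbac]` in rbac.adoc. The observability table being deleted here is also the one copied verbatim into rbac.adoc, header-spacing and "create, read, update, and delete" wording included, so the fixes for that table belong at its new location rather than being lost in the move.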
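Review bot: In the securing_cluster_intro.adoc hunk (@@ -1,6 +1,5 @@), the deleted line `//note the name change here and please check any links to this.` was a reminder to audit links to the renamed page, and nothing in this diff shows that audit happened; either state in the PR description that links to this page were checked, or keep the comment until they are.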