Role-based access control

IBM® Cloud Private supports several roles. Your role determines the actions that you can perform.

Cluster administrator role and actions

IBM Cloud Private supports the cluster administrator role.

Table 1. Cluster administrator role and actions

Role: Cluster administrator
Description: Has complete access to the IBM Cloud Private platform.
Actions: The following actions can be completed by the cluster administrator only:
  • Connect to an LDAP directory
  • Add users and assign them the IAM roles
  • Manage workloads, infrastructure, and applications across all namespaces
  • Create namespaces
  • Assign quotas
  • Add pod security policies
  • Add an internal Helm repository
  • Delete an internal Helm repository
  • Add Helm charts to the internal Helm repository
  • Remove Helm charts from the internal Helm repository
  • Synchronize internal and external Helm repositories

For more information about adding pod security policies, see Creating pod security policies.

IAM roles and actions

You assign an IAM role to users or user groups when you add them to a team. Within a team, each user or user group can have only one role. However, a user can end up with multiple roles within a team when you add the user individually and the user is also a member of a group that belongs to the team. In that case, the user acts with the highest role that is assigned to the user. For example, if you add the user as an Administrator and assign the Viewer role to the user's group, the user can act as an Administrator for the team.

A user or user group can be a member of multiple teams and have different roles on each team.

An IAM role defines the actions that a user can do on the team resources.

IBM Cloud Private supports these IAM roles:

Note: Only the Cluster Administrator and Administrator can manage teams, users, and roles. The Administrator cannot assign the Cluster Administrator role to any user or group.

Table 2. IAM roles and actions

Viewer
  Description: Has read-only access. By default, the Viewer role is assigned to users when they are added to a team.
  Actions: The Viewer can view information about the team resources.

Editor
  Description: Has read and edit access.
  Actions: The Editor can view and edit team resources.

Operator
  Description: Has read, edit, and create access.
  Actions: The Operator can view, edit, and create team resources.

Administrator
  Description: Has add, update, view, and delete access.
  Actions: The following actions can be completed by an administrator:
  • Create teams
  • Assign resources to other teams
    Note: Administrators have access to the resources that are assigned to a team by the cluster administrator. Administrators can assign these resources to other teams where they are the administrators.
  • Create resources for a team
    Note: Administrators can create resources for a team. They can assign these resources to other teams where they are the administrators.
  • Manage users, groups, and roles for their teams
    Note: Administrators cannot assign the cluster administrator role to any user or group.
  • Read, update, and delete resources of a team

  The Administrator cannot view the following management console pages:
  • Dashboard
  • Node
  • Pod Security

Cluster Administrator
  Description: Has complete access to the IBM Cloud Private platform.
  Actions: See Cluster administrator role and actions.

RBAC for Catalog and Helm resources

Table 3. Allowed Helm repository actions based on IAM role
Action Administrator Operator Editor Viewer
Add an internal Helm repository
Synchronize internal and external Helm repositories
Delete internal Helm repository
Add Helm charts to the internal Helm repository X
Remove Helm charts from the internal Helm repository X
Deploy Helm charts X *
Roll back Helm releases X
Upgrade Helm releases X *
Delete Helm releases X

X - Operation is supported

* - Deploying and upgrading Helm releases is not supported for charts that remove resources by using hooks or jobs. For more information, see the chart readme file or documentation.

RBAC for Kubernetes resources

The IAM role that you assign to a user also defines the actions that the user can do on the Kubernetes resources that are assigned to the team. For example, if user1 is an Operator in team1, and team1 has the namespace1 resource, then user1 can view and update namespace1 information. user1 can also create resources, for example pods, in namespace1. If you remove user1 from team1, you remove user1's role binding for the resources in team1. If user1 is also part of another team, say team2, that has the same namespace, then user1's role binding to the namespace in team2 is not affected when you remove the user from team1.

Table 4. Allowed actions based on IAM role

Action            Administrator  Operator  Editor  Viewer
get               X              X         X       X
list              X              X         X       X
watch             X              X         X       X
update            X              X         X
patch             X              X         X
create            X              X
delete            X
deletecollection  X

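The team-to-role-binding behaviour described above, and the "highest role wins" rule from the IAM roles section, can be made concrete with a small model. The following is an added example, not IBM Cloud Private code: it encodes the role hierarchy of Table 2 and the verbs of Table 4, then resolves a user's effective permissions for the scenarios in the text (user1 as Operator in team1, a second team that owns the same namespace, removal from one team). All team, user, group and namespace names are constructed.

```python
"""Model of the IAM role -> Kubernetes verb mapping described in this section.

Added illustration, not IBM Cloud Private code. Role names follow Table 2 and
verbs follow Table 4; team, user, group and namespace names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Table 4: verbs each IAM role may use on the team's Kubernetes resources.
ROLE_VERBS: dict[str, frozenset[str]] = {
    "Viewer": frozenset({"get", "list", "watch"}),
    "Editor": frozenset({"get", "list", "watch", "update", "patch"}),
    "Operator": frozenset({"get", "list", "watch", "update", "patch", "create"}),
    "Administrator": frozenset({"get", "list", "watch", "update", "patch",
                                "create", "delete", "deletecollection"}),
}

# Rank used to pick the "highest" role when a user holds more than one role
# in the same team (added individually and again through a group).
ROLE_RANK = {"Viewer": 0, "Editor": 1, "Operator": 2, "Administrator": 3}


@dataclass
class Team:
    name: str
    namespaces: set[str]
    users: dict[str, str] = field(default_factory=dict)   # user  -> IAM role
    groups: dict[str, str] = field(default_factory=dict)  # group -> IAM role


def team_role(team: Team, user: str, user_groups=frozenset()) -> str | None:
    """Effective role of `user` in one team: direct and group roles, highest wins."""
    roles = [team.users[user]] if user in team.users else []
    roles += [team.groups[g] for g in user_groups if g in team.groups]
    return max(roles, key=ROLE_RANK.__getitem__) if roles else None


def role_bindings(teams, user, user_groups=frozenset()):
    """(team, namespace) -> verbs; one binding per team that grants the namespace."""
    bindings = {}
    for team in teams:
        role = team_role(team, user, user_groups)
        if role is not None:
            for ns in team.namespaces:
                bindings[(team.name, ns)] = ROLE_VERBS[role]
    return bindings


def can(teams, user, verb, namespace, user_groups=frozenset()) -> bool:
    """Kubernetes RBAC is additive: any binding that grants the verb is enough."""
    return any(verb in verbs
               for (_, ns), verbs in role_bindings(teams, user, user_groups).items()
               if ns == namespace)


def remove_from_team(team: Team, user: str) -> None:
    """Dropping a user from a team removes only that team's binding for the user."""
    team.users.pop(user, None)


def demo() -> dict:
    """Walks through the scenarios the section describes, with constructed data."""
    team1 = Team("team1", {"namespace1"},
                 users={"user1": "Operator", "user2": "Administrator"},
                 groups={"devs": "Viewer"})
    team2 = Team("team2", {"namespace1"}, users={"user1": "Viewer"})
    teams = [team1, team2]
    out = {
        # Operator in team1: may create pods in namespace1, but not delete them.
        "user1_create_ns1": can(teams, "user1", "create", "namespace1"),
        "user1_delete_ns1": can(teams, "user1", "delete", "namespace1"),
        # user2 added as Administrator and also via the Viewer group: highest role wins.
        "user2_effective_role": team_role(team1, "user2", {"devs"}),
    }
    remove_from_team(team1, "user1")
    # team1 binding is gone; team2 still grants read-only access to the same namespace.
    out["user1_create_after_removal"] = can(teams, "user1", "create", "namespace1")
    out["user1_get_after_removal"] = can(teams, "user1", "get", "namespace1")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live cluster the same questions are answered by the API server rather than by a model; `kubectl auth can-i <verb> <resource> -n <namespace> --as <user>` is the standard way to confirm that the bindings a team produces match Table 4, and is worth running after removing a user who belongs to several teams that share a namespace.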
Table 5. Allowed resource permissions by role

The roles are cumulative (see Table 2), so each group below is also available to every higher role.

Resources available to all four roles (Administrator, Operator, Editor, Viewer):
  • clusterservicebrokers.servicecatalog.k8s.io (only view access)
  • clusterserviceclasses.servicecatalog.k8s.io (only view access)
  • clusterserviceplans.servicecatalog.k8s.io (only view access)
  • configmaps
  • cronjobs.batch
  • daemonsets.apps
  • daemonsets.extensions
  • deployments.apps
  • deployments.extensions
  • deployments.apps/scale
  • deployments.extensions/scale
  • endpoints
  • events
  • horizontalpodautoscalers.autoscaling
  • images.icp.ibm.com
  • ingresses.extensions
  • jobs.batch
  • limitranges
  • namespaces
  • namespaces/status
  • networkpolicies.extensions
  • networkpolicies.networking.k8s.io
  • persistentvolumeclaims
  • pods
  • pods/log
  • pods/status
  • replicasets.apps
  • replicasets.extensions
  • replicasets.apps/scale
  • replicasets.extensions/scale
  • replicationcontrollers
  • replicationcontrollers/scale
  • replicationcontrollers.extensions/scale
  • replicationcontrollers/status
  • resourcequotas
  • resourcequotas/status
  • serviceaccounts
  • servicebindings.servicecatalog.k8s.io
  • servicebindings.servicecatalog.k8s.io/status
  • serviceinstances.servicecatalog.k8s.io
  • serviceinstances.servicecatalog.k8s.io/status
  • services/proxy
  • statefulsets.apps

Resources available to Administrator, Operator, and Editor:
  • deployments.apps/rollback
  • deployments.extensions/rollback
  • pods/attach
  • pods/exec
  • pods/portforward
  • pods/proxy
  • secrets
  • services

Resources available to Administrator only:
  • clusterrolebindings.rbac.authorization.k8s.io
  • localsubjectaccessreviews.authorization.k8s.io
  • poddisruptionbudgets.policy
  • rolebindings.rbac.authorization.k8s.io
  • roles.rbac.authorization.k8s.io
  • scheduledjobs.batch