Role-based access control
IBM® Cloud Private supports several roles. Your role determines the actions that you can do.
Kubernetes offers role-based access control (RBAC) authorization mechanisms, which has been extended on IBM Cloud Private where the users of the cluster platform can be grouped into teams and have namespaces dedicated to teams. With IBM Cloud Private, you can create a team and add users, user groups, and resources to the team. All users in a team have access to the team resources. A user, user group, or resource can be assigned to multiple teams.
IBM Cloud Private has one cluster administrator who has cluster wide access while other users can be classified to various roles, such as Administrator, Editor, Operator, Auditor, and Viewer to various namespaces they have access to. Based on the role assigned to user/user group the level of access to each logical resource on the cluster is defined.
Cluster administrator role and actions
IBM Cloud Private supports the cluster administrator role. The cluster administrator has complete access to the IBM Cloud Private platform.
The following actions can be completed by the cluster administrator:
- Connect to an LDAP directory
- Create teams, add users, and assign them the IAM roles
- Manage workloads, infrastructure, and applications across all namespaces
- Create namespaces
- Assign quotas
- Add pod security policies
- Add an internal Helm repository
- Delete an internal Helm repository
- Add Helm charts to the internal Helm repository
- Remove Helm charts from the internal Helm repository
- Synchronize internal and external Helm repositories
- Manage storage classes and persistent volumes across all namespaces
- Add, remove, and update image security enforcement policies
- Add, remove, and update service IDs in the cluster
- Register and add Service Broker to fetch ClusterServiceClasses and ClusterServicePlans
- Deploy Service Broker chart to fetch ClusterServiceClasses and ClusterServicePlans
For more information about adding pod security policies, see Creating pod security policies.
IAM roles and actions
You can assign an IAM role to users or user groups when you add them to a team. Within a team, each user or user group can have only one role. However, a user might have multiple roles within a team when you add a user individually and also as a
member of a team's group. If so, the user can act based on the highest role that is assigned to the user. For example, if you add the user as an administrator and you assign a Viewer role to the user's group, the user can
act as an administrator for the team.
A user or user group can be a member of multiple teams and have different roles on each team.
An IAM role defines the actions that a user can do on the team resources.
IBM Cloud Private supports these IAM roles:
Note: Only the Cluster Administrator and Administrator can manage teams, users, and roles. The Administrator cannot assign the Cluster Administrator role to any user or group.
| Role | Description | Actions |
|---|---|---|
| Viewer | Has read-only access. | The following actions can be completed by a Viewer:
The Viewer cannot view the following management console pages:
|
| Editor | Has read and edit access. | The following actions can be completed by an Editor:
The Editor cannot view the following management console pages:
|
| Auditor | Has read access. | The following actions can be completed by an Auditor:
The Auditor cannot view the following management console pages:
|
| Operator (Also referred to as Team Operator) |
Has read, edit, and create access. | The following actions can be completed by an Operator:
The Operator cannot view the following management console pages:
|
| Administrator (Also referred to as Team Administrator) |
Has add, update, view, and delete access. | You must be assigned to an LDAP directory team by the cluster adminstrator to complete the following actions:
The Administrator cannot view the following management console pages:
|
| Cluster Administrator | Has complete access to IBM Cloud Private platform. | See Cluster administrator role and actions |
Note: Viewers and editors cannot view logs on any of the IBM Cloud Private management console pages.
RBAC for catalog and Helm resources
| Action | Administrator | Operator | Editor | Auditor | Viewer |
|---|---|---|---|---|---|
| Add an internal Helm repository | |||||
| Synchronize internal and external Helm repositories | |||||
| Delete internal Helm repository | |||||
| Add Helm charts to the internal Helm repository | X | ||||
| Remove Helm charts from the internal Helm repository | X | ||||
| Deploy Helm charts | X | * | |||
| Roll back Helm releases | X | X | X | ||
| Upgrade Helm releases | X | X | X | ||
| Delete Helm releases | X |
X - Operation is supported
* - Deploying and upgrading Helm releases is not supported for charts that remove resources by using hooks or jobs. For more information, see the chart readme file or documentation.
RBAC for Key Management Service (KMS) resources
| Action | Description | Administrator | Editor | Viewer |
|---|---|---|---|---|
| Create | Generate and import keys | X | X | |
| Delete | Delete keys | X | ||
| List | List all keys | X | X | |
| Read | Read key material and metadata | X | X | |
| Wrap | Use CRK to encrypt DEK | X | X | X |
| Unwrap | Use CRK to decrypt DEK | X | X | X |
X - Operation is supported
For a detailed description of each action in table 3, see Key Management Service APIs.
RBAC for Kubernetes resources
The IAM role that you assign to a user also defines the actions that the user can do on the Kubernetes resources that are assigned to the team. For example, if user1 is an operator in team1, and team1 has namespace1 resource, then user1 can view and update namespace1 information. User1 can also create resources, for example pods, in namespace1. If you remove user1 from team1, you remove user1's role binding for the resources in team1. If user1 is part of another team, say team2, that has the same namespace, then user1's role binding to the namespace in team2 is not affected when you remove the user from team1.
| Action | Administrator | Operator | Editor | Viewer |
|---|---|---|---|---|
| get | X | X | X | X |
| list | X | X | X | X |
| watch | X | X | X | X |
| update | X | X | X | |
| patch | X | X | X | |
| create | X | X | ||
| delete | X | |||
| deletecollection | X |
| Resource | Administrator | Operator | Editor | Viewer |
|---|---|---|---|---|
| clusterrolebindings.rbac.authorization.k8s.io | X | |||
| clusterservicebrokers.servicecatalog.k8s.io (only view access) | X | X | X | X |
| clusterserviceclasses.servicecatalog.k8s.io (only view access) | X | X | X | X |
| clusterserviceplans.servicecatalog.k8s.io (only view access) | X | X | X | X |
| configmaps | X | X | X | X |
| cronjobs.batch | X | X | X | X |
| daemonsets.apps | X | X | X | X |
| daemonsets.extensions | X | X | X | X |
| deployments.apps | X | X | X | X |
| deployments.extensions | X | X | X | X |
| deployments.apps/rollback | X | X | X | |
| deployments.extensions/rollback | X | X | X | |
| deployments.apps/scale | X | X | X | |
| deployments.extensions/scale | X | X | X | X |
| endpoints | X | X | X | X |
| events | X | X | X | X |
| horizontalpodautoscalers.autoscaling | X | X | X | X |
| images.icp.ibm.com | X | X | X | X |
| ingresses.extensions | X | X | X | X |
| jobs.batch | X | X | X | X |
| limitranges | X | X | X | X |
| localsubjectaccessreviews.authorization.k8s.io | X | |||
| namespaces | X | X | X | X |
| namespaces/status | X | X | X | X |
| networkpolicies.extensions | X | X | X | X |
| networkpolicies.networking.k8s.io | X | X | X | X |
| persistentvolumeclaims | X | X | X | X |
| poddisruptionbudgets.policy | X | |||
| pods | X | X | X | X |
| pods/attach | X | X | X | X |
| pods/exec | X | X | X | X |
| pods/log | X | X | X | X |
| pods/portforward | X | X | X | X |
| pods/proxy | X | X | X | |
| pods/status | X | X | X | |
| replicasets.apps | X | X | X | X |
| replicasets.extensions | X | X | X | X |
| replicasets.apps/scale | X | X | X | X |
| replicasets.extensions/scale | X | X | X | X |
| replicationcontrollers | X | X | X | X |
| replicationcontrollers/scale | X | X | X | X |
| replicationcontrollers.extensions/scale | X | X | X | X |
| replicationcontrollers/status | X | X | X | X |
| resourcequotas | X | X | X | X |
| resourcequotas/status | X | X | X | X |
| rolebindings.rbac.authorization.k8s.io | X | |||
| roles.rbac.authorization.k8s.io | X | |||
| scheduledjobs.batch | X | |||
| secrets | X | X | X | |
| serviceaccounts | X | X | X | X |
| servicebindings.servicecatalog.k8s.io | X | X | X | X |
| servicebindings.servicecatalog.k8s.io/status | X | X | X | X |
| serviceinstances.servicecatalog.k8s.io | X | X | X | X |
| serviceinstances.servicecatalog.k8s.io/status | X | X | X | X |
| services | X | X | X | |
| services/proxy | X | X | X | X |
| statefulsets.apps | X | X | X | X |
RBAC for IAM resources
| IAM resource | Action | Administrator | Operator | Editor | Auditor | Viewer |
|---|---|---|---|---|---|---|
| Identity Management API explorer | X | X | X | X | X | |
| Certificate: /idmgmt/identity/api/v1/certificates | ||||||
| Create user certificate | X | X | X | X | X | |
| Read user certificate | X | X | X | X | X | |
| Delete user certificate | X | X | X | X | X | |
| Account: /idmgmt/identity/api/v1/account | ||||||
| Read IBM Cloud Private default account | X | X | X | X | X | |
| Create IBM Cloud Private default account | X | |||||
| Update IBM Cloud Private default account | X | |||||
| Delete IBM Cloud Private default account | X | |||||
| Directory: /idmgmt/identity/api/v1/directory/ldap | ||||||
| Read LDAP directory details | X | |||||
| User: /idmgmt/identity/api/v1/users | ||||||
| Create user details | X | |||||
| Read user details | X | X | X | X | X | |
| Update user details | X | |||||
| Delete user details | X | |||||
| User group: /idmgmt/identity/api/v1/usergroup | ||||||
| Create user group details | X | |||||
| Read user group details | X | X | X | X | X | |
| Update user group details | X | |||||
| Delete user group details | X | |||||
| Team: /idmgmt/identity/api/v1/teams | ||||||
| Create team details | X | |||||
| Read team details | X | X | X | X | X | |
| Update team details | X | |||||
| Delete team details | X | |||||
| Resource: /idmgmt/identity/api/v1/resources | ||||||
| Create resource details | X | |||||
| Read resource details | X | |||||
| Update resource details | X | |||||
| Delete resource details | X | |||||
| User Preferences: /idmgmt/identity/api/v1/userpreferences | ||||||
| Create user preferences | X | X | X | X | X | |
| Read user preferences | X | X | X | X | X | |
| Update user preferences | X | X | X | X | X | |
| Security Assertion Markup Language (SAML) authentication: /idmgmt/v1/saml | ||||||
| Get SAML status | X | |||||
| Update or reconfigure SAML authentication | X | |||||
| Create or configure SAML authentication | X | |||||
| Service ID: /iam-token/serviceids | ||||||
| Create a service ID | X | X | X | X | X | |
| List Service ID details | X | X | X | X | X | |
| Update a service ID | X | X | X | X | X | |
| Delete a service ID | X | X | X | X | X | |
| API key: /iam-token/apikeys | ||||||
| Create an API key | X | X | X | X | X | |
| List all API keys | X | X | X | X | X | |
| Update an API key | X | X | X | X | X | |
| Delete an API key | X | X | X | X | X | |
| Service policy: /v1/scopes/{scope}/service_ids/{serviceId}/policies | ||||||
| Create service policy details | X | X | X | X | X | |
| Read service policy details | X | X | X | X | X | |
| Update service policy details | X | X | X | X | X | |
| Delete service policy details | X | X | X | X | X |
Note: A user can create Service ID policies with the same level of access that the user has. The user cannot create or assign policies with a higher role to a service ID.