Role-based access control
IBM® Cloud Private supports several roles. Your role determines the actions that you can do.
Cluster administrator role and actions
IBM Cloud Private supports the cluster administrator role. The cluster administrator has complete access to the IBM Cloud Private platform.
The following actions can be completed by the cluster administrator:
- Create teams, add users, and assign them the IAM roles
- Manage workloads, infrastructure, and applications across all namespaces
- Create namespaces
- Assign quotas
- Add pod security policies
- Add an internal Helm repository
- Delete an internal Helm repository
- Add Helm charts to the internal Helm repository
- Remove Helm charts from the internal Helm repository
- Synchronize internal and external Helm repositories
- Manage storage classes and persistent volumes across all namespaces
- Add, remove, and update image security enforcement policies
- Add, remove, and update service IDs in the cluster
- Register and add Service Broker to fetch ClusterServiceClasses and ClusterServicePlans
- Deploy Service Broker chart to fetch ClusterServiceClasses and ClusterServicePlans
For more information about adding pod security policies, see Creating pod security policies.
IAM roles and actions
You assign an IAM role to users or user groups when you add them to a team. Within a team, each user or user group can have only one role. However, a user might have multiple roles within a team when you add a user individually and also as a member
of a team's group. If so, the user can act based on the highest role that is assigned to the user. For example, if you add the user as an administrator and you assign a Viewer
role to the user's group, the user can act as
an administrator for the team.
A user or user group can be a member of multiple teams and have different roles on each team.
An IAM role defines the actions that a user can do on the team resources.
IBM Cloud Private supports these IAM roles:
Note: Only the Cluster Administrator and Administrator can manage teams, users, and roles. The Administrator cannot assign the Cluster Administrator role to any user or group.
Role | Description | Actions |
---|---|---|
Viewer | Has read-only access. | The following actions can be completed by a Viewer:
The Viewer cannot view the following management console pages:
|
Editor | Has read and edit access. | The following actions can be completed by an Editor:
The Editor cannot view the following management console pages:
|
Auditor | Has read access. | The following actions can be completed by an Auditor:
The Auditor cannot view the following management console pages:
|
Operator (Also referred to as Team Operator ) |
Has read, edit, and create access. | The following actions can be completed by an Operator:
The Operator cannot view the following management console pages:
|
Administrator (Also referred to as Team Administrator ) |
Has add, update, view, and delete access. | The following actions can be completed by an administrator:
The Administrator cannot view the following management console pages:
|
Cluster Administrator | Has complete access to IBM Cloud Private platform. | See Cluster administrator role and actions |
Note Viewers and editors cannot view logs on any of the IBM Cloud Private management console pages.
RBAC for Catalog and Helm resources
Action | Administrator | Operator | Editor | Auditor | Viewer |
---|---|---|---|---|---|
Add an internal Helm repository | |||||
Synchronize internal and external Helm repositories | |||||
Delete internal Helm repository | |||||
Add Helm charts to the internal Helm repository | X | ||||
Remove Helm charts from the internal Helm repository | X | ||||
Deploy Helm charts | X | * | |||
Roll back Helm releases | X | X | X | ||
Upgrade Helm releases | X | X | X | ||
Delete Helm releases | X |
X - Operation is supported
* - Deploying and upgrading Helm releases is not supported for charts that remove resources by using hooks or jobs. For more information, see the chart readme file or documentation.
RBAC for Kubernetes resources
The IAM role that you assign to a user also defines the actions that the user can do on the Kubernetes resources that are assigned to the team. For example, if user1 is an operator in team1, and team1 has namespace1 resource, then user1 can view and update namespace1 information. User1 can also create resources, for example pods, in namespace1. If you remove user1 from team1, you remove user1's role binding for the resources in team1. If user1 is part of another team, say team2, that has the same namespace, then user1's role binding to the namespace in team2 is not affected when you remove the user from team1.
Action | Administrator | Operator | Editor | Auditor | Viewer |
---|---|---|---|---|---|
get | X | X | X | X | |
list | X | X | X | X | |
watch | X | X | X | X | |
update | X | X | X | ||
patch | X | X | X | ||
create | X | X | |||
delete | X | ||||
deletecollection | X |
Resource | Administrator | Operator | Editor | Auditor | Viewer |
---|---|---|---|---|---|
clusterrolebindings.rbac.authorization.k8s.io | X | ||||
clusterservicebrokers.servicecatalog.k8s.io (only view access) | X | X | X | X | X |
clusterserviceclasses.servicecatalog.k8s.io (only view access) | X | X | X | X | X |
clusterserviceplans.servicecatalog.k8s.io (only view access) | X | X | X | X | X |
configmaps | X | X | X | X | X |
cronjobs.batch | X | X | X | X | X |
daemonsets.apps | X | X | X | X | X |
daemonsets.extensions | X | X | X | X | X |
deployments.apps | X | X | X | X | X |
deployments.extensions | X | X | X | X | X |
deployments.apps/rollback | X | X | X | ||
deployments.extensions/rollback | X | X | X | ||
deployments.apps/scale | X | X | X | X | |
deployments.extensions/scale | X | X | X | X | X |
endpoints | X | X | X | X | X |
events | X | X | X | X | X |
horizontalpodautoscalers.autoscaling | X | X | X | X | X |
images.icp.ibm.com | X | X | X | X | X |
ingresses.extensions | X | X | X | X | X |
jobs.batch | X | X | X | X | X |
limitranges | X | X | X | X | X |
localsubjectaccessreviews.authorization.k8s.io | X | ||||
namespaces | X | X | X | X | X |
namespaces/status | X | X | X | X | X |
networkpolicies.extensions | X | X | X | X | X |
networkpolicies.networking.k8s.io | X | X | X | X | X |
persistentvolumeclaims | X | X | X | X | X |
poddisruptionbudgets.policy | X | ||||
pods | X | X | X | X | X |
pods/attach | X | X | X | X | X |
pods/exec | X | X | X | X | X |
pods/log | X | X | X | X | X |
pods/portforward | X | X | X | X | X |
pods/proxy | X | X | X | X | |
pods/status | X | X | X | X | |
replicasets.apps | X | X | X | X | X |
replicasets.extensions | X | X | X | X | X |
replicasets.apps/scale | X | X | X | X | X |
replicasets.extensions/scale | X | X | X | X | X |
replicationcontrollers | X | X | X | X | X |
replicationcontrollers/scale | X | X | X | X | X |
replicationcontrollers.extensions/scale | X | X | X | X | X |
replicationcontrollers/status | X | X | X | X | X |
resourcequotas | X | X | X | X | X |
resourcequotas/status | X | X | X | X | X |
rolebindings.rbac.authorization.k8s.io | X | ||||
roles.rbac.authorization.k8s.io | X | ||||
scheduledjobs.batch | X | ||||
secrets | X | X | X | X | |
serviceaccounts | X | X | X | X | X |
servicebindings.servicecatalog.k8s.io | X | X | X | X | X |
servicebindings.servicecatalog.k8s.io/status | X | X | X | X | X |
serviceinstances.servicecatalog.k8s.io | X | X | X | X | X |
serviceinstances.servicecatalog.k8s.io/status | X | X | X | X | X |
services | X | X | X | X | |
services/proxy | X | X | X | X | X |
statefulsets.apps | X | X | X | X | X |