Add RBAC enhancement documentation to NeuVector integration docs. #4280
+55
−2
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| --- | ||
| title: Rancher and NeuVector RBAC | ||
| weight: 3 | ||
| --- | ||
|
|
||
| This article is intended for users who need to provide access to the NeuVector app deployed via the Rancher app catalog with the Rancher chart. This will not work on deployments using the partner chart. | ||
|
|
||
| By default, a Rancher cluster admin and a global admin will automatically be mapped to be global admins within NeuVector. In order to map other personas, some access will need to be provided to the Rancher user/group depending on the desired access within NeuVector. Please note that adding the below permissions will not provide access to any Kubernetes resources beyond what is already given by existing Rancher roles, with one exception: the NeuVector service proxy. | ||
|
There was a problem hiding this comment.
I still don't think this is accurate. If I'm a project member who only has access to my single custom project, and then you give me NV admin permissions, I can now see many things I couldn't see before. I just have to click on Network activity and now I have indirect |
||
|
|
||
| The following table lists the NeuVector role and the Kubernetes RBAC from which it is derived. These RBAC mappings need to be created within Rancher RBAC. | ||
|
|
||
| |NeuVector Role|API Group|Resources|Verbs|Comment| | ||
| |-----|-----|-----|-----|-----| | ||
| |Cluster admin|read-only.neuvector.api.io|*|*| ClusterRole (with ClusterRoleBinding)| | ||
| |Cluster reader|read-only.neuvector.api.io|*|GET| ClusterRole(with ClusterRoleBinding)| | ||
| |Namespace admin|read-only.neuvector.api.io|*|*| ClusterRole/Role with RoleBinding) via project| | ||
| |Namespace readonly|read-only.neuvector.api.io|*|GET| ClusterRole/Role with RoleBinding) via project| | ||
| |N/A|neuvector.com|*|GET|Necessary along with any of the above for the nav link to appear| | ||
|
|
||
| ### Creating the Rancher RBAC Roles for Cluster and Project Scope | ||
| >**Note:** This is applicable to users who are neither global admins nor cluster admins. | ||
|
|
||
| Three items are necessary for the mapped access: | ||
|
|
||
| 1. Global, cluster, or project level role based on the above table. | ||
| 1. GET permissions on the neuvector.com CRDs. | ||
| 1. NeuVector project level services/proxy permission. This is used for UI proxy via Rancher. | ||
|
|
||
| The first two items above are highly dependent on your RBAC setup but can be done with either distinct NeuVector roles or by adding the permissions from the above tables to an existing set of custom roles. These can be given to users at global, cluster, or project level. | ||
|
|
||
| See [Rancher Custom Roles]({{<baseurl>}}rancher/v2.6/en/admin-settings/rbac/default-custom-roles/) for more information. | ||
|
|
||
| ### NeuVector Project Level UI Proxy | ||
horantj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| >**Note:** This is necessary when a user does not have this permission already either via a global or cluster role. | ||
|
|
||
| 1. Create a project for NeuVector prior to installing from the App catalog and install to this project. If install has already been done, create the project and move the namespace there. | ||
| 1. Create a project level role with services/proxy access as shown in the below examples. | ||
| 1. For the user/group in question who will need to access NeuVector, assign the project UI proxy role. | ||
|
|
||
| > **Warning:** Please be sure to scope this role to a NeuVector-only project. Otherwise, services/proxy access could be given to unintended workloads. | ||
|
|
||
| ### Examples | ||
|
|
||
| #### Project Level: | ||
|  | ||
|  | ||
|  | ||
horantj marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| #### Cluster Level: | ||
|  | ||
|  | ||
|
|
||
| #### Project UI Proxy Permission: | ||
|  | ||
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Even with below solution I think this part is accurate. We don't support 1:1 mapping of project-members, project-owners, or cluster-members.