Add RBAC enhancement documentation to NeuVector integration docs. #4280
Open
horantj wants to merge 5 commits into rancher:master from horantj:master
Commits (5):

- 316049f Add section for rancher+neuvector RBAC integration (horantj)
- c5191ed Remove mention of previous auth limitation (horantj)
- addc087 Update content/rancher/v2.6/en/neuvector-integration/rbac/_index.md (horantj)
- d462359 Apply suggestions from code review (horantj)
- 8089d1a Merge branch 'rancher:master' into master (horantj)
content/rancher/v2.6/en/neuvector-integration/rbac/_index.md (54 additions, 0 deletions)
@@ -0,0 +1,54 @@ | ||
--- | ||
title: Rancher + NeuVector RBAC | ||
weight: 3 | ||
--- | ||
This article is intended for users who need to provide access to the NeuVector app deployed via the Rancher App catalog with the Rancher chart. This will not work on deployments using the Partner chart. | ||
By default, a Rancher cluster admin, and global admin will be automatically mapped to be global admins within NeuVector. In order to map other personas, some access will need to be provided to the Rancher user/group depending on the desired access within NeuVector. Please note that adding the below permissions will not provide access to any kubernetes resources beyond what is already given by existing Rancher roles. With one exception being the neuvector service proxy. | ||
The following table lists the NeuVector role and the k8s RBAC from which it is derived. These rbac mappings need to be created within Rancher RBAC. | ||
|NeuVector role|apiGroup |resources|verbs|comment| | ||
|-----|-----|-----|-----|-----| | ||
cluster admin|read-only.neuvector.api.io|*|*| clusterrole(with clusterrolebinding)| | ||
cluster reader|read-only.neuvector.api.io|*|get| clusterrole(with clusterrolebinding)| | ||
namespace admin|read-only.neuvector.api.io|*|*| clusterrole/role with rolebinding) via project| | ||
namespace readonly|read-only.neuvector.api.io|*|get| clusterrole/role with rolebinding) via project| | ||
n/a|neuvector.com|*|get|necessary along with any of the above for nav link to appear| | ||
### Creating the rancher RBAC roles for cluster and project scope | ||
_for users that are not global admins or cluster admins_ | ||
Three items are necessary for the mapped access: | ||
1. Global, Cluster, or project level role based on the above table | ||
1. GET permissions on the neuvector.com CRDs | ||
2. NeuVector Project level services/proxy permission. This is used for UI proxy via rancher. | ||
The first two items are highly dependent on your RBAC setup, but can be done with distinct NeuVector roles, or adding the permissions from the above tables to an existing set of custom roles. These can be given to users at Global, cluster, or project level. | ||
See [Rancher Custom Roles]({{<baseurl>}}rancher/v2.6/en/admin-settings/rbac/default-custom-roles/) for more information. | ||
### NeuVector Project Level UI Proxy | ||
_Necessary when a user does not have this permission already either via a global or cluster role_ | ||
1. Create a project for NeuVector prior to installing from the App catalog, and install to this project. If install has already been done, create the project and move the namespace there. | ||
1. Create a project level role with services/proxy access as shown in the below examples. | ||
1. For the user/group in question that will need to access NeuVector, assign the project UI Proxy role. | ||
> **Warning** | ||
> Please be sure to scope this role to a NeuVector only project, otherwise services/proxy access could be given to unintended workloads. | ||
### Examples | ||
#### Project level: | ||
![Project Admin]({{<baseurl>}}/img/rancher/neuvector-project-admin.png) | ||
![Project Read-Only]({{<baseurl>}}/img/rancher/neuvector-project-ro.png) | ||
![Project UI Proxy]({{<baseurl>}}/img/rancher/neuvector-proxy-role.png) | ||
#### Cluster level: | ||
![Cluster Admin]({{<baseurl>}}/img/rancher/neuvector-cluster-admin.png) | ||
![Cluster Read-Only]({{<baseurl>}}/img/rancher/neuvector-cluster-ro.png) | ||
#### Project UI proxy permission: | ||
![NeuVector Project UI]({{<baseurl>}}/img/rancher/neuvector-project-ro.png) |
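Review bot: the screenshot under "Project UI proxy permission" is wrong: `![NeuVector Project UI]({{<baseurl>}}/img/rancher/neuvector-project-ro.png)` reuses the image already shown as "Project Read-Only", while the proxy-role screenshot `neuvector-proxy-role.png` is only referenced under "Project level"; the proxy section should point at `neuvector-proxy-role.png` so the reader sees a services/proxy rule and not a read-only rule. While here, the warning about scoping the role to a NeuVector-only project would land harder if it said why: a `services/proxy` `get` rule lets the holder send HTTP requests through the API server to every Service in the project's namespaces, so any other workload later placed in that project becomes reachable with the same role; if the role is authored as YAML rather than in the Rancher UI, Kubernetes RBAC also allows narrowing the rule with `resourceNames` to the NeuVector UI service alone. Smaller consistency points in the same hunk: the comment cells `clusterrole/role with rolebinding) via project` in the two namespace rows have an unbalanced parenthesis, the body rows of the table omit the leading `|` that the header and separator rows use (it renders, but it is inconsistent), and the "Three items are necessary" list is numbered `1.`, `1.`, `2.` while the proxy steps use `1.`, `1.`, `1.`; pick one scheme for both lists.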
Even with the below solution I think this part is accurate. We don't support 1:1 mapping of project-members, project-owners, or cluster-members.