In this Exercise-5, we will assign the required roles and permissions to the Keycloak groups.
By now we know that the Keycloak users have very little access to the Rancher platform.
For the users to perform their tasks they need adequate permissions.
Rancher roles are classified into 3 levels:
Global Level Roles
Cluster Level Roles
Project Level Roles
The superadmin user is a regular user created in Keycloak.
By default, Rancher assigns the Standard User role, which allows him to create and manage new clusters; however, he will not be able to manage any other clusters or the Rancher management platform itself.
For him to manage the Rancher management platform we need to elevate his permissions in Rancher by granting him the global permissions of Administrator.
Let's check the existing permissions the superadmin user has in Rancher and elevate him to Administrator permissions.
Log in as the "admin" user using the Log in with Keycloak option and the credentials set during Exercise-4.
Navigate to Home > Configuration > Users & Authentication > Users
Click the checkbox next to the superadmin user, click the 3 vertical dots, and click Edit Config
The default Global Permissions are set to Standard User
We need to elevate his access to the higher level "Administrator", which has full permissions at the Rancher platform level and on all downstream clusters.
Select "Administrator" and click Save
Log out as the admin user
Re-login to the Rancher UI as the superadmin user using the Log in with Keycloak option
Now you can see that the superadmin user has full access to the Rancher platform and all downstream clusters
Based on the organization structure we have 3 admins and 4 developers.
In the previous step we elevated the superadmin user to manage the Rancher platform and all downstream clusters.
Now we have to explicitly assign the remaining 2 admins to manage their own respective clusters.
In order to grant them explicit permissions on their respective clusters we need to grant the users cluster level permissions.
Now, we will grant the "admin1" user the "Cluster Owner" role, so that admin1 has full control of the cluster and all its resources.
Log in as the "admin" user using the Log in with Keycloak option and the credentials set during Exercise-4.
Home > Explore CLUSTER > select "rke2-cluster1"
rke2-cluster1 > RBAC > select Cluster Members
Click Add button
Click on Select Member and type "cluster-admin-group1"
Select Cluster Permissions as "Owner"
Click on Create button
You can see that the group "cluster-admin-group1" has been added as Cluster Owner
Log out as the admin user from the Rancher UI
Now, let's validate the access rights/permissions by logging in as the "admin1" user on the Rancher UI
Now we can see only rke2-cluster1 under the Explore Cluster option
The admin1 user is able to access Apps and Marketplace as shown below
We have successfully assigned the "admin1" user to manage the cluster "rke2-cluster1"
Similarly, you can repeat the above steps for the "admin2" user and the cluster "rke2-cluster2".
So far we have configured roles and permissions for the cluster administrators; in the next step we will give developers access to their respective projects/namespaces.
In the development team we have a mix of senior and junior developers. The senior developers, because of their role and experience, are granted rights to create projects and namespaces. Junior developers are restricted to creating namespaces only for their own development work.
So far we have used the default built-in roles and permissions; let's explore ways to create custom roles and permissions to meet very specific needs.
senior-dev-group group will be assigned as built-in cluster member role as well as a custom role to create and manage projects and namespaces.
junior-dev-group group will be assigned custom role only to create and manage namespaces in existing projects.
junior-dev-group group is not allowed to create any new projects.
Log in as the "admin" user using the Log in with Keycloak option and the credentials set during Exercise-4.
Home > Users & Authentication > Roles > Project/Namespaces
Click on Create Project /Namespaces Role
Name = "custom-project-role1"
Under Grant Resources > Verbs, add the verbs below:
create
delete
get
list
patch
update
watch
Resource = "Namespaces" (from dropdown)
Click Create
In the previous step we created a custom project/namespace role. It cannot be assigned to users directly: it has to be associated with a custom cluster role first, and that cluster role is then assigned to the user or group.
The next step is to create the custom cluster role
Home > Users & Authentication > Roles > Cluster
Click on Create Cluster Role
Name = "custom-cluster-role1"
Under the Inherit From tab, select the custom project role "custom-project-role1"
Keep default options under Grant Resources and click on Create
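Rancher stores every role created under Users & Authentication > Roles as a RoleTemplate resource in the management API, so the two UI steps above can be expressed as manifests. The following is an added example, not part of the original exercise: it reproduces "custom-project-role1" (namespace verbs, project context) and "custom-cluster-role1" (cluster context, inheriting the project role via roleTemplateNames, which is what the Inherit From tab sets). The resource names match the UI steps; everything else is the standard RoleTemplate schema.

```yaml
# Added example: RoleTemplate equivalents of the two custom roles created in the UI.
# Not part of the original exercise; the names match the UI steps above.
apiVersion: management.cattle.io/v3
kind: RoleTemplate
metadata:
  name: custom-project-role1
displayName: custom-project-role1
context: project            # appears under Roles > Project/Namespaces
rules:
- apiGroups: [""]           # core API group, where the Namespace resource lives
  resources: ["namespaces"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
---
apiVersion: management.cattle.io/v3
kind: RoleTemplate
metadata:
  name: custom-cluster-role1
displayName: custom-cluster-role1
context: cluster            # appears under Roles > Cluster
roleTemplateNames:          # "Inherit From" in the UI
- custom-project-role1
```

Having the roles as manifests is useful for review: the verb list on the namespaces resource is the whole grant, so a later change that widens it (for example adding other resources to the rules) shows up as a diff rather than a UI click nobody recorded. Applying it with kubectl against the local (Rancher management) cluster has the same effect as the UI steps.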
Log out as the admin user
Log in as the "admin1" user using the Log in with Keycloak option and the credentials set during Exercise-4.
Home> Explore Cluster > rke2-cluster1 > RBAC > Cluster Members
Click Add
Under the Select Members dropdown, select the group "senior-dev-group"
Under Cluster Permissions,
select "Member" and click on Create
To add and manage namespaces explicitly the way we want using the custom role, we now also assign the cluster permission "custom-cluster-role1" to the same group and click Create
Log out as the admin1 user
Log in as the "dev1" user using the Log in with Keycloak option and the credentials set during Exercise-4.
You can notice that the dev1 user has both the Create Project and Create Namespace options enabled
Create New Project
Home > Explore Cluster > rke2-cluster1 > Projects/Namespaces
Click on Create Project
Name = dev1-user-project1
Under Project/Namespaces > "dev1-user-project1"
Click on Create Namespace
Log out as the dev1 user
Log in as the "admin1" user using the Log in with Keycloak option and the credentials set during Exercise-4.
Home> Explore Cluster > rke2-cluster1 > RBAC > Cluster Members
Click Add
Under the Select Members dropdown, select the group "junior-dev-group"
Under Cluster Permissions > select "custom-cluster-role1" and click on Create
Here, we have granted the custom cluster role only
Since the group also needs to see the project level view, we additionally assign the built-in role "View All Projects" and click Create
Finally, we have assigned all built-in and custom roles for the groups "senior-dev-group" and "junior-dev-group"
Log out as the admin1 user
Log in as the "dev3" user using the Log in with Keycloak option and the credentials set during Exercise-4.
You can notice that the dev3 user does not have the option to create new projects, but can create new namespaces in the existing projects.
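Each Cluster Members entry added through the UI in this exercise (cluster-admin-group1 as Owner, senior-dev-group as Member plus custom-cluster-role1, junior-dev-group as custom-cluster-role1 plus View All Projects) is stored by Rancher as one ClusterRoleTemplateBinding per group and role. The block below is an added example, not part of the original exercise, showing those bindings as manifests. Two values are placeholders you must fill from your own setup: <CLUSTER-ID> is the management id of rke2-cluster1 (the c-m-... id shown in the URL when the cluster is open), and the groupPrincipalName values are the Keycloak group principals exactly as Rancher stores them; the prefix differs between the Keycloak SAML and Keycloak OIDC providers, so copy it from a binding the UI already created rather than guessing. The built-in role ids cluster-owner, cluster-member and projects-view correspond to Owner, Member and View All Projects in the UI.

```yaml
# Added example: ClusterRoleTemplateBinding equivalents of the Cluster Members steps.
# Not part of the original exercise. Placeholders to replace before use:
#   <CLUSTER-ID>            management id of rke2-cluster1 (c-m-... style id)
#   <GROUP-PRINCIPAL-...>   Keycloak group principal as stored by Rancher
apiVersion: management.cattle.io/v3
kind: ClusterRoleTemplateBinding
metadata:
  name: crtb-cluster-admin-group1-owner
  namespace: <CLUSTER-ID>      # bindings live in the namespace named after the cluster id
clusterName: <CLUSTER-ID>
groupPrincipalName: <GROUP-PRINCIPAL-cluster-admin-group1>
roleTemplateName: cluster-owner   # built-in "Owner"
---
apiVersion: management.cattle.io/v3
kind: ClusterRoleTemplateBinding
metadata:
  name: crtb-senior-dev-group-member
  namespace: <CLUSTER-ID>
clusterName: <CLUSTER-ID>
groupPrincipalName: <GROUP-PRINCIPAL-senior-dev-group>
roleTemplateName: cluster-member  # built-in "Member"
---
apiVersion: management.cattle.io/v3
kind: ClusterRoleTemplateBinding
metadata:
  name: crtb-senior-dev-group-custom
  namespace: <CLUSTER-ID>
clusterName: <CLUSTER-ID>
groupPrincipalName: <GROUP-PRINCIPAL-senior-dev-group>
roleTemplateName: custom-cluster-role1   # inherits custom-project-role1
---
apiVersion: management.cattle.io/v3
kind: ClusterRoleTemplateBinding
metadata:
  name: crtb-junior-dev-group-custom
  namespace: <CLUSTER-ID>
clusterName: <CLUSTER-ID>
groupPrincipalName: <GROUP-PRINCIPAL-junior-dev-group>
roleTemplateName: custom-cluster-role1   # namespaces only, no cluster-member
---
apiVersion: management.cattle.io/v3
kind: ClusterRoleTemplateBinding
metadata:
  name: crtb-junior-dev-group-projects-view
  namespace: <CLUSTER-ID>
clusterName: <CLUSTER-ID>
groupPrincipalName: <GROUP-PRINCIPAL-junior-dev-group>
roleTemplateName: projects-view   # built-in "View All Projects"
```

The listing `kubectl get clusterroletemplatebindings -n <CLUSTER-ID>` on the Rancher management cluster is the audit point for this exercise: it should contain exactly these five group bindings, and the difference between the two developer groups is visible directly in the roleTemplateName column (senior-dev-group carries cluster-member, junior-dev-group does not), which is what produces the dev1 versus dev3 behaviour observed above.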
With this, we have successfully completed all required steps in Exercise 5: "Rancher role assignment and RBAC".
We are now ready to move on to Exercise 6: Configure Rancher Logging