
Manage role-based access control in Red Hat Advanced Cluster Security for Kubernetes version 3.63.0 and newer

Create and manage access for authorized users.


Red Hat Advanced Cluster Security for Kubernetes (RHACS) comes with role-based access control (RBAC) that you can use to configure roles and grant various levels of access to Red Hat Advanced Cluster Security for Kubernetes for different users.

If you are using Red Hat Advanced Cluster Security for Kubernetes 3.0.62 or older, see Managing access control in Red Hat Advanced Cluster Security for Kubernetes 3.0.62 and older.

Red Hat Advanced Cluster Security for Kubernetes 3.63.0 includes a scoped access control feature that enables you to configure fine-grained and specific sets of permissions that define how a given user or a group of users can interact with Red Hat Advanced Cluster Security for Kubernetes, which resources they can access, and which actions they can perform.

Scoped access controls are made of the following components:

  • Roles are pairs of a permission set and an access scope. You can assign roles to users and groups by specifying rules, which you configure when you configure an authentication provider. There are two types of roles in Red Hat Advanced Cluster Security for Kubernetes:

    • System roles, which are created by Red Hat and cannot be changed.
    • Custom roles, which Red Hat Advanced Cluster Security for Kubernetes administrators can create and change at any time.

    If you assign multiple roles to a user, the user gets the combined permissions of all assigned roles.

    If you delete a custom role that has users assigned to it, those users fall back to the minimum access role that you have configured.

  • A permission set is a set of permissions that defines which actions a role can perform on a given resource. Resources are the functionalities of Red Hat Advanced Cluster Security for Kubernetes for which you can set view (read) and modify (read and write) permissions. There are two types of permission sets in Red Hat Advanced Cluster Security for Kubernetes:

    • System permission sets, which are created by Red Hat and cannot be changed.

    • Custom permission sets, which Red Hat Advanced Cluster Security for Kubernetes administrators can create and change at any time.

  • Access scopes specify Kubernetes and OpenShift Container Platform resources that users can access. For example, you can define an access scope that only allows users to access information about pods in a given project. There are two types of access scopes in Red Hat Advanced Cluster Security for Kubernetes:

    • System access scopes, which are created by Red Hat and cannot be changed.

    • Custom access scopes, which Red Hat Advanced Cluster Security for Kubernetes administrators can create and change at any time.

Roles

Red Hat Advanced Cluster Security for Kubernetes includes some default system roles that you can apply to users when you create authentication rules. You can also create custom roles as required.

System role | Description
Admin | Provides read and write access to all resources.
Analyst | Provides read-only access to all resources.
Continuous Integration | Provides the permissions required by a Continuous Integration (CI) system to run security scans.
None | Used as the minimum access role for all users.
Sensor Creator | Provides the permissions needed to automate new cluster setups.

Viewing the permission set and access scope for a system role

You can view the permission set and access scope for the default system roles.

  1. On the RHACS portal, navigate to Platform Configuration → Access control.
  2. Select Roles.
  3. Click one of the roles to view its details. The details page shows the permission set and access scope for the selected role.

You cannot modify the permission set or access scope of the default system roles.

Creating a custom role

You can create new roles from the Access Control view.

  • To create, modify, and delete custom roles, you must have the Admin role, or a role whose permission set grants read and write permissions for the AuthProvider and Role resources.

  • You must create a permission set and an access scope for the custom role before creating the role.

  1. On the RHACS portal, navigate to Platform Configuration → Access control.
  2. Select the Roles tab.
  3. Click Add role.
  4. Enter a Name and Description for the new role.
  5. Select a Permission set for the role.
  6. Select an Access scope for the role.
  7. Click Save.


Assigning a role to a user or a group

You can use the RHACS portal to assign roles to a user or a group.

  1. On the RHACS portal, navigate to Platform Configuration → Access control.
  2. From the list of authentication providers, select the authentication provider.
  3. Click Edit minimum role and rules.
  4. Under the Rules section, click Add new rule.
  5. For Key, select one of the values from userid, name, email or group.
  6. For Value, enter the value of the user ID, name, email address or group based on the key you selected.
  7. Click the Role drop-down menu and select the role you want to assign.
  8. Click Save.

You can repeat these instructions for each user or group and assign different roles.

Permission sets

Red Hat Advanced Cluster Security for Kubernetes includes some default system permission sets that you can apply to roles. You can also create custom permission sets as required.

Permission set | Description
Admin | Provides read and write access to all resources.
Analyst | Provides read-only access to all resources.
Continuous Integration | Provides the permissions for CI (continuous integration) systems, including those required to enforce deployment policies.
None | No read or write permissions are allowed for any resource.
Sensor Creator | Provides permissions for the resources that are required to create Sensors in secured clusters.

Viewing the permissions for a system permission set

You can view the permissions for a system permission set in the RHACS portal.

  1. On the RHACS portal, navigate to Platform Configuration → Access control.
  2. Select Permission sets.
  3. Click on one of the permission sets to view its details. The details page shows a list of resources and their permissions for the selected permission set.

You cannot modify permissions for a system permission set.

Creating a custom permission set

You can create new permission sets from the Access Control view.

  • To create, modify, and delete permission sets, you must have the Admin role, or a role whose permission set grants read and write permissions for the AuthProvider and Role resources.

  1. On the RHACS portal, navigate to Platform Configuration → Access control.

  2. Select the Permission sets tab.

  3. Click Add permission set.

  4. Enter a Name and Description for the new permission set.

  5. For each resource, under the Access level column, select one of the permissions from No access, Read access, Read and Write access.

    • If you are configuring a permission set for users, you must grant at least read access to the following resources:

      • Alert
      • Cluster
      • Deployment
      • Image
      • NetworkPolicy
      • NetworkGraph
      • Policy
      • Secret

      These permissions are pre-selected when you create a new permission set. If you do not grant them, users will experience problems viewing pages in the RHACS portal.

  6. Click Save.
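The two rules above that are easy to get wrong in practice are that a user with several roles receives the union of their permission sets (and falls back to the minimum access role when an assigned role is deleted), and that a user-facing permission set needs read access on eight specific resources. The following added example, which is not RHACS code, models both rules; the permission sets, role names and access levels are constructed for illustration.

```python
# Added example (not RHACS code): models how the permission sets of a user's
# roles combine, and checks the read permissions a user-facing permission set
# must grant. Permission sets and roles below are constructed for illustration.
from typing import Dict, List

NO_ACCESS, READ, READ_WRITE = 0, 1, 2  # ordered so that max() expresses a union

# Resources a permission set intended for portal users must be able to read.
REQUIRED_READ_RESOURCES = ["Alert", "Cluster", "Deployment", "Image",
                           "NetworkPolicy", "NetworkGraph", "Policy", "Secret"]

# Constructed permission sets: resource -> access level (absent means no access).
PERMISSION_SETS: Dict[str, Dict[str, int]] = {
    "None": {},
    "Dashboard viewer": {r: READ for r in REQUIRED_READ_RESOURCES},
    "Policy editor": {"Policy": READ_WRITE, "Alert": READ, "Deployment": READ},
    "Broken viewer": {"Alert": READ, "Cluster": READ},  # misses most required reads
}

# Constructed roles: role name -> permission set name (access scope omitted here).
ROLES: Dict[str, str] = {"None": "None", "Viewer": "Dashboard viewer",
                         "Policy admin": "Policy editor"}


def effective_permissions(user_roles: List[str],
                          minimum_role: str = "None") -> Dict[str, int]:
    """Union of the permission sets of every role assigned to a user.

    A role that no longer exists (for example, a deleted custom role) is
    replaced by the configured minimum access role.
    """
    combined: Dict[str, int] = {}
    for role in user_roles:
        perm_set = PERMISSION_SETS[ROLES.get(role, ROLES[minimum_role])]
        for resource, level in perm_set.items():
            combined[resource] = max(combined.get(resource, NO_ACCESS), level)
    return combined


def missing_required_reads(perm_set: Dict[str, int]) -> List[str]:
    """Required resources for which the set grants less than read access."""
    return [r for r in REQUIRED_READ_RESOURCES if perm_set.get(r, NO_ACCESS) < READ]


if __name__ == "__main__":
    print(effective_permissions(["Viewer", "Policy admin"]))
    print(missing_required_reads(PERMISSION_SETS["Broken viewer"]))
```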

System access scopes

Red Hat Advanced Cluster Security for Kubernetes includes some default system access scopes that you can apply on roles. You can also create custom access scopes as required.

Access scope | Description
Unrestricted | Provides access to all clusters and namespaces that Red Hat Advanced Cluster Security for Kubernetes monitors.
Deny All | Provides no access to any Kubernetes and OpenShift Container Platform resources.

Viewing the details for a system access scope

You can view the Kubernetes and OpenShift Container Platform resources that are allowed and not allowed for an access scope in the RHACS portal.

  1. On the RHACS portal, navigate to Platform Configuration → Access control.
  2. Select Access scopes.
  3. Click on one of the access scopes to view its details. The details page shows a list of clusters and namespaces, and which ones are allowed for the selected access scope.

You cannot modify allowed resources for a system access scope.

Creating a custom access scope

You can create new access scopes from the Access Control view.

  • You must have the Admin role, or a role with the permission set with read and write permissions for the AuthProvider and Role resources to create, modify, and delete access scopes.
  1. On the RHACS portal, navigate to Platform Configuration → Access control.

  2. Select the Access scope tab.

  3. Click Add access scope.

  4. Enter a Name and Description for the new access scope.

  5. Under the Allowed resources section:

    • Use the Cluster filter and Namespace filter boxes to filter the list of clusters and namespaces visible in the list.

    • Expand the Cluster name to see the list of namespaces in that cluster.

    • Turn on the toggle under the Manual selection column for a cluster to allow access to all namespaces in that cluster.

      Access to a specific cluster provides users with access to the following resources within the scope of the cluster:

      • OpenShift Container Platform or Kubernetes cluster metadata and security information
      • Compliance information for authorized clusters
      • Node metadata and security information
      • Access to all namespaces in that cluster and their associated security information
    • Turn on the toggle under the Manual selection column for a namespace to allow access to that namespace.

      Access to a specific namespace gives access to the following information within the scope of the namespace:

      • Alerts and violations for deployments
      • Vulnerability data for images
      • Deployment metadata and security information
      • Role and user information
      • Network graph, policy, and baseline information for deployments
      • Process information and process baseline configuration
      • Prioritized risk information for each deployment

  6. If you want to allow access to clusters and namespaces based on labels, click Add label selector under the Label selection rules section. Then click Add rules to specify Key and Value pairs for the label selector. You can specify labels for clusters and namespaces.

  7. Click Save.
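The procedure above combines three ways of widening a scope: toggling a whole cluster (which implies every namespace in it), toggling a single namespace, and label selectors on clusters or namespaces. The following added example, which is not RHACS code, evaluates a constructed scope against a constructed inventory so you can see which namespaces each choice exposes; the label matching semantics (all key/value pairs of one selector must match, any selector suffices) are an assumption, and `AccessScope` and `visible_namespaces` are names introduced here.

```python
# Added example (not RHACS code): evaluates the access scope rules described
# above. Assumption: within one label selector every key/value pair must match
# (AND); a resource is allowed if any selector matches (OR).
from typing import Dict, List, Tuple

Labels = Dict[str, str]


def selector_matches(selectors: List[Labels], labels: Labels) -> bool:
    return any(all(labels.get(k) == v for k, v in sel.items()) for sel in selectors)


class AccessScope:
    def __init__(self, clusters: List[str], namespaces: List[Tuple[str, str]],
                 cluster_selectors: List[Labels], namespace_selectors: List[Labels]):
        self.clusters = set(clusters)        # whole clusters toggled on
        self.namespaces = set(namespaces)    # (cluster, namespace) pairs toggled on
        self.cluster_selectors = cluster_selectors
        self.namespace_selectors = namespace_selectors

    def allows(self, cluster: str, cluster_labels: Labels,
               namespace: str, namespace_labels: Labels) -> bool:
        # Cluster-level access implies every namespace in that cluster.
        if cluster in self.clusters or selector_matches(self.cluster_selectors, cluster_labels):
            return True
        if (cluster, namespace) in self.namespaces:
            return True
        return selector_matches(self.namespace_selectors, namespace_labels)


def visible_namespaces(scope: AccessScope, inventory) -> List[Tuple[str, str]]:
    """Filter (cluster, cluster_labels, namespace, namespace_labels) tuples."""
    return [(c, ns) for c, cl, ns, nl in inventory if scope.allows(c, cl, ns, nl)]


# Constructed scope: all of cluster "dev", namespace "frontend" in "prod",
# plus any namespace labelled team=payments in any cluster.
SCOPE = AccessScope(clusters=["dev"], namespaces=[("prod", "frontend")],
                    cluster_selectors=[], namespace_selectors=[{"team": "payments"}])

# Constructed inventory of what the secured clusters contain.
INVENTORY = [
    ("dev", {"env": "dev"}, "kube-system", {}),
    ("prod", {"env": "prod"}, "frontend", {"team": "web"}),
    ("prod", {"env": "prod"}, "billing", {"team": "payments"}),
    ("prod", {"env": "prod"}, "kube-system", {}),
]

if __name__ == "__main__":
    print(visible_namespaces(SCOPE, INVENTORY))
```

Note that a cluster toggle or a matching cluster selector exposes namespaces such as kube-system in that cluster even though they were never selected individually.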

API Resource definitions

The StackRox Kubernetes Security Platform includes multiple resources. The following table lists the resources and describes the actions that users can perform with the read or read_write permission.

Resource | Read permission | Write permission
APIToken | List existing API tokens. | Create new API tokens or revoke existing tokens.
Alert | View existing policy violations. | Resolve or edit policy violations.
AllComments | N/A | Delete comments from other users. All users can edit and delete their own comments by default. To add and remove comments or tags, you need a role with write permission for the resource you are modifying. For more information, see Comments and tags.
AuthPlugin | View existing authentication plugins. | Modify these configurations. (Local administrator only.)
AuthProvider | View existing configurations for single sign-on. | Modify these configurations.
BackupPlugins | View existing integrations with automated backup systems like AWS S3. | Modify these configurations.
CVE | Internal use only | Internal use only
Cluster | View existing secured clusters. | Add new secured clusters and modify or delete existing clusters.
Compliance | View compliance standards and results. | N/A
ComplianceRunSchedule | View scheduled compliance runs. | Create, modify, or delete scheduled compliance runs.
ComplianceRuns | View recent compliance runs and their completion status. | Trigger compliance runs.
Config | View options for data retention, security notices, and other related configurations. | Modify these configurations.
DebugLogs | View the current logging verbosity level in StackRox Kubernetes Security Platform components. Download the diagnostic bundle. Note: the diagnostic bundle contains information about all clusters and namespaces regardless of the user's access scope, so do not grant this permission to users with a limited access scope. | Modify the logging level.
Deployment | View deployments (workloads) in secured clusters. | N/A
Detection | Check build-time policies against images or deployment YAMLs. | N/A
Group | View the existing RBAC rules that match user metadata to StackRox roles. | Create, modify, or delete configured RBAC rules.
Image | View images, their components, and their vulnerabilities. | N/A
ImageComponent | Internal use only | Internal use only
ImageIntegration | List existing image registry integrations. | Create, edit, or delete image registry integrations.
ImbuedLogs | Internal use only | Internal use only
Indicator | View process activity in deployments. | N/A
K8sRole | View roles for Kubernetes role-based access control in secured clusters. | N/A
K8sRoleBinding | View role bindings for Kubernetes role-based access control in secured clusters. | N/A
K8sSubject | View users and groups for Kubernetes role-based access control in secured clusters. | N/A
Licenses | View the status of the existing license for the StackRox Kubernetes Security Platform. | Upload a new license key.
Namespace | View existing Kubernetes namespaces in secured clusters. | N/A
NetworkBaseline | View computed network baseline results. | Manually modify computed network baseline results.
NetworkGraph | View active and allowed network connections in secured clusters. | N/A
NetworkGraphConfig | View network graph configuration settings. | Modify network graph configuration settings.
NetworkPolicy | View existing network policies in secured clusters and simulate changes. | Apply network policy changes in secured clusters.
Node | View existing Kubernetes nodes in secured clusters. | N/A
Notifier | View existing integrations for notification systems like email, Jira, or webhooks. | Create, modify, or delete these integrations.
Policy | View existing system policies. | Create, modify, or delete system policies.
ProbeUpload | Read manifests for the uploaded probe files. | Upload support packages to Central.
ProcessWhitelist | View process baselines. | Add or remove processes from baselines.
Risk | View Risk results. | N/A
Role | View existing StackRox RBAC roles and their permissions. | Add, modify, or delete roles and their permissions.
ScannerBundle | Download the scanner bundle. | N/A
ScannerDefinitions | List existing image scanner integrations. | Create, modify, or delete image scanner integrations.
Secret | View metadata about secrets in secured clusters. | N/A
SensorUpgradeConfig | Check the status of automatic upgrades. | Disable or enable automatic upgrades for secured clusters.
ServiceAccount | List Kubernetes service accounts in secured clusters. | N/A
ServiceIdentity | View metadata about StackRox service-to-service authentication. | Revoke or reissue service-to-service authentication credentials.
User | View users that have accessed your StackRox instance, including the metadata that the authentication provider provides about them. | N/A
WatchedImage | View monitored images that aren't deployed in the cluster. | Configure images to watch for vulnerabilities.

© 2021 StackRox Inc. All rights reserved.