Manage role-based access control in StackRox Kubernetes Security Platform version 3.0.62 and older

Create and manage access for authorized users.


The StackRox Kubernetes Security Platform comes with Role-based access control (RBAC) that you can use to configure roles and grant various levels of access to the StackRox Kubernetes Security Platform to different users. These roles govern access to the StackRox Kubernetes Security Platform resources to prevent unwanted access.

  • Roles are a collection of rules, which are a group of read and write permissions that a user can exercise on a set of resources.
  • Resources are the functionalities of the StackRox Kubernetes Security Platform for which you can set view (read) and modify (write) permissions. See the API Resource definitions section to understand the access level that each permission grants.

To view the system roles or to create new roles:

  1. On the StackRox portal, navigate to Platform Configuration > Access control.
  2. Select the Roles and Permissions tab to view existing roles and their associated permissions.

Figure: Roles and permissions

System roles

The StackRox Kubernetes Security Platform includes some default system roles that you can assign to users. You can also create custom roles as required.

System role | Description
----------- | -----------
Admin | This role is targeted for administrators. It has read and write permissions for all resources.
Analyst | This role is targeted for a user who can't make any changes, but can view everything. It has read-only permissions for all resources.
Continuous Integration | This role is targeted for CI (Continuous Integration) systems and has read-only access to check images and deployment YAMLs against your policies.
None | This role has no read or write permissions. You can set this role as the minimum access role for all users.
Sensor Creator | The StackRox Kubernetes Security Platform uses this role to automate new cluster setups. You require this role to run the command roxctl sensor generate in a new secured cluster.

Custom roles

The StackRox Kubernetes Security Platform also allows you to create custom roles. You can create a custom role with one or more permissions and then grant that custom role to users. Creating custom roles enables you to enforce the principle of least privilege (PoLP). You can use these roles to give users or system accounts only those permissions that are essential to performing their intended functions.

You must have the Admin role, or read and write permissions for the AuthProvider and Role resources, to create, modify, and delete custom roles.

Create a custom role

You can create new roles from the Access Control view.

To create a new role:

  1. On the StackRox portal, navigate to Platform Configuration > Access control.

  2. Select the Roles and Permissions tab.

  3. From the StackRox Roles panel, select Add New Role.

  4. Enter a name for the role in Role Name.

  5. For each resource, under the Edit role column, select one of the permissions: No access, Read access, or Read and Write access.

     If you are configuring a role for users, you must grant read-only permissions for the following resources:

     • Alert
     • Cluster
     • Deployment
     • Image
     • NetworkPolicy
     • NetworkGraph
     • Policy
     • Secret

     These permissions are pre-selected when you create a new role.

     If you don't grant these permissions, users will experience issues loading pages.

  6. Select Save.

Modify permissions for a role

To modify a custom role:

  1. On the StackRox portal, navigate to Platform Configuration > Access control.
  2. Select the Roles and Permissions tab.
  3. From the StackRox Roles panel, select the name of the role you want to modify.
  4. Select Edit on the role details panel.
  5. Modify permissions as required, and then select Save to save the changes.

You can’t modify read and write permissions for the default system roles.

Delete a role

To delete a custom role:

  1. On the StackRox portal, navigate to Platform Configuration > Access control.
  2. Select the Roles and Permissions tab.
  3. From the StackRox Roles panel, hover over the name of the role you want to delete and select the Delete icon.
  • You can’t delete the default system roles.
  • If you have users assigned to a custom role, and you delete that role, all associated users transfer to the configured minimum access role.

Manage minimum access role

You can configure a Minimum access role that applies to all new users when they log in to the StackRox portal. To set a minimum access role, you must first configure an authentication provider.

  • The minimum access role is granted to all users who sign in with the authentication provider you configure.
  • To give users different roles, see Manage access for specific users or groups.
  • Set the minimum access role to None if you want to define permissions entirely by using specific rules.

To configure or change the minimum access role:

  1. On the StackRox portal, navigate to Platform Configuration > Access control.
  2. Under Auth Providers, select the authentication provider for which you want to configure the minimum access role.
  3. Select Edit Provider.
  4. Under section 2 Assign StackRox roles to your <auth-provider> users, select one of the roles from Minimum access role.
  5. Select Save.

Manage access for specific users or groups

In addition to setting up a Minimum access role, you can create rules that govern access to the StackRox Kubernetes Security Platform resources. You can create and apply these rules based on the metadata keys and values you set up in your authentication provider. These metadata keys are always dependent upon the configurations in your authentication provider. For example:

  • For OpenID Connect (OIDC) providers, the only allowed metadata keys are name, email, uid, and groups.
  • For Security Assertion Markup Language (SAML) based authentication providers, there are no restrictions, and you can define custom attributes as metadata keys.

To assign roles based on user metadata for your authentication provider:

  1. On the StackRox portal, navigate to Platform Configuration > Access control.
  2. Under Auth Providers, select the authentication provider for which you want to configure user roles.
  3. Select Edit Provider.
  4. Under section 2 Assign StackRox roles to your <auth-provider> users, select Add New Rule.
  5. Select Key to which this role applies.
  6. Select a Value for the key.
  7. Select the Role you want to assign to users matching the specified key and value.
  8. Select Save.
  • You can add more than one rule using the previous steps.
  • When you select Value, only values seen from users who have already signed in appear as options. You can type in custom values for users who haven't logged in yet.
  • If a user matches more than one of the defined rules, the user gets the permissions from every matching rule.
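The following Python model is an added example, not StackRox code or its API. It models the behaviour described in the custom role, minimum access role, and rule sections above: a role maps resources to No access, Read access, or Read and Write access; every user signing in through a provider gets the minimum access role; each rule whose key and value the user's metadata matches adds its role; and the user ends up with the permissions of every matching rule. The role names Viewer, AlertTriage, and PolicyAuthor, the user metadata for alice and bob, and the rules are constructed for the example. It assumes that combining roles means taking the highest access level granted for each resource, and it also checks the required read-only resources a user-facing role needs, which the page lists but does not enforce in code.

```python
"""Constructed model of StackRox RBAC evaluation as this page describes it.
Added illustration only: not StackRox code, and the role names, rules and
user metadata below are made up for the example."""
from enum import IntEnum


class Access(IntEnum):
    NONE = 0        # "No access"
    READ = 1        # "Read access"
    READ_WRITE = 2  # "Read and Write access"


# Default system roles from the page; they cannot be edited or deleted.
SYSTEM_ROLES = frozenset({"Admin", "Analyst", "Continuous Integration",
                          "None", "Sensor Creator"})
# Read-only resources every user-facing role needs (from the page);
# without them the portal fails to load pages.
REQUIRED_READ_RESOURCES = frozenset({
    "Alert", "Cluster", "Deployment", "Image",
    "NetworkPolicy", "NetworkGraph", "Policy", "Secret",
})
# Metadata keys an OIDC provider can supply in a rule (from the page).
OIDC_ALLOWED_KEYS = frozenset({"name", "email", "uid", "groups"})


def make_role(**perms):
    """Build a role as resource -> Access; unlisted resources get no access."""
    return {resource: Access(level) for resource, level in perms.items()}


def missing_required_reads(role):
    """Required resources on which the role grants less than read access."""
    return sorted(r for r in REQUIRED_READ_RESOURCES
                  if role.get(r, Access.NONE) < Access.READ)


def validate_rule(key, value, role_name, provider_type):
    """Reject rule keys the provider cannot supply: OIDC keys are fixed,
    SAML attributes are unrestricted."""
    if provider_type == "oidc" and key not in OIDC_ALLOWED_KEYS:
        raise ValueError(f"OIDC rule key {key!r} not one of "
                         f"{sorted(OIDC_ALLOWED_KEYS)}")
    return (key, value, role_name)


def user_matches(metadata, key, value):
    """A user matches a rule when the metadata key carries the value;
    'groups' is multi-valued, so list membership counts as a match."""
    actual = metadata.get(key)
    if isinstance(actual, (list, tuple, set)):
        return value in actual
    return actual == value


def effective_access(metadata, roles, minimum_role, rules):
    """Union of the minimum access role and every rule the user matches.
    Assumption: union means the highest level any granted role gives
    per resource."""
    granted = [roles[minimum_role]]
    granted += [roles[role] for key, value, role in rules
                if user_matches(metadata, key, value)]
    merged = {}
    for role in granted:
        for resource, level in role.items():
            merged[resource] = max(merged.get(resource, Access.NONE), level)
    return merged


def delete_role(roles, rules, name):
    """Delete a custom role; rules that granted it go away, so the users
    they matched fall back to the minimum access role."""
    if name in SYSTEM_ROLES:
        raise ValueError(f"system role {name!r} cannot be deleted")
    del roles[name]
    return [rule for rule in rules if rule[2] != name]


def build_roles():
    """Constructed sample roles (hypothetical names, not StackRox defaults)."""
    return {
        "None": make_role(),
        "Viewer": {r: Access.READ for r in REQUIRED_READ_RESOURCES},
        # Deliberately narrow: lacks the required reads, so it only works
        # on top of a minimum access role that supplies them.
        "AlertTriage": make_role(Alert=Access.READ_WRITE),
        "PolicyAuthor": make_role(Policy=Access.READ_WRITE,
                                  Detection=Access.READ),
    }


def build_rules():
    """Constructed OIDC rules as (key, value, role) tuples."""
    return [validate_rule("groups", "sec-ops", "AlertTriage", "oidc"),
            validate_rule("email", "alice@example.com", "PolicyAuthor", "oidc")]


# Constructed user metadata as an OIDC provider might return it.
ALICE = {"name": "Alice", "email": "alice@example.com", "uid": "u-1",
         "groups": ["sec-ops", "dev"]}
BOB = {"name": "Bob", "email": "bob@example.com", "uid": "u-2",
       "groups": ["dev"]}

if __name__ == "__main__":
    roles, rules = build_roles(), build_rules()
    print("AlertTriage lacks reads on:", missing_required_reads(roles["AlertTriage"]))
    for who, user in (("alice", ALICE), ("bob", BOB)):
        print(who, {r: a.name for r, a in sorted(effective_access(user, roles, "Viewer", rules).items())})
    rules = delete_role(roles, rules, "PolicyAuthor")
    print("alice Policy after delete:", effective_access(ALICE, roles, "Viewer", rules)["Policy"].name)
```

Running the script shows alice getting write access on Alert (from the groups rule) and Policy (from the email rule) on top of the Viewer reads, bob getting only the Viewer reads, and alice dropping back to read access on Policy once the PolicyAuthor role is deleted. Setting the minimum access role to "None" makes a user with no matching rule end up with no access at all, which is the configuration the page recommends when rules should define permissions entirely.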

API Resource definitions

The StackRox Kubernetes Security Platform includes multiple resources. The following table lists the resources and describes the actions that users can perform with the read or write permission.

Resource | Read permission | Write permission
-------- | --------------- | ----------------
APIToken | List existing API tokens. | Create new API tokens or revoke existing tokens.
Alert | View existing policy violations. | Resolve or edit policy violations.
AllComments | N/A | Delete comments from other users. All users can edit and delete their own comments by default. To add and remove comments or tags, you need a role with write permission for the resource you are modifying. For more information, see Comments and tags.
AuthPlugin | View existing Authentication Plugins. | Modify these configurations. (Local administrator only.)
AuthProvider | View existing configurations for single-sign-on. | Modify these configurations.
BackupPlugins | View existing integrations with automated backup systems like AWS S3. | Modify these configurations.
CVE | Internal use only. | Internal use only.
Cluster | View existing secured clusters. | Add new secured clusters and modify or delete existing clusters.
Compliance | View compliance standards and results. | N/A
ComplianceRunSchedule | View scheduled compliance runs. | Create, modify, or delete scheduled compliance runs.
ComplianceRuns | View recent compliance runs and their completion status. | Trigger compliance runs.
Config | View options for data retention, security notices, and other related configurations. | Modify these configurations.
DebugLogs | View the current logging verbosity level in StackRox components. | Modify the logging level.
Deployment | View deployments (workloads) in secured clusters. | N/A
Detection | Check build-time policies against images or deployment YAMLs. | N/A
Group | View the existing RBAC rules that match user metadata to StackRox roles. | Create, modify, or delete configured RBAC rules.
Image | View images, their components, and their vulnerabilities. | N/A
ImageComponent | Internal use only. | Internal use only.
ImageIntegration | List existing image registry integrations. | Create, edit, or delete image registry integrations.
ImbuedLogs | Internal use only. | Internal use only.
Indicator | View process activity in deployments. | N/A
K8sRole | View roles for Kubernetes role-based access control in secured clusters. | N/A
K8sRoleBinding | View role bindings for Kubernetes role-based access control in secured clusters. | N/A
K8sSubject | View users and groups for Kubernetes role-based access control in secured clusters. | N/A
Licenses | View the status of the existing license for the StackRox Kubernetes Security Platform. | Upload a new license key.
Namespace | View existing Kubernetes namespaces in secured clusters. | N/A
NetworkBaseline | View computed network baseline results. | Manually modify computed network baseline results.
NetworkGraph | View active and allowed network connections in secured clusters. | N/A
NetworkGraphConfig | View network graph configuration settings. | Modify network graph configuration settings.
NetworkPolicy | View existing network policies in secured clusters and simulate changes. | Apply network policy changes in secured clusters.
Node | View existing Kubernetes nodes in secured clusters. | N/A
Notifier | View existing integrations for notification systems like email, Jira, or webhooks. | Create, modify, or delete these integrations.
Policy | View existing system policies. | Create, modify, or delete system policies.
ProbeUpload | Read manifests for the uploaded probe files. | Upload support packages to Central.
ProcessWhitelist | View process baselines. | Add or remove processes from baselines.
Risk | View Risk results. | N/A
Role | View existing StackRox RBAC roles and their permissions. | Add, modify, or delete roles and their permissions.
ScannerBundle | Download the scanner bundle. | N/A
ScannerDefinitions | List existing image scanner integrations. | Create, modify, or delete image scanner integrations.
Secret | View metadata about secrets in secured clusters. | N/A
SensorUpgradeConfig | Check the status of automatic upgrades. | Disable or enable automatic upgrades for secured clusters.
ServiceAccount | List Kubernetes service accounts in secured clusters. | N/A
ServiceIdentity | View metadata about StackRox service-to-service authentication. | Revoke or reissue service-to-service authentication credentials.
User | View users that have accessed your StackRox instance, including the metadata that the authentication provider provides about them. | N/A
WatchedImage | View monitored images that aren't deployed in the cluster. | Configure images to watch for vulnerabilities.


© 2021 StackRox Inc. All rights reserved.