The documentation is under development and may contain incomplete information.

Description

DVP provides a standard set of roles for managing access to project and cluster resources. There are two types of roles:

  • Use roles: Assigned to project users, allowing them to manage resources within a specified project.
  • Manage roles: Intended for DVP administrators, granting them permissions to manage resources at the platform-wide level.

Platform permissions are configured using the standard Kubernetes RBAC approach: a RoleBinding or ClusterRoleBinding assigns one of the roles described below to a user, group, or service account. Note that the API server accepts a binding whose roleRef names a ClusterRole that does not exist; such a binding simply grants nothing, so confirm the role name (for example, with kubectl get clusterrole <name>) before relying on it.

Use roles

Use roles grant a user permissions within a specified project and define access to project resources. Bind them only with a RoleBinding in the project's namespace: a RoleBinding limits the role's permissions to that namespace, whereas a ClusterRoleBinding would grant them in every project.

DVP provides the following use roles:

  • d8:use:role:viewer: Allows viewing project resources and authenticating to the cluster.
  • d8:use:role:user: Includes all permissions from the d8:use:role:viewer role and also allows viewing RBAC secrets and resources, connecting to virtual machines, and running the d8 k proxy command.
  • d8:use:role:manager: Includes all permissions from the d8:use:role:user role and also allows managing project resources.
  • d8:use:role:admin: Includes all permissions from the d8:use:role:manager role and also allows managing the following resources: ResourceQuota, ServiceAccount, Role, RoleBinding, NetworkPolicy, and VirtualImage.

Example of administrator permissions granted to the joe user in the vms project:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: project-admin-joe
  namespace: vms
subjects:
- kind: User
  name: joe@example.com # For users.deckhouse.io, the parameter is .spec.email
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: d8:use:role:admin
  apiGroup: rbac.authorization.k8s.io

Example of administrator permissions granted to the vms-admins user group in the vms project:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: project-admin-vms-admins # Must not collide with other RoleBindings in the namespace
  namespace: vms
subjects:
- kind: Group
  name: vms-admins # For groups.deckhouse.io, the parameter is .spec.name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: d8:use:role:admin
  apiGroup: rbac.authorization.k8s.io
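The following lint, an added example that is not part of the DVP documentation or code base, checks a set of binding manifests against the conventions described above before they are applied. It relies only on plain Kubernetes RBAC semantics: a use role (d8:use:role:*) must go through a namespaced RoleBinding, since the same ClusterRole bound with a ClusterRoleBinding would apply in every project; a manage role (d8:manage:<SUBSYSTEM>:<ACCESS_LEVEL>) must go through a ClusterRoleBinding, because a RoleBinding cannot grant access to cluster-scoped resources such as ModuleConfig; and two RoleBindings with the same name in one namespace are not two grants but one object, the second apply replacing the first one's subjects. The role name patterns are taken from this page; the manage access level is not validated because the page lists viewer and manager but also binds an admin level in its examples. Manifests are passed as dicts, i.e. what yaml.safe_load() returns; the sample set and the helper that builds it are constructed for the example.

```python
"""Pre-apply lint for DVP use/manage role bindings (added example, not DVP code)."""
import re
from collections import Counter

USE_ROLE = re.compile(r"^d8:use:role:(viewer|user|manager|admin)$")
# Only the name shape is checked for manage roles; the access level is left open.
MANAGE_ROLE = re.compile(r"^d8:manage:([a-z]+):([a-z]+)$")
RBAC_API = "rbac.authorization.k8s.io"


def lint_bindings(manifests):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    rb_names = Counter()  # (namespace, name) -> occurrences among RoleBindings
    for m in manifests:
        kind = m.get("kind")
        if kind not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        meta = m.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        ns = meta.get("namespace")
        ref = m.get("roleRef", {})
        role = ref.get("name", "")
        where = f"{kind}/{name}" + (f" in {ns}" if ns else "")

        if ref.get("kind") != "ClusterRole":
            findings.append(f"{where}: roleRef.kind must be ClusterRole for d8 roles")
        is_use = USE_ROLE.match(role) is not None
        is_manage = MANAGE_ROLE.match(role) is not None
        if not (is_use or is_manage):
            findings.append(f"{where}: roleRef.name {role!r} is not a d8 use or manage role")

        if kind == "RoleBinding":
            if not ns:
                findings.append(f"{where}: RoleBinding needs metadata.namespace (the project)")
            if is_manage:
                findings.append(f"{where}: manage role {role} bound with a RoleBinding; "
                                "cluster-scoped resources stay inaccessible")
            rb_names[(ns, name)] += 1
        elif is_use:
            findings.append(f"{where}: use role {role} bound with a ClusterRoleBinding "
                            "would apply in every namespace; use a RoleBinding")
    for (ns, name), n in rb_names.items():
        if n > 1:
            findings.append(f"RoleBinding/{name} in {ns}: defined {n} times; "
                            "applying the second replaces the first one's subjects")
    return findings


def _binding(kind, name, subject_kind, subject, role, namespace=None):
    """Build a binding dict in the shape of the YAML examples above (example helper)."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {
        "apiVersion": f"{RBAC_API}/v1",
        "kind": kind,
        "metadata": meta,
        "subjects": [{"kind": subject_kind, "name": subject, "apiGroup": RBAC_API}],
        "roleRef": {"kind": "ClusterRole", "name": role, "apiGroup": RBAC_API},
    }


# Constructed sample: the two project bindings from this page, with the group
# binding keeping the copy-pasted name project-admin-joe, plus two bindings
# that use the wrong binding kind for their role type.
SAMPLE = [
    _binding("RoleBinding", "project-admin-joe", "User", "joe@example.com",
             "d8:use:role:admin", namespace="vms"),
    _binding("RoleBinding", "project-admin-joe", "Group", "vms-admins",
             "d8:use:role:admin", namespace="vms"),
    _binding("ClusterRoleBinding", "viewers-everywhere", "Group", "auditors",
             "d8:use:role:viewer"),
    _binding("RoleBinding", "net-admin-joe", "User", "joe@example.com",
             "d8:manage:networking:admin", namespace="vms"),
]

if __name__ == "__main__":
    for finding in lint_bindings(SAMPLE):
        print("-", finding)
```

Run on the sample, the first binding alone is clean and the full set yields three findings: the use role bound cluster-wide, the manage role bound per namespace, and the duplicated RoleBinding name.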

Manage roles

Manage roles grant permissions to manage the following:

  • DVP cluster resources
  • DVP module settings
  • Module components in projects with the d8-* and kube-* prefixes

DVP provides the following manage roles for the all subsystem, which covers every subsystem of the cluster:

  • d8:manage:all:viewer: Grants permissions to view module configurations (moduleConfig resources) and access cluster-wide resources of these modules.
  • d8:manage:all:manager: Includes all permissions from the viewer role and also allows managing module configurations and cluster-wide resources of these modules.

Example of cluster administrator permissions granted to the joe user:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-joe
subjects:
- kind: User
  name: joe@example.com # For users.deckhouse.io, the parameter is .spec.email
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: d8:manage:all:admin # Manage role name
  apiGroup: rbac.authorization.k8s.io

Manage roles can also be restricted to a single subsystem, granting an administrator permissions only over the resources and modules of that subsystem.

To assign network subsystem administrator permissions to the joe user, use the following configuration:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: network-admin-joe
subjects:
- kind: User
  name: joe@example.com # For users.deckhouse.io, the parameter is .spec.email
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: d8:manage:networking:admin # Manage role name
  apiGroup: rbac.authorization.k8s.io

Subsystem management role names follow the d8:manage:<SUBSYSTEM>:<ACCESS_LEVEL> format, where:

  • <SUBSYSTEM> indicates the subsystem name.
  • <ACCESS_LEVEL> indicates the access level; the same access levels are available as for the all subsystem.

The subsystems available for manage roles are listed in the following table:

For each subsystem, the modules it covers and the namespaces in which those modules operate:

all
  Modules: all modules
  Namespaces: all namespaces

deckhouse
  Modules:
    • deckhouse
    • multitenancy-manager
  Namespaces:
    • d8-multitenancy-manager
    • d8-system

infrastructure
  Modules:
    • ceph-csi
    • chrony
    • cloud-provider-aws
    • cloud-provider-azure
    • cloud-provider-gcp
    • cloud-provider-openstack
    • cloud-provider-vcd
    • cloud-provider-vsphere
    • cloud-provider-yandex
    • cloud-provider-zvirt
    • descheduler
    • istio
    • keepalived
    • local-path-provisioner
    • loki
    • node-manager
    • pod-reloader
    • snapshot-controller
    • terraform-manager
    • vertical-pod-autoscaler
  Namespaces:
    • d8-ceph-csi
    • d8-chrony
    • d8-cloud-instance-manager
    • d8-cloud-provider-aws
    • d8-cloud-provider-azure
    • d8-cloud-provider-gcp
    • d8-cloud-provider-openstack
    • d8-cloud-provider-vcd
    • d8-cloud-provider-vsphere
    • d8-cloud-provider-yandex
    • d8-cloud-provider-zvirt
    • d8-descheduler
    • d8-istio
    • d8-keepalived
    • d8-local-path-provisioner
    • d8-monitoring
    • d8-pod-reloader
    • d8-snapshot-controller
    • d8-system
    • kube-system

kubernetes
  Modules:
    • control-plane-manager
    • flow-schema
    • kube-dns
    • kube-proxy
    • priority-class
  Namespaces:
    • kube-system

networking
  Modules:
    • cilium-hubble
    • cni-cilium
    • cni-flannel
    • cni-simple-bridge
    • flow-schema
    • ingress-nginx
    • istio
    • kube-dns
    • kube-proxy
    • metallb
    • network-gateway
    • network-policy-engine
    • node-local-dns
    • openvpn
    • static-routing-manager
  Namespaces:
    • d8-cni-cilium
    • d8-cni-flannel
    • d8-cni-simple-bridge
    • d8-ingress-nginx
    • d8-istio
    • d8-metallb
    • d8-network-gateway
    • d8-openvpn
    • d8-static-routing-manager
    • d8-system
    • kube-system

observability
  Modules:
    • dashboard
    • extended-monitoring
    • log-shipper
    • monitoring-applications
    • monitoring-custom
    • monitoring-deckhouse
    • monitoring-kubernetes
    • monitoring-kubernetes-control-plane
    • monitoring-ping
    • okmeter
    • operator-prometheus
    • prometheus
    • prometheus-metrics-adapter
    • prometheus-pushgateway
    • upmeter
  Namespaces:
    • d8-dashboard
    • d8-log-shipper
    • d8-monitoring
    • d8-okmeter
    • d8-operator-prometheus
    • d8-upmeter
    • kube-prometheus-pushgateway

security
  Modules:
    • admission-policy-engine
    • cert-manager
    • operator-trivy
    • runtime-audit-engine
    • secret-copier
    • user-authn
    • user-authz
  Namespaces:
    • d8-admission-policy-engine
    • d8-cert-manager
    • d8-operator-trivy
    • d8-runtime-audit-engine
    • d8-user-authn

storage
  Modules:
    • ceph-csi
    • snapshot-controller
  Namespaces:
    • d8-ceph-csi
    • d8-snapshot-controller
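Several namespaces appear under more than one subsystem (kube-system and d8-system under three of them, d8-istio, d8-monitoring, d8-ceph-csi and d8-snapshot-controller under two), so a subsystem-scoped manage role still reaches module components that other subsystems depend on. The script below, an added example that is not part of DVP, parses role names of the d8:manage:<SUBSYSTEM>:<ACCESS_LEVEL> form, validates the subsystem against the table above, and reports for each subject of a set of ClusterRoleBindings the union of namespaces its manage roles reach. The namespace column of the table is transcribed into the script (module names omitted); the sample bindings and the helper that builds them are constructed for the example.

```python
"""Namespace reach of DVP manage roles per subject (added example, not DVP code)."""
import re
from collections import Counter

# Namespace column of the subsystem table above; "all" means every namespace.
SUBSYSTEM_NAMESPACES = {
    "deckhouse": {"d8-multitenancy-manager", "d8-system"},
    "infrastructure": {
        "d8-ceph-csi", "d8-chrony", "d8-cloud-instance-manager",
        "d8-cloud-provider-aws", "d8-cloud-provider-azure", "d8-cloud-provider-gcp",
        "d8-cloud-provider-openstack", "d8-cloud-provider-vcd",
        "d8-cloud-provider-vsphere", "d8-cloud-provider-yandex",
        "d8-cloud-provider-zvirt", "d8-descheduler", "d8-istio", "d8-keepalived",
        "d8-local-path-provisioner", "d8-monitoring", "d8-pod-reloader",
        "d8-snapshot-controller", "d8-system", "kube-system",
    },
    "kubernetes": {"kube-system"},
    "networking": {
        "d8-cni-cilium", "d8-cni-flannel", "d8-cni-simple-bridge", "d8-ingress-nginx",
        "d8-istio", "d8-metallb", "d8-network-gateway", "d8-openvpn",
        "d8-static-routing-manager", "d8-system", "kube-system",
    },
    "observability": {
        "d8-dashboard", "d8-log-shipper", "d8-monitoring", "d8-okmeter",
        "d8-operator-prometheus", "d8-upmeter", "kube-prometheus-pushgateway",
    },
    "security": {
        "d8-admission-policy-engine", "d8-cert-manager", "d8-operator-trivy",
        "d8-runtime-audit-engine", "d8-user-authn",
    },
    "storage": {"d8-ceph-csi", "d8-snapshot-controller"},
}
ROLE_RE = re.compile(r"^d8:manage:([a-z]+):([a-z]+)$")


def parse_manage_role(name):
    """Split a manage role name into (subsystem, access_level); raise on bad input."""
    m = ROLE_RE.match(name)
    if not m:
        raise ValueError(f"{name!r} is not of the form d8:manage:<SUBSYSTEM>:<ACCESS_LEVEL>")
    subsystem, level = m.groups()
    if subsystem != "all" and subsystem not in SUBSYSTEM_NAMESPACES:
        raise ValueError(f"unknown subsystem {subsystem!r} in {name!r}")
    return subsystem, level


def reach(cluster_role_bindings):
    """Map 'Kind:name' of each subject to its manage roles and reachable namespaces.

    'namespaces' is a set, or the string '*' once any d8:manage:all:* role is bound.
    """
    out = {}
    for b in cluster_role_bindings:
        if b.get("kind") != "ClusterRoleBinding":
            continue  # manage roles are bound cluster-wide; RoleBindings are skipped
        subsystem, level = parse_manage_role(b["roleRef"]["name"])
        for s in b.get("subjects", []):
            entry = out.setdefault(f"{s['kind']}:{s['name']}",
                                   {"roles": [], "namespaces": set()})
            entry["roles"].append((subsystem, level))
            if subsystem == "all":
                entry["namespaces"] = "*"
            elif entry["namespaces"] != "*":
                entry["namespaces"] |= SUBSYSTEM_NAMESPACES[subsystem]
    return out


def shared_namespaces():
    """Namespaces listed under more than one subsystem, with the subsystem count."""
    counts = Counter(ns for nss in SUBSYSTEM_NAMESPACES.values() for ns in nss)
    return {ns: n for ns, n in counts.items() if n > 1}


def _crb(name, subject_kind, subject, role):
    """Build a ClusterRoleBinding dict like the YAML examples above (example helper)."""
    api = "rbac.authorization.k8s.io"
    return {"apiVersion": f"{api}/v1", "kind": "ClusterRoleBinding",
            "metadata": {"name": name},
            "subjects": [{"kind": subject_kind, "name": subject, "apiGroup": api}],
            "roleRef": {"kind": "ClusterRole", "name": role, "apiGroup": api}}


# Constructed sample: the networking binding from this page plus a storage viewer group.
SAMPLE = [
    _crb("network-admin-joe", "User", "joe@example.com", "d8:manage:networking:admin"),
    _crb("storage-viewer-ops", "Group", "ops", "d8:manage:storage:viewer"),
]

if __name__ == "__main__":
    for subject, info in reach(SAMPLE).items():
        print(subject, info["roles"], sorted(info["namespaces"]))
    print("namespaces shared across subsystems:", shared_namespaces())
```

For the sample, joe's networking role reaches eleven namespaces, including kube-system and d8-system, while the ops group is confined to the two storage namespaces; a role name with an unknown subsystem is rejected before any binding is evaluated.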