Red Hat Advanced Cluster Security for Kubernetes (RHACS) comes with role-based access control (RBAC) that you can use to configure roles and grant various levels of access to Red Hat Advanced Cluster Security for Kubernetes for different users.
In Red Hat Advanced Cluster Security for Kubernetes 3.63, a scoped access control feature has been added. If you are using Red Hat Advanced Cluster Security for Kubernetes 3.63 or newer, see Managing access control in Red Hat Advanced Cluster Security for Kubernetes 3.63 and newer.
In Red Hat Advanced Cluster Security for Kubernetes 3.0.62 and older, different roles govern access to Red Hat Advanced Cluster Security for Kubernetes resources to prevent unwanted access.
Roles are collections of rules; each rule is a set of read and write permissions that a user holds on a set of resources.
Resources are the functionalities of Red Hat Advanced Cluster Security for Kubernetes for which you can set view (read) and modify (write) permissions.
See the Resource definitions section to understand the access level that each permission grants.
Red Hat Advanced Cluster Security for Kubernetes includes some default system roles that you can apply on users. You can also create custom roles as required.
System role | Description |
---|---|
Admin | This role is targeted for administrators. It has |
Analyst | This role is targeted for a user who cannot make any changes, but can view everything. It has read-only permissions for all resources. |
Continuous Integration | This role is targeted for CI (Continuous Integration) systems and has read-only access to check images and deployment YAML against your policies. |
None | This role has no read and write permissions. You can set this role as the minimum access role for all users. |
Sensor Creator | Red Hat Advanced Cluster Security for Kubernetes uses this role to automate new cluster setups. You require this role to run the command |
You can view the permissions for the default system roles.
1. On the RHACS portal, navigate to Platform Configuration → Access control.
2. Click on the Roles and Permissions tab.
3. Click on one of the roles to view its associated permissions for each resource.
You cannot modify
Red Hat Advanced Cluster Security for Kubernetes also allows you to create custom roles. You can create a custom role with one or more permissions and then grant that custom role to users. Creating custom roles enables you to enforce the principle of least privilege (PoLP). You can use these roles to give users or system accounts only those permissions that are essential to performing their intended functions.
You can create new roles from the Access Control view.
You must have the Admin role, or read and write permissions for the AuthProvider and Role resources to create, modify, and delete custom roles.
1. On the RHACS portal, navigate to Platform Configuration → Access control.
2. Click the Roles and Permissions tab.
3. From the StackRox Roles panel, click Add New Role.
4. Enter a name for the role in Role Name.
5. For each resource, under the Edit role column, select one of the permissions from No access, Read access, Read and Write access.
6. Click Save.
From the Access Control view, you can modify permissions for the custom roles that you have created.
You must have the Admin role, or read and write permissions for the AuthProvider and Role resources to create, modify, and delete custom roles.
1. On the RHACS portal, navigate to Platform Configuration → Access control.
2. Click on the Roles and Permissions tab.
3. From the StackRox Roles panel, select the name of the role you want to modify.
4. Click Edit on the role details panel.
5. Modify permissions as required, and then click Save to save the changes.
You cannot modify
From the Access Control view, you can delete the custom roles that you have created.
You must have the Admin role, or read and write permissions for the AuthProvider and Role resources to create, modify, and delete custom roles.
1. On the RHACS portal, navigate to Platform Configuration → Access control.
2. Click on the Roles and Permissions tab.
3. From the StackRox Roles panel, hover over the name of the role you want to delete and click the Delete icon.
You can configure a minimum access role that applies to all new users when they log in to the RHACS portal. To set a minimum access role, you must first configure an authentication provider.
You must have the Admin role, or read and write permissions for the AuthProvider and Role resources to create, modify, and delete custom roles.
1. On the RHACS portal, navigate to Platform Configuration → Access control.
2. Under Auth Providers, select the authentication provider for which you want to configure the minimum access role.
3. Click Edit Provider.
4. Under section 2 Assign StackRox roles to your <auth_provider> users, select one of the roles from Minimum access role.
5. Click Save.
In addition to setting up a Minimum access role, you can create rules that govern access to Red Hat Advanced Cluster Security for Kubernetes resources. You can create and apply these rules based on the metadata keys and values you set up in your authentication provider.
The metadata keys are always dependent upon the configurations in your authentication provider. For example:
You must have the Admin role, or read and write permissions for the AuthProvider and Role resources to create, modify, and delete custom roles.
1. On the RHACS portal, navigate to Platform Configuration → Access control.
2. Under Auth Providers, select the authentication provider for which you want to configure user roles.
3. Click Edit Provider.
4. Under section 2 Assign StackRox roles to your <auth_provider> users, click on Add New Rule.
5. Click on the Key to which this role applies.
6. Select a Value for the key.
7. Select the Role you want to assign to users matching the specified key and value.
8. Click Save.
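As an added example, and not code from RHACS or Red Hat, the following Python script models the concepts described on this page: roles as per-resource access levels (No access, Read access, Read and Write access), auth-provider rules that match a user's metadata key and value to a role, the minimum access role, and the stated prerequisite for managing custom roles (Admin, or read and write on AuthProvider and Role). The rules, users and the RoleManager role are constructed for the example. Two assumptions are not stated on the page and are marked in the code: that a user's effective access to a resource is the highest level any assigned role grants, and that the Continuous Integration role consists of read access on Detection and Image.

```python
"""Toy model of the RHACS 3.0.x role model described above.

Added example, not RHACS code. Assumptions (not stated on the page):
- a user's effective access to a resource is the highest level granted
  by any role assigned to them;
- the minimum access role is assigned to every user in addition to the
  roles granted by matching rules;
- the Continuous Integration role is read access on Detection and Image.
"""
from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    """The three choices offered per resource when editing a role."""
    NO_ACCESS = 0
    READ_ACCESS = 1
    READ_WRITE_ACCESS = 2


# Subset of the resource names from the page's resource table.
RESOURCES = ("APIToken", "Alert", "AuthProvider", "Cluster", "Deployment",
             "Detection", "Image", "Policy", "Role")


@dataclass(frozen=True)
class Role:
    name: str
    permissions: dict  # resource name -> Access; an absent resource means No access

    def access(self, resource: str) -> Access:
        return self.permissions.get(resource, Access.NO_ACCESS)


def all_resources(level: Access) -> dict:
    return {resource: level for resource in RESOURCES}


ROLES = {
    "Admin": Role("Admin", all_resources(Access.READ_WRITE_ACCESS)),
    "Analyst": Role("Analyst", all_resources(Access.READ_ACCESS)),
    "None": Role("None", {}),
    # Assumed shape: read-only on what is needed to check images and YAML.
    "Continuous Integration": Role("Continuous Integration",
                                   {"Detection": Access.READ_ACCESS,
                                    "Image": Access.READ_ACCESS}),
    # Constructed custom least-privilege role for someone who only manages RBAC.
    "RoleManager": Role("RoleManager",
                        {"AuthProvider": Access.READ_WRITE_ACCESS,
                         "Role": Access.READ_WRITE_ACCESS}),
}


@dataclass(frozen=True)
class Rule:
    """One auth-provider rule: users whose metadata has key=value get role."""
    key: str
    value: str
    role: str


def resolve_roles(user_metadata: dict, rules: list, minimum_access_role: str) -> list:
    """Roles for a user: the minimum access role plus every matching rule's role.

    A metadata value may be a single string or a list (for example a groups
    claim); a rule matches when its value equals, or is contained in, the
    user's value for that key.
    """
    roles = [minimum_access_role]
    for rule in rules:
        value = user_metadata.get(rule.key)
        values = value if isinstance(value, list) else [value]
        if rule.value in values and rule.role not in roles:
            roles.append(rule.role)
    return roles


def effective_access(role_names: list, resource: str) -> Access:
    """Highest access level any of the roles grants on the resource (assumed union)."""
    return max((ROLES[name].access(resource) for name in role_names),
               default=Access.NO_ACCESS)


def is_allowed(role_names: list, resource: str, action: str) -> bool:
    """action is "read" (view) or "write" (modify)."""
    needed = Access.READ_ACCESS if action == "read" else Access.READ_WRITE_ACCESS
    return effective_access(role_names, resource) >= needed


def can_manage_custom_roles(role_names: list) -> bool:
    """The page's prerequisite: Admin, or read and write on AuthProvider and Role."""
    return (is_allowed(role_names, "AuthProvider", "write")
            and is_allowed(role_names, "Role", "write"))


# Constructed rules, standing in for an auth provider's configuration.
RULES = [
    Rule("groups", "platform-admins", "Admin"),
    Rule("groups", "security-readers", "Analyst"),
    Rule("email", "ci-bot@example.com", "Continuous Integration"),
]


if __name__ == "__main__":
    # Constructed users: a CI account, a developer in a reader group, and a
    # brand-new login that matches no rule and so only gets the minimum role.
    for user in ({"email": "ci-bot@example.com"},
                 {"email": "dev@example.com", "groups": ["developers", "security-readers"]},
                 {"email": "new@example.com"}):
        roles = resolve_roles(user, RULES, "None")
        print(user["email"], roles,
              "Detection/read:", is_allowed(roles, "Detection", "read"),
              "Policy/write:", is_allowed(roles, "Policy", "write"))
```

Setting the minimum access role to None means a new login that matches no rule can see nothing until a rule or an administrator grants it a role, which is the least-privilege default the page recommends.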
Red Hat Advanced Cluster Security for Kubernetes includes multiple resources. The following table lists the resources and describes the actions that users can perform with the read or write permission.
Resource | Read permission | Write permission |
---|---|---|
APIToken | List existing API tokens. | Create new API tokens or revoke existing tokens. |
Alert | View existing policy violations. | Resolve or edit policy violations. |
AllComments | N/A | Delete comments from other users. All users can edit and delete their own comments by default. To add and remove comments or tags, you need a role with |
AuthPlugin | View existing Authentication plug-ins. | Modify these configurations. (Local administrator only.) |
AuthProvider | View existing configurations for single sign-on. | Modify these configurations. |
BackupPlugins | View existing integrations with automated backup systems such as AWS S3. | Modify these configurations. |
CVE | Internal use only | Internal use only |
Cluster | View existing secured clusters. | Add new secured clusters and modify or delete existing clusters. |
Compliance | View compliance standards and results. | N/A |
ComplianceRunSchedule | View scheduled compliance runs. | Create, modify, or delete scheduled compliance runs. |
ComplianceRuns | View recent compliance runs and their completion status. | Trigger compliance runs. |
Config | View options for data retention, security notices, and other related configurations. | Modify these configurations. |
DebugLogs | View the current logging verbosity level in Red Hat Advanced Cluster Security for Kubernetes components. | Modify the logging level. |
Deployment | View deployments (workloads) in secured clusters. | N/A |
Detection | Check build-time policies against images or deployment YAML. | N/A |
Group | View the existing RBAC rules that match user metadata to Red Hat Advanced Cluster Security for Kubernetes roles. | Create, modify, or delete configured RBAC rules. |
Image | View images, their components, and their vulnerabilities. | N/A |
ImageComponent | Internal use only | Internal use only |
ImageIntegration | List existing image registry integrations. | Create, edit, or delete image registry integrations. |
ImbuedLogs | Internal use only | Internal use only |
Indicator | View process activity in deployments. | N/A |
K8sRole | View roles for Kubernetes role-based access control in secured clusters. | N/A |
K8sRoleBinding | View role bindings for Kubernetes role-based access control in secured clusters. | N/A |
K8sSubject | View users and groups for Kubernetes role-based access control in secured clusters. | N/A |
Licenses | View the status of the existing license for Red Hat Advanced Cluster Security for Kubernetes. | Upload a new license key. |
Namespace | View existing Kubernetes namespaces in secured clusters. | N/A |
NetworkGraph | View active and allowed network connections in secured clusters. | N/A |
NetworkPolicy | View existing network policies in secured clusters and simulate changes. | Apply network policy changes in secured clusters. |
Node | View existing Kubernetes nodes in secured clusters. | N/A |
Notifier | View existing integrations for notification systems like email, Jira, or webhooks. | Create, modify, or delete these integrations. |
Policy | View existing system policies. | Create, modify, or delete system policies. |
ProbeUpload | Read manifests for the uploaded probe files. | Upload support packages to Central. |
ProcessWhitelist | View process baselines. | Add or remove processes from baselines. |
Risk | View Risk results. | N/A |
Role | View existing Red Hat Advanced Cluster Security for Kubernetes RBAC roles and their permissions. | Add, modify, or delete roles and their permissions. |
ScannerBundle | Download the scanner bundle. | N/A |
ScannerDefinitions | List existing image scanner integrations. | Create, modify, or delete image scanner integrations. |
Secret | View metadata about secrets in secured clusters. | N/A |
SensorUpgradeConfig | Check the status of automatic upgrades. | Disable or enable automatic upgrades for secured clusters. |
ServiceAccount | List Kubernetes service accounts in secured clusters. | N/A |
ServiceIdentity | View metadata about Red Hat Advanced Cluster Security for Kubernetes service-to-service authentication. | Revoke or reissue service-to-service authentication credentials. |
User | View users that have accessed your Red Hat Advanced Cluster Security for Kubernetes instance, including the metadata that the authentication provider provides about them. | N/A |