Managing RBAC in Red Hat Advanced Cluster Security for Kubernetes - Managing user access | Operating | Red Hat Advanced Cluster Security for Kubernetes 4.4

System roles
System permission sets
- Viewing the permissions for a system permission set
- Creating a custom permission set
System access scopes
- Viewing the details for a system access scope
- Creating a custom access scope
Resource definitions
Declarative configuration for authentication and authorization resources

Red Hat Advanced Cluster Security for Kubernetes (RHACS) comes with role-based access control (RBAC) that you can use to configure roles and grant various levels of access to Red Hat Advanced Cluster Security for Kubernetes for different users.

Beginning with version 3.63, RHACS includes a scoped access control feature that enables you to configure fine-grained and specific sets of permissions that define how a given RHACS user or a group of users can interact with RHACS, which resources they can access, and which actions they can perform.

Roles are a collection of permission sets and access scopes. You can assign roles to users and groups by specifying rules. You can configure these rules when you configure an authentication provider. There are two types of roles in Red Hat Advanced Cluster Security for Kubernetes:

System roles that are created by Red Hat and cannot be changed.

Custom roles, which Red Hat Advanced Cluster Security for Kubernetes administrators can create and change at any time.

If you assign multiple roles for a user, they get access to the combined permissions of the assigned roles.
If you have users assigned to a custom role, and you delete that role, all associated users transfer to the minimum access role that you have configured.

Permission sets are a set of permissions that define what actions a role can perform on a given resource. Resources are the functionalities of Red Hat Advanced Cluster Security for Kubernetes for which you can set view (read) and modify (write) permissions. There are two types of permission sets in Red Hat Advanced Cluster Security for Kubernetes:
- System permission sets, which are created by Red Hat and cannot be changed.
- Custom permission sets, which Red Hat Advanced Cluster Security for Kubernetes administrators can create and change at any time.
Access scopes are a set of Kubernetes and OpenShift Container Platform resources that users can access. For example, you can define an access scope that only allows users to access information about pods in a given project. There are two types of access scopes in Red Hat Advanced Cluster Security for Kubernetes:
- System access scopes, which are created by Red Hat and cannot be changed.
- Custom access scopes, which Red Hat Advanced Cluster Security for Kubernetes administrators can create and change at any time.

System roles

Red Hat Advanced Cluster Security for Kubernetes (RHACS) includes some default system roles that you can apply to users when you create rules. You can also create custom roles as required.

System role	Description
Admin	This role is targeted for administrators. Use it to provide read and write access to all resources.
Analyst	This role is targeted for a user who cannot make any changes, but can view everything. Use it to provide read-only access for all resources.
Continuous Integration	This role is targeted for CI (continuous integration) systems and includes the permission set required to enforce deployment policies.
Network Graph Viewer	This role is targeted for users who need to view the network graph.
None	This role has no read and write access to any resource. You can set this role as the minimum access role for all users.
Sensor Creator	RHACS uses this role to automate new cluster setups. It includes the permission set to create Sensors in secured clusters.
Vulnerability Management Approver	This role allows you to provide access to approve vulnerability deferrals or false positive requests.
Vulnerability Management Requester	This role allows you to provide access to request vulnerability deferrals or false positives.
Vulnerability Report Creator	This role allows you to create and manage vulnerability reporting configurations for scheduled vulnerability reports.

System role

Description

Admin

This role is targeted for administrators. Use it to provide read and write access to all resources.

Analyst

This role is targeted for a user who cannot make any changes, but can view everything. Use it to provide read-only access for all resources.

Continuous Integration

This role is targeted for CI (continuous integration) systems and includes the permission set required to enforce deployment policies.

Network Graph Viewer

This role is targeted for users who need to view the network graph.

None

This role has no read and write access to any resource. You can set this role as the minimum access role for all users.

Sensor Creator

RHACS uses this role to automate new cluster setups. It includes the permission set to create Sensors in secured clusters.

Vulnerability Management Approver

This role allows you to provide access to approve vulnerability deferrals or false positive requests.

Vulnerability Management Requester

This role allows you to provide access to request vulnerability deferrals or false positives.

Vulnerability Report Creator

This role allows you to create and manage vulnerability reporting configurations for scheduled vulnerability reports.

Viewing the permission set and access scope for a system role

You can view the permission set and access scope for the default system roles.

Procedure

In the RHACS portal, go to Platform Configuration → Access control.
Select Roles.
Click on one of the roles to view its details. The details page shows the permission set and access scope for the slected role.

You cannot modify permission set and access scope for the default system roles.

Creating a custom role

You can create new roles from the Access Control view.

Prerequisites

You must have the Admin role, or a role with the permission set with read and write permissions for the AuthProvider and Role resources to create, modify, and delete custom roles.
You must create a permissions set and an access scope for the custom role before creating the role.

Procedure

In the RHACS portal, go to Platform Configuration → Access Control.
Select Roles.
Click Create role.
Enter a Name and Description for the new role.
Select a Permission set for the role.
Select an Access scope for the role.
Click Save.

Additional resources

Assigning a role to a user or a group

You can use the RHACS portal to assign roles to a user or a group.

Procedure

In the RHACS portal, go to Platform Configuration → Access Control.
From the list of authentication providers, select the authentication provider.
Click Edit minimum role and rules.
Under the Rules section, click Add new rule.
For Key, select one of the values from userid, name, email or group.
For Value, enter the value of the user ID, name, email address or group based on the key you selected.
Click the Role drop-down menu and select the role you want to assign.
Click Save.

You can repeat these instructions for each user or group and assign different roles.

System permission sets

Red Hat Advanced Cluster Security for Kubernetes includes some default system permission sets that you can apply to roles. You can also create custom permission sets as required.

Permission set	Description
Admin	Provides read and write access to all resources.
Analyst	Provides read-only access for all resources.
Continuous Integration	This permission set is targeted for CI (continuous integration) systems and includes the permissions required to enforce deployment policies.
Network Graph Viewer	Provides the minimum permissions to view network graphs.
None	No read and write permissions are allowed for any resource.
Sensor Creator	Provides permissions for resources that are required to create Sensors in secured clusters.

Permission set

Description

Admin

Provides read and write access to all resources.

Analyst

Provides read-only access for all resources.

Continuous Integration

This permission set is targeted for CI (continuous integration) systems and includes the permissions required to enforce deployment policies.

Network Graph Viewer

Provides the minimum permissions to view network graphs.

None

No read and write permissions are allowed for any resource.

Sensor Creator

Provides permissions for resources that are required to create Sensors in secured clusters.

Viewing the permissions for a system permission set

You can view the permissions for a system permission set in the RHACS portal.

Procedure

In the RHACS portal, go to Platform Configuration → Access control.
Select Permission sets.
Click on one of the permission sets to view its details. The details page shows a list of resources and their permissions for the selected permission set.

You cannot modify permissions for a system permission set.

Creating a custom permission set

You can create new permission sets from the Access Control view.

Prerequisites

You must have the Admin role, or a role with the permission set with read and write permissions for the AuthProvider and Role resources to create, modify, and delete permission sets.

Procedure

In the RHACS portal, go to Platform Configuration → Access Control.
Select Permission sets.
Click Create permission set.
Enter a Name and Description for the new permission set.

For each resource, under the Access level column, select one of the permissions from No access, Read access, or Read and Write access.

If you are configuring a permission set for users, you must grant read-only permissions for the following resources:
- Alert
- Cluster
- Deployment
- Image
- NetworkPolicy
- NetworkGraph
- WorkflowAdministration
- Secret
These permissions are preselected when you create a new permission set.
If you do not grant these permissions, users will experience issues with viewing pages in the RHACS portal.

Click Save.

System access scopes

Red Hat Advanced Cluster Security for Kubernetes includes some default system access scopes that you can apply on roles. You can also create custom access scopes as required.

Acces scope	Description
Unrestricted	Provides access to all clusters and namespaces that Red Hat Advanced Cluster Security for Kubernetes monitors.
Deny All	Provides no access to any Kubernetes and OpenShift Container Platform resources.

Acces scope

Description

Unrestricted

Provides access to all clusters and namespaces that Red Hat Advanced Cluster Security for Kubernetes monitors.

Deny All

Provides no access to any Kubernetes and OpenShift Container Platform resources.

Viewing the details for a system access scope

You can view the Kubernetes and OpenShift Container Platform resources that are allowed and not allowed for an access scope in the RHACS portal.

Procedure

In the RHACS portal, go to Platform Configuration → Access control.
Select Access scopes.
Click on one of the access scopes to view its details. The details page shows a list of clusters and namespaces, and which ones are allowed for the selected access scope.

You cannot modify allowed resources for a system access scope.

Creating a custom access scope

You can create new access scopes from the Access Control view.

Prerequisites

You must have the Admin role, or a role with the permission set with read and write permissions for the AuthProvider and Role resources to create, modify, and delete permission sets.

Procedure

In the RHACS portal, go to Platform Configuration → Access control.
Select Access scopes.
Click Create access scope.
Enter a Name and Description for the new access scope.

Under the Allowed resources section:

Use the Cluster filter and Namespace filter fields to filter the list of clusters and namespaces visible in the list.
Expand the Cluster name to see the list of namespaces in that cluster.

To allow access to all namespaces in a cluster, toggle the switch in the Manual selection column.

Access to a specific cluster provides users with access to the following resources within the scope of the cluster:

OpenShift Container Platform or Kubernetes cluster metadata and security information
Compliance information for authorized clusters
Node metadata and security information
Access to all namespaces in that cluster and their associated security information

To allow access to a namespace, toggle the switch in the Manual selection column for a namespace.

Access to a specific namespace gives access to the following information within the scope of the namespace:

Alerts and violations for deployments
Vulnerability data for images
Deployment metadata and security information
Role and user information
Network graph, policy, and baseline information for deployments
Process information and process baseline configuration
Prioritized risk information for each deployment

If you want to allow access to clusters and namespaces based on labels, click Add label selector under the Label selection rules section. Then click Add rule to specify Key and Value pairs for the label selector. You can specify labels for clusters and namespaces.
Click Save.

Resource definitions

Red Hat Advanced Cluster Security for Kubernetes includes many resources. The following table lists the Red Hat Advanced Cluster Security for Kubernetes resources and describes the actions that users can perform with the read or write permission.

To prevent privilege escalation, when you create a new token, your role’s permissions limit the permission you can assign to that token. For example, if you only have read permission for the Integration resource, you cannot create a token with write permission.
If you want a custom role to create tokens for other users to use, you must assign the required permissions to that custom role.
Use short-lived tokens for machine-to-machine communication, such as CI/CD pipelines, scripts, and other automation. Also, use the roxctl central login command for human-to-machine communication, such as roxctl CLI or API access.

Resource	Read permission	Write permission
Access	View configurations for single sign-on (SSO) and role-based access control (RBAC) rules that match user metadata to Red Hat Advanced Cluster Security for Kubernetes roles and users that have accessed your Red Hat Advanced Cluster Security for Kubernetes instance, including the metadata that the authentication providers give about them.	Create, modify, or delete SSO configurations and configured RBAC rules.
Administration	View the following items: Options for data retention, security notices and other related configurations The current logging verbosity level in Red Hat Advanced Cluster Security for Kubernetes components Manifest content for the uploaded probe files Existing image scanner integrations The status of automatic upgrades Metadata about Red Hat Advanced Cluster Security for Kubernetes service-to-service authentication The content of the scanner bundle (download)	Edit the following items: Data retention, security notices, and related configurations The logging level Support packages in Central (upload) Image scanner integrations (create/modify/delete) Automatic upgrades for secured clusters (enable/disable) Service-to-service authentication credentials (revoke/re-issue)
Alert	View existing policy violations.	Resolve or edit policy violations.
CVE	Internal use only	Internal use only
Cluster	View existing secured clusters.	Add new secured clusters and modify or delete existing clusters.
Compliance	View compliance standards and results, recent compliance runs, and the associated completion status.	Trigger compliance runs.
Deployment	View deployments (workloads) in secured clusters.	N/A
DeploymentExtension	View the following items: Process baselines Process activity in deployments Risk results	Modify the following items: Process baselines (add or remove processes)
Detection	Check build-time policies against images or deployment YAML.	N/A
Image	View images, their components, and their vulnerabilities.	N/A
Integration	View integrations and their configuration, including backup, registry, image signature, notification systems, and API tokens.	Add, modify, and delete integrations and their configurations, and API tokens.
K8sRole	View roles for Kubernetes RBAC in secured clusters.	N/A
K8sRoleBinding	View role bindings for Kubernetes RBAC in secured clusters.	N/A
K8sSubject	View users and groups for Kubernetes RBAC in secured clusters.	N/A
Namespace	View existing Kubernetes namespaces in secured clusters.	N/A
NetworkGraph	View active and allowed network connections in secured clusters.	N/A
NetworkPolicy	View existing network policies in secured clusters and simulate changes.	Apply network policy changes in secured clusters.
Node	View existing Kubernetes nodes in secured clusters.	N/A
WorkflowAdministration	View all resource collections.	Add, modify, or delete resource collections.
Role	View existing Red Hat Advanced Cluster Security for Kubernetes RBAC roles and their permissions.	Add, modify, or delete roles and their permissions.
Secret	View metadata about secrets in secured clusters.	N/A
ServiceAccount	List Kubernetes service accounts in secured clusters.	N/A
VulnerabilityManagementApprovals	View all pending deferral or false positive requests for vulnerabilities.	Approve or deny any pending deferral or false positive requests and move any previously approved requests back to observed.
VulnerabilityManagementRequests	View all pending deferral or false positive requests for vulnerabilities.	Request a deferral on a vulnerability, mark it as a false positive, or move a pending or previously approved request made by the same user back to observed.
WatchedImage	View undeployed and monitored watched images.	Configure watched images.
WorkflowAdministration	View all resource collections.	Create, modify, or delete resource collections.

Resource

Read permission

Write permission

Access

View configurations for single sign-on (SSO) and role-based access control (RBAC) rules that match user metadata to Red Hat Advanced Cluster Security for Kubernetes roles and users that have accessed your Red Hat Advanced Cluster Security for Kubernetes instance, including the metadata that the authentication providers give about them.

Create, modify, or delete SSO configurations and configured RBAC rules.

Administration

View the following items:

Options for data retention, security notices and other related configurations
The current logging verbosity level in Red Hat Advanced Cluster Security for Kubernetes components
Manifest content for the uploaded probe files
Existing image scanner integrations
The status of automatic upgrades
Metadata about Red Hat Advanced Cluster Security for Kubernetes service-to-service authentication
The content of the scanner bundle (download)

Edit the following items:

Data retention, security notices, and related configurations
The logging level
Support packages in Central (upload)
Image scanner integrations (create/modify/delete)
Automatic upgrades for secured clusters (enable/disable)
Service-to-service authentication credentials (revoke/re-issue)

Alert

View existing policy violations.

Resolve or edit policy violations.

CVE

Internal use only

Cluster

View existing secured clusters.

Add new secured clusters and modify or delete existing clusters.

Compliance

View compliance standards and results, recent compliance runs, and the associated completion status.

Trigger compliance runs.

Deployment

View deployments (workloads) in secured clusters.

N/A

DeploymentExtension

View the following items:

Process baselines
Process activity in deployments
Risk results

Modify the following items:

Process baselines (add or remove processes)

Detection

Check build-time policies against images or deployment YAML.

N/A

Image

View images, their components, and their vulnerabilities.

N/A

Integration

View integrations and their configuration, including backup, registry, image signature, notification systems, and API tokens.

Add, modify, and delete integrations and their configurations, and API tokens.

K8sRole

View roles for Kubernetes RBAC in secured clusters.

N/A

K8sRoleBinding

View role bindings for Kubernetes RBAC in secured clusters.

N/A

K8sSubject

View users and groups for Kubernetes RBAC in secured clusters.

N/A

Namespace

View existing Kubernetes namespaces in secured clusters.

N/A

NetworkGraph

View active and allowed network connections in secured clusters.

N/A

NetworkPolicy

View existing network policies in secured clusters and simulate changes.

Apply network policy changes in secured clusters.

Node

View existing Kubernetes nodes in secured clusters.

N/A

WorkflowAdministration

View all resource collections.

Add, modify, or delete resource collections.

Role

View existing Red Hat Advanced Cluster Security for Kubernetes RBAC roles and their permissions.

Add, modify, or delete roles and their permissions.

Secret

View metadata about secrets in secured clusters.

N/A

ServiceAccount

List Kubernetes service accounts in secured clusters.

N/A

VulnerabilityManagementApprovals

View all pending deferral or false positive requests for vulnerabilities.

Approve or deny any pending deferral or false positive requests and move any previously approved requests back to observed.

VulnerabilityManagementRequests

View all pending deferral or false positive requests for vulnerabilities.

Request a deferral on a vulnerability, mark it as a false positive, or move a pending or previously approved request made by the same user back to observed.

WatchedImage

View undeployed and monitored watched images.

Configure watched images.

WorkflowAdministration

View all resource collections.

Create, modify, or delete resource collections.

Declarative configuration for authentication and authorization resources

You can use declarative configuration for authentication and authorization resources such as authentication providers, roles, permission sets, and access scopes. For instructions on how to use declarative configuration, see "Using declarative configuration" in the "Additional resources" section.

Additional resources

Using declarative configuration