Red Hat Advanced Cluster Security for Kubernetes provides ways to implement multi-tenancy within a Central instance.
You can implement multi-tenancy by using role-based access control (RBAC) and access scopes within RHACS.
RHACS defines resources that are used within RBAC. Besides carrying permissions, each resource also has a scope.
In RHACS, resources are scoped as the following types:
Global scope, where a resource is not assigned to any cluster or namespace
Cluster scope, where a resource is assigned to particular clusters
Namespace scope, where a resource is assigned to particular namespaces
The scope of resources is important when creating custom access scopes. Custom access scopes are used to create multi-tenancy within RHACS.
Only resources that are cluster or namespace scoped can be restricted by an access scope. Globally scoped resources are not affected by access scopes. Therefore, multi-tenancy within RHACS can only be achieved for resources that are scoped by cluster or namespace.
A common example for multi-tenancy within RHACS is associating users with a specific namespace and only allowing them access to their specific namespace.
The following example combines a custom permission set, access scope, and role. The user or group assigned with this role can only see CVE information, violations, and information about deployments in the particular namespace or cluster scoped to them.
In the RHACS portal, select Platform Configuration → Access Control.
Select Permission Sets.
Click Create permission set.
Enter a Name and Description for the permission set.
Select the following resources with the READ access level, and then click Save:
Alert: READ
Deployment: READ
DeploymentExtension: READ
Image: READ
K8sRole: READ
K8sRoleBinding: READ
K8sSubject: READ
NetworkGraph: READ
NetworkPolicy: READ
Secret: READ
ServiceAccount: READ
Select Access Scopes.
Click Create access scope.
Enter a Name and Description for the access scope.
In the Allowed resources section, select the namespace you want to use for scoping and click Save.
Select Roles.
Click Create role.
Enter a Name and Description for the role.
Select the previously created Permission Set and Access scope for the role and click Save.
Assign the role to your required user or group. See Assigning a role to a user or a group.
The RHACS dashboard options for users with the sample role are minimal compared to the options available to an administrator. Only the pages relevant to that role are visible to the user.
Achieving multi-tenancy within RHACS is not possible for resources with a global scope.
The following resources have a global scope:
Access
Administration
Detection
Integration
VulnerabilityManagementApprovals
VulnerabilityManagementRequests
WatchedImage
WorkflowAdministration
These resources are shared across all users within an RHACS Central instance and cannot be restricted by an access scope.
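As an added example (not part of the Red Hat documentation), the following Python builds the three objects from the procedure above as JSON payloads in the shape of Central's storage.PermissionSet, storage.SimpleAccessScope and storage.Role types, and adds a check that flags any granted resource from the global-scope list above, which no access scope can confine. The field names and the READ_ACCESS value reflect the RHACS API as I know it and should be treated as assumptions; the cluster, namespace and ID values are constructed placeholders.

```python
import json

# Resources the page lists as globally scoped: an access scope cannot restrict
# them, so granting them to a tenant role exposes that data across all tenants.
GLOBAL_SCOPE_RESOURCES = {
    "Access", "Administration", "Detection", "Integration",
    "VulnerabilityManagementApprovals", "VulnerabilityManagementRequests",
    "WatchedImage", "WorkflowAdministration",
}

# Resources from the procedure above; all of them get READ access.
TENANT_READ_RESOURCES = [
    "Alert", "Deployment", "DeploymentExtension", "Image", "K8sRole",
    "K8sRoleBinding", "K8sSubject", "NetworkGraph", "NetworkPolicy",
    "Secret", "ServiceAccount",
]


def build_permission_set(name, resources, access="READ_ACCESS"):
    """storage.PermissionSet payload (assumed shape): resource -> access level."""
    return {"name": name, "description": f"{name}: read-only tenant view",
            "resourceToAccess": {r: access for r in resources}}


def build_access_scope(name, cluster, namespace):
    """storage.SimpleAccessScope payload (assumed shape) limited to one namespace."""
    return {"name": name, "description": f"Scope to {cluster}/{namespace}",
            "rules": {"includedNamespaces": [
                {"clusterName": cluster, "namespaceName": namespace}]}}


def build_role(name, permission_set_id, access_scope_id):
    """storage.Role payload (assumed shape); IDs come from Central's create responses."""
    return {"name": name, "description": f"Tenant role {name}",
            "permissionSetId": permission_set_id, "accessScopeId": access_scope_id}


def unscoped_grants(permission_set):
    """Return granted resources that an access scope cannot confine (global scope)."""
    granted = {r for r, a in permission_set["resourceToAccess"].items() if a != "NO_ACCESS"}
    return sorted(granted & GLOBAL_SCOPE_RESOURCES)


if __name__ == "__main__":
    ps = build_permission_set("team-a-readonly", TENANT_READ_RESOURCES)
    scope = build_access_scope("team-a-ns", "production", "team-a")  # constructed names
    role = build_role("team-a-viewer", "PERMISSION_SET_ID", "ACCESS_SCOPE_ID")  # placeholders
    for payload in (ps, scope, role):
        print(json.dumps(payload, indent=2))
    print("global-scope leaks:", unscoped_grants(ps))  # [] for the page's resource list
    leaky = build_permission_set("too-broad", TENANT_READ_RESOURCES + ["Integration"])
    print("global-scope leaks:", unscoped_grants(leaky))  # ['Integration']
```

Run the check against any permission set you intend to pair with a namespace access scope; a non-empty result means the role still reads shared, Central-wide data.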