Merge pull request #191 from jamescarppe/master

Added K8s Roles and Bindings advanced documentation
pull/193/head
samdulam 2021-08-03 12:08:46 +12:00 committed by GitHub
commit 3618e62ef2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 124 additions and 6 deletions

View File

@ -0,0 +1,111 @@
# Kubernetes: Roles and Bindings
## Portainer and Kubernetes
When managing a Kubernetes environment with Portainer, the Role-Based Access Control (RBAC) configuration is based on two components:
* Kubernetes' cluster roles and namespace roles (which restrict access to Kubernetes itself)
* Portainer's authorization flags (which [restrict access](#portainer-access-restrictions) to Portainer's functionality)
The following tables provide a reference for how our Portainer roles map to capabilities within Kubernetes.
## Role Allocations
| Portainer Role | Cluster Role Binding | Namespace Role Binding |
| -------------- | ------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------- |
| Endpoint Admin | cluster-admin (k8s system) | N/A |
| Operator | [portainer-operator](#portainer-operator), [portainer-helpdesk](#portainer-helpdesk) | [portainer-view](#portainer-view) (all non-system namespaces) |
| User | [portainer-basic](#portainer-basic) | [portainer-edit](#portainer-edit), [portainer-view](#portainer-view) (only assigned namespaces) |
| Help desk | [portainer-helpdesk](#portainer-helpdesk) | [portainer-view](#portainer-view) (all non-system namespaces) |
| Read-Only | [portainer-basic](#portainer-basic) | [portainer-view](#portainer-view) (only assigned namespaces) |
## Cluster Roles
<a name="portainer-basic"></a>
### portainer-basic
| API Group | Resources | Verbs |
| ----------------- | ----------------- | ----- |
| (Empty) | namespaces, nodes | list |
| storage.k8s.io | storageclasses | list |
| networking.k8s.io | ingresses | list |
<a name="portainer-helpdesk"></a>
### portainer-helpdesk
| API Group | Resources | Verbs |
| ----------------- | ------------------------------------------------------- | ----------------- |
| (Empty) | componentstatuses, endpoints, events, namespaces, nodes | get, list, watch |
| storage.k8s.io | storageclasses | get, list, watch |
| networking.k8s.io | ingresses | get, list, watch |
<a name="portainer-operator"></a>
### portainer-operator
| API Group | Resources | Verbs |
| --------- | ------------------- | ------ |
| (Empty) | configmaps, secrets | update |
| (Empty) | pods | delete |
| apps | deployments | patch |
## Namespace Roles
<a name="portainer-edit"></a>
### portainer-edit
| API Group | Resources | Verbs |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- |
| (Empty) | configmaps, endpoints, persistentvolumeclaims, pods, pods/attach, pods/exec, pods/portforward, pods/proxy, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy | create, delete, deletecollection, patch, update |
| (Empty) | pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy | get, list, watch |
| apps | daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale | create, delete, deletecollection, patch, update |
| autoscaling | horizontalpodautoscalers | create, delete, deletecollection, patch, update |
| batch | cronjobs, jobs | create, delete, deletecollection, patch, update |
| extensions | daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale | create, delete, deletecollection, patch, update |
| networking.k8s.io | ingresses, networkpolicies | create, delete, deletecollection, patch, update |
| policy | poddisruptionbudgets | create, delete, deletecollection, patch, update |
<a name="portainer-view"></a>
### portainer-view
| API Group | Resources | Verbs |
| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
| (Empty) | bindings, componentstatuses, configmaps, endpoints, events, limitranges, namespaces, namespaces/status, persistentvolumeclaims, persistentvolumeclaims/status, pods, pods/log, pods/status, replicationcontrollers, replicationcontrollers/scale, replicationcontrollers/status, resourcequotas, resourcequotas/status, secrets, serviceaccounts, services, services/status | get, list, watch |
| apps | controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status | get, list, watch |
| autoscaling | horizontalpodautoscalers, horizontalpodautoscalers/status | get, list, watch |
| batch | cronjobs, cronjobs/status, jobs, jobs/status | get, list, watch |
| extensions | daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale | get, list, watch |
| networking.k8s.io | ingresses, ingresses/status, networkpolicies | get, list, watch |
| policy | poddisruptionbudgets, poddisruptionbudgets/status | get, list, watch |
<a name="portainer-access-restrictions"></a>
## Portainer Access Restrictions
| | Endpoint admin | Operator | Helpdesk | Standard User | Read-only User |
| -------------------------------- | -------------- | ------------------ | ------------------ | ------------------ | ------------------ |
| Namespace Scope | All | All, EXCEPT System | All, EXCEPT System | Default + Assigned | Default + Assigned |
| Resource Pools | RW | R | R | R | R |
| Resource Pool Details | RW | R | R | R | R |
| Resource Pool Access Management | RW | | | | |
| Applications | RW | R | R | RW | R |
| Application Details | RW | R | R | RW | R |
| Pod Delete | Yes | Yes | | | |
| Application Console | RW | RW | | | |
| Advanced Deployment | RW | | | RW | |
| Configurations | RW | R | R | RW | R |
| Configuration Details | RW | RW | R | RW | R |
| Volumes | RW | R | R | RW | R |
| Volume Details | RW | R | R | RW | R |
| Cluster | RW | R | R | | |
| Cluster Node View | RW | R | R | | |
| Cluster Setup | RW | | | | |
| Application Error Details | R | R | R | | |
| Storage Class Disabled | R | R | R | | |
<br>
## :material-note-text: Notes
[Contribute to these docs](https://github.com/portainer/portainer-docs/blob/master/contributing.md){target=_blank}
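Review bot: the Role Allocations table binds portainer-operator as a *cluster* role binding, and that role grants `update` on configmaps and secrets, `delete` on pods and `patch` on deployments; through a ClusterRoleBinding those verbs apply in every namespace at the Kubernetes API level, including system namespaces, whereas the Portainer Access Restrictions table lists the Operator's namespace scope as "All, EXCEPT System". Please state explicitly that the system-namespace exclusion is enforced by Portainer's authorization flags rather than by the Kubernetes binding (or, if the binding is scoped some other way, document how), so readers do not assume Kubernetes RBAC alone keeps an Operator away from kube-system secrets. Minor: "(Empty)" in the API Group column would be clearer if the tables said this is the core API group (written as `""` in a Role or ClusterRole manifest), and "cluster-admin (k8s system)" could say it is the Kubernetes built-in cluster-admin ClusterRole.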

View File

@ -23,17 +23,23 @@ Portainer Business come with Role-Based Access Control features that refines the
There are several types of roles:
* Endpoint Administrator: has complete control over the resources deployed within a given endpoint, but is not able to make any changes to the infrastructure that underpins an endpoint (i.e. no host management), nor are they able to make any changes to Portainer internal settings.
* <b>Endpoint Administrator</b> has complete control over the resources deployed within a given endpoint, but is not able to make any changes to the infrastructure that underpins an endpoint (i.e. no host management), nor are they able to make any changes to Portainer internal settings.
* Operator: has operational control over the resources deployed within a given endpoint. Operator is able to Update/Re-deploy/Start/Stop Containers/Services, check logs and console into containers but is not able to create any resources.
* <b>Operator</b> has operational control over the resources deployed within a given endpoint. Operator is able to Update/Re-deploy/Start/Stop Containers/Services, check logs and console into containers but is not able to create any resources.
* Helpdesk: has read-only access over the resources deployed within a given endpoint but is not able to make any changes to any resource, nor open a console to a container, or make changes to a containers volumes.
* <b>Helpdesk</b> has read-only access over the resources deployed within a given endpoint but is not able to make any changes to any resource, nor open a console to a container, or make changes to a containers volumes.
* Standard User: has complete control over the resources that a user deploys, or if the user is a member of a team, complete control over the resources that users of that team deploy.
* <b>Standard User</b> has complete control over the resources that a user deploys, or if the user is a member of a team, complete control over the resources that users of that team deploy.
* Read-Only User: has read-only access over the resources they are entitled to see (resources created by members of their team, and public resources).
* <b>Read-Only User</b> has read-only access over the resources they are entitled to see (resources created by members of their team, and public resources).
* The Administrator role sits outside of these four roles, and effectively acts as a “Global Admin”. A user assigned this role has complete control over Portainer settings, and all resources on every endpoint under Portainer control.
The <b>Administrator</b> role sits outside of these four roles, and effectively acts as a “Global Admin”. A user assigned this role has complete control over Portainer settings, and all resources on every endpoint under Portainer control.
## Docker vs Kubernetes
As Docker does not natively provide role-based access control, Portainer implements our own role management to provide this functionality. On a Kubernetes environment, we leverage the RBAC functionality built into Kubernetes alongside our own role management to provide security and flexibility to roles and access.
For more advanced details on how we map Portainer roles to Kubernetes roles, refer to our [Roles and Bindings](/v2.0-be/users/k8s-roles/) documentation.
<br>
## :material-note-text: Notes
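Review bot: since every bullet is being rewritten here, the typo in the Helpdesk item ("make changes to a containers volumes") should be fixed at the same time to "a container's volumes"; it survives unchanged in the new lines. Style: the role names are switched to raw `<b>` tags, where the Markdown form `**Endpoint Administrator**` would be easier to maintain and consistent with the rest of the docs. Also, the Administrator sentence loses its leading `*`, which matches its wording ("sits outside of these four roles"), but without a blank line between the last bullet and that sentence CommonMark renderers treat it as a lazy continuation of the Read-Only User item rather than a separate paragraph; add the blank line. The new link `/v2.0-be/users/k8s-roles/` is a site-absolute URL while the nav change in this same PR references `v2.0-be/users/k8s-roles.md`; a relative `.md` link (`k8s-roles.md`) lets mkdocs validate the target at build time.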

View File

@ -98,6 +98,7 @@ nav:
- 'Add a User to a Team' : 'v2.0-be/users/user-team.md'
- 'Reset User Password' : 'v2.0-be/users/reset-user.md'
- 'Reset Administrator Password' : 'v2.0-be/users/reset-admin.md'
- 'K8s: Roles and Bindings' : 'v2.0-be/users/k8s-roles.md'
- Registries:
- 'Registry Management Overview' : 'v2.0-be/registries/description.md'
- 'Connect to a Registry' : 'v2.0-be/registries/connect.md'
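Review bot: the new nav label "K8s: Roles and Bindings" does not match the H1 of the page it points to ("Kubernetes: Roles and Bindings"); use the same wording in both places so the sidebar entry and the page title agree. The quotes around the key are required because of the colon, so keep them as written.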