From 6321b326ffe4c3a159df4934ea534fa7f0ce9e11 Mon Sep 17 00:00:00 2001 From: hridyesh bisht Date: Tue, 5 May 2026 14:52:42 +0530 Subject: [PATCH] Updating Rancher Rbac permissions --- docs/08.integration/12.rancher_sso_rbac.md | 46 ++++++++++++++++++- .../08.integration/12.rancher_sso_rbac.md | 45 +++++++++++++++++- .../08.integration/12.rancher_sso_rbac.md | 44 +++++++++++++++++- 3 files changed, 131 insertions(+), 4 deletions(-) diff --git a/docs/08.integration/12.rancher_sso_rbac.md b/docs/08.integration/12.rancher_sso_rbac.md index 305b4134e..2ca5a435e 100644 --- a/docs/08.integration/12.rancher_sso_rbac.md +++ b/docs/08.integration/12.rancher_sso_rbac.md 
@@ -26,7 +26,51 @@ Below are supported role mappings for NeuVector Verbs, Resources, and API Groups * Resources - Namespaced: AuditEvents, Authorization, Compliance, Events, Namespace, RegistryScan, RuntimePolicy, RuntimeScan, SecurityEvents and SystemConfig - + + + +#### Required API groups for Rancher SSO + +In addition to `permission.neuvector.com`, include the appropriate NeuVector API groups based on your access requirements. For example, a `read-only` configuration requires: + +* `read-only.neuvector.api.io`: Maps the user to the NeuVector reader role and enforces application-level access. +* `neuvector.com`: Provides access to NeuVector CRDs in Kubernetes. The UI uses this API group to retrieve resources such as `NvSecurityRule`, `NvGroupDefinition`, and `NvDlpSecurityRule`. + +note::: +You must include `neuvector.com` in all configurations. If you omit it, the NeuVector UI cannot retrieve required resources and does not render correctly. +::: + +To enable access through Rancher SSO, assign roles at both the cluster and project levels. + +* Cluster-level requirements + * Assign the built-in Cluster Member role. This allows the Rancher UI extension to validate the cluster environment. +* Assign a cluster role (for example, `nv-ui-bridge`) with permissions for: + * services/proxy + * Navigation and UI access + +Define a project role to control what users can view or modify within a project. The following example shows a `read-only` role. Modify verbs and API groups to match your access model. + +```yaml +apiVersion: management.cattle.io/v3 +kind: RoleTemplate +metadata: + name: nv-project-viewer +displayName: NeuVector Project Viewer +context: project +rules: + - apiGroups: + - read-only.neuvector.api.io + resources: + - '*' + verbs: + - get + - apiGroups: + - neuvector.com + resources: + - '*' + verbs: + - get +``` #### Resource Display and Logical Name Mapping Table 
diff --git a/versioned_docs/version-5.4/08.integration/12.rancher_sso_rbac.md b/versioned_docs/version-5.4/08.integration/12.rancher_sso_rbac.md index 305b4134e..e28ccc157 100644 --- a/versioned_docs/version-5.4/08.integration/12.rancher_sso_rbac.md +++ b/versioned_docs/version-5.4/08.integration/12.rancher_sso_rbac.md 
@@ -26,7 +26,50 @@ Below are supported role mappings for NeuVector Verbs, Resources, and API Groups * Resources - Namespaced: AuditEvents, Authorization, Compliance, Events, Namespace, RegistryScan, RuntimePolicy, RuntimeScan, SecurityEvents and SystemConfig - + +#### Required API groups for Rancher SSO + +In addition to `permission.neuvector.com`, include the appropriate NeuVector API groups based on your access requirements. For example, a `read-only` configuration requires: + +* `read-only.neuvector.api.io`: Maps the user to the NeuVector reader role and enforces application-level access. +* `neuvector.com`: Provides access to NeuVector CRDs in Kubernetes. The UI uses this API group to retrieve resources such as `NvSecurityRule`, `NvGroupDefinition`, and `NvDlpSecurityRule`. + +note::: +You must include `neuvector.com` in all configurations. If you omit it, the NeuVector UI cannot retrieve required resources and does not render correctly. +::: + +To enable access through Rancher SSO, assign roles at both the cluster and project levels. + +* Cluster-level requirements + * Assign the built-in Cluster Member role. This allows the Rancher UI extension to validate the cluster environment. +* Assign a cluster role (for example, `nv-ui-bridge`) with permissions for: + * services/proxy + * Navigation and UI access + +Define a project role to control what users can view or modify within a project. The following example shows a `read-only` role. Modify verbs and API groups to match your access model. + +```yaml +apiVersion: management.cattle.io/v3 +kind: RoleTemplate +metadata: + name: nv-project-viewer +displayName: NeuVector Project Viewer +context: project +rules: + - apiGroups: + - read-only.neuvector.api.io + resources: + - '*' + verbs: + - get + - apiGroups: + - neuvector.com + resources: + - '*' + verbs: + - get +``` + #### Resource Display and Logical Name Mapping Table 
diff --git a/versioned_docs/version-5.5/08.integration/12.rancher_sso_rbac.md b/versioned_docs/version-5.5/08.integration/12.rancher_sso_rbac.md index 305b4134e..89fa7c26d 100644 --- a/versioned_docs/version-5.5/08.integration/12.rancher_sso_rbac.md +++ b/versioned_docs/version-5.5/08.integration/12.rancher_sso_rbac.md @@ -15,7 +15,6 @@ In the Rancher console, Users & Authentication -> Role Templates page, customers ### Supported Custom NeuVector Role Mapping in Rancher SSO Below are supported role mappings for NeuVector Verbs, Resources, and API Groups used on the Rancher UI -> Users & Authentication -> Role Template -> Create Global, Cluster or Project Role Template: - * APIGroup: permission.neuvector.com * Verbs: get -> read-only(i.e. view) 
@@ -26,7 +25,48 @@ Below are supported role mappings for NeuVector Verbs, Resources, and API Groups * Resources - Namespaced: AuditEvents, Authorization, Compliance, Events, Namespace, RegistryScan, RuntimePolicy, RuntimeScan, SecurityEvents and SystemConfig - +#### Required API groups for Rancher SSO + +In addition to `permission.neuvector.com`, include the appropriate NeuVector API groups based on your access requirements. For example, a `read-only` configuration requires: + +* `read-only.neuvector.api.io`: Maps the user to the NeuVector reader role and enforces application-level access. +* `neuvector.com`: Provides access to NeuVector CRDs in Kubernetes. The UI uses this API group to retrieve resources such as `NvSecurityRule`, `NvGroupDefinition`, and `NvDlpSecurityRule`. + +note::: +You must include `neuvector.com` in all configurations. If you omit it, the NeuVector UI cannot retrieve required resources and does not render correctly. +::: + +To enable access through Rancher SSO, assign roles at both the cluster and project levels. + +* Cluster-level requirements + * Assign the built-in Cluster Member role. This allows the Rancher UI extension to validate the cluster environment. +* Assign a cluster role (for example, `nv-ui-bridge`) with permissions for: + * services/proxy + * Navigation and UI access + +Define a project role to control what users can view or modify within a project. The following example shows a `read-only` role. Modify verbs and API groups to match your access model. + +```yaml +apiVersion: management.cattle.io/v3 +kind: RoleTemplate +metadata: + name: nv-project-viewer +displayName: NeuVector Project Viewer +context: project +rules: + - apiGroups: + - read-only.neuvector.api.io + resources: + - '*' + verbs: + - get + - apiGroups: + - neuvector.com + resources: + - '*' + verbs: + - get +``` #### Resource Display and Logical Name Mapping Table
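Review bot: In the docs/08.integration hunk (@@ -26,7 +26,51), the lead-in says a read-only configuration is needed "In addition to `permission.neuvector.com`", but the `nv-project-viewer` RoleTemplate that follows has no rule for that API group at all, only `read-only.neuvector.api.io` and `neuvector.com`. Either add a third rule (`apiGroups: [permission.neuvector.com]`, `verbs: [get]`, matching the "get -> read-only" mapping documented just above this hunk) or reword the lead-in so the example actually satisfies the requirement it states. Same hunk, formatting: three blank lines are added before `#### Required API groups for Rancher SSO` and none between the closing ``` and `#### Resource Display and Logical Name Mapping Table`; one blank line on each side would match the version-5.4 copy, and the differing insert counts in the diffstat (46/45/44) show the three copies have already drifted in whitespace only.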
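Review bot: In the version-5.4 hunk (@@ -26,7 +26,50), and identically in the other two copies, the admonition is written as `note:::` ... `:::`; Docusaurus (this repo has `versioned_docs/`) expects the opener `:::note` with the bare `:::` as the closer, so as written the block renders as the literal text "note:::" followed by an unstyled paragraph and the "You must include `neuvector.com`" warning loses its callout. Also in this hunk, the bullet "Assign a cluster role (for example, `nv-ui-bridge`)" is at the same level as "Cluster-level requirements" although it is itself a cluster-level requirement; nest it under that item. Its sub-bullet "Navigation and UI access" is not a Kubernetes resource or verb, so the reader cannot turn it into a rule; spell out the concrete apiGroup/resource/verb entries (as is done for `services/proxy`) or give the `nv-ui-bridge` RoleTemplate as YAML the way the project role is given.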
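Review bot: The version-5.5 hunk @@ -15,7 +15,6 removes only the blank line between "Below are supported role mappings ..." and "* APIGroup: permission.neuvector.com", a whitespace-only change unrelated to the new section and made in this copy only (docs/ and version-5.4 keep the blank). Some Markdown renderers need a blank line before a list that follows a paragraph, so this is safer to keep; either drop the change or apply the same layout to all three copies so the pages stay in step.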
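Review bot: In the version-5.5 hunk @@ -26,7 +25,48, the `neuvector.com` rule in `nv-project-viewer` grants only `get` on `'*'`, yet the text two paragraphs above says the UI uses this group to "retrieve resources such as `NvSecurityRule`, `NvGroupDefinition`, and `NvDlpSecurityRule`". Kubernetes RBAC treats `list` and `watch` as separate verbs from `get`, so if the extension enumerates those CRDs rather than fetching them by name the example as written will still leave the UI unable to render; please confirm the verbs the extension actually issues and document the minimal set, since readers are told to copy this block. Related documentation gap in the same hunk: "Assign the built-in Cluster Member role" is presented only as what lets the extension "validate the cluster environment", but that built-in role carries permissions well beyond NeuVector; in a section whose example is a read-only role, state what Cluster Member grants (or whether a narrower custom cluster role is acceptable) so the reader can judge the blast radius.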