46 changes: 45 additions & 1 deletion docs/08.integration/12.rancher_sso_rbac.md
Expand Up @@ -26,7 +26,51 @@ Below are supported role mappings for NeuVector Verbs, Resources, and API Groups

* Resources - Namespaced: AuditEvents, Authorization, Compliance, Events, Namespace, RegistryScan, RuntimePolicy, RuntimeScan, SecurityEvents and SystemConfig





#### Required API groups for Rancher SSO

In addition to `permission.neuvector.com`, include the appropriate NeuVector API groups based on your access requirements. For example, a `read-only` configuration requires:

* `read-only.neuvector.api.io`: Maps the user to the NeuVector reader role and enforces application-level access.
* `neuvector.com`: Provides access to NeuVector CRDs in Kubernetes. The UI uses this API group to retrieve resources such as `NvSecurityRule`, `NvGroupDefinition`, and `NvDlpSecurityRule`.

note:::
You must include `neuvector.com` in all configurations. If you omit it, the NeuVector UI cannot retrieve required resources and does not render correctly.
:::

To enable access through Rancher SSO, assign roles at both the cluster and project levels.

* Cluster-level requirements
* Assign the built-in Cluster Member role. This allows the Rancher UI extension to validate the cluster environment.
* Assign a cluster role (for example, `nv-ui-bridge`) with permissions for:
* services/proxy
* Navigation and UI access

Define a project role to control what users can view or modify within a project. The following example shows a `read-only` role. Modify verbs and API groups to match your access model.

```yaml
apiVersion: management.cattle.io/v3
kind: RoleTemplate
metadata:
name: nv-project-viewer
displayName: NeuVector Project Viewer
context: project
rules:
- apiGroups:
- read-only.neuvector.api.io
resources:
- '*'
verbs:
- get
- apiGroups:
- neuvector.com
resources:
- '*'
verbs:
- get
```

#### Resource Display and Logical Name Mapping Table

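Review bot: The admonition markup in this hunk is inverted: `note:::` should be `:::note`. Docusaurus opens an admonition with `:::` followed by the type and closes it with a bare `:::`, so as written the first line renders as literal text and the block is not shown as a callout, which drops the emphasis on the requirement that `neuvector.com` be present in every configuration. Also consider collapsing the four blank lines added before the `#### Required API groups for Rancher SSO` heading to a single one, matching the spacing used elsewhere in the file.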
Expand Up @@ -26,7 +26,50 @@ Below are supported role mappings for NeuVector Verbs, Resources, and API Groups

* Resources - Namespaced: AuditEvents, Authorization, Compliance, Events, Namespace, RegistryScan, RuntimePolicy, RuntimeScan, SecurityEvents and SystemConfig



#### Required API groups for Rancher SSO

In addition to `permission.neuvector.com`, include the appropriate NeuVector API groups based on your access requirements. For example, a `read-only` configuration requires:

* `read-only.neuvector.api.io`: Maps the user to the NeuVector reader role and enforces application-level access.
* `neuvector.com`: Provides access to NeuVector CRDs in Kubernetes. The UI uses this API group to retrieve resources such as `NvSecurityRule`, `NvGroupDefinition`, and `NvDlpSecurityRule`.

note:::
You must include `neuvector.com` in all configurations. If you omit it, the NeuVector UI cannot retrieve required resources and does not render correctly.
:::

To enable access through Rancher SSO, assign roles at both the cluster and project levels.

* Cluster-level requirements
* Assign the built-in Cluster Member role. This allows the Rancher UI extension to validate the cluster environment.
* Assign a cluster role (for example, `nv-ui-bridge`) with permissions for:
* services/proxy
* Navigation and UI access

Define a project role to control what users can view or modify within a project. The following example shows a `read-only` role. Modify verbs and API groups to match your access model.

```yaml
apiVersion: management.cattle.io/v3
kind: RoleTemplate
metadata:
name: nv-project-viewer
displayName: NeuVector Project Viewer
context: project
rules:
- apiGroups:
- read-only.neuvector.api.io
resources:
- '*'
verbs:
- get
- apiGroups:
- neuvector.com
resources:
- '*'
verbs:
- get
```


#### Resource Display and Logical Name Mapping Table

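Review bot: The cluster-level bullets under `nv-ui-bridge` do not say what the role actually grants: `services/proxy` is listed with no API group, verbs or `resourceNames`, and `Navigation and UI access` is not a Kubernetes resource at all. Spell the rule out (for example `apiGroups: [""]`, `resources: ["services/proxy"]`, and the verbs the extension needs) and restrict it with `resourceNames` to the NeuVector service, because an unscoped `services/proxy` rule in a cluster role lets the holder reach any Service in any namespace through the API server proxy, which is far more than the UI bridge requires. This copy also has the inverted `note:::` opener; it should read `:::note`.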
Expand Up @@ -15,7 +15,6 @@ In the Rancher console, Users & Authentication -> Role Templates page, customers
### Supported Custom NeuVector Role Mapping in Rancher SSO

Below are supported role mappings for NeuVector Verbs, Resources, and API Groups used on the Rancher UI -> Users & Authentication -> Role Template -> Create Global, Cluster or Project Role Template:

* APIGroup: permission.neuvector.com

* Verbs: get -> read-only(i.e. view)
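Review bot: This hunk only drops the blank line between the `Below are supported role mappings ...` paragraph and the `* APIGroup: permission.neuvector.com` list, and no corresponding change is shown for the other two copies of the document in this diff. If the tighter spacing is intentional, apply it consistently across all copies; otherwise leave the line in place so the change stays limited to the new Rancher SSO section.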
Expand All @@ -26,7 +25,48 @@ Below are supported role mappings for NeuVector Verbs, Resources, and API Groups

* Resources - Namespaced: AuditEvents, Authorization, Compliance, Events, Namespace, RegistryScan, RuntimePolicy, RuntimeScan, SecurityEvents and SystemConfig


#### Required API groups for Rancher SSO

In addition to `permission.neuvector.com`, include the appropriate NeuVector API groups based on your access requirements. For example, a `read-only` configuration requires:

* `read-only.neuvector.api.io`: Maps the user to the NeuVector reader role and enforces application-level access.
* `neuvector.com`: Provides access to NeuVector CRDs in Kubernetes. The UI uses this API group to retrieve resources such as `NvSecurityRule`, `NvGroupDefinition`, and `NvDlpSecurityRule`.

note:::
You must include `neuvector.com` in all configurations. If you omit it, the NeuVector UI cannot retrieve required resources and does not render correctly.
:::

To enable access through Rancher SSO, assign roles at both the cluster and project levels.

* Cluster-level requirements
* Assign the built-in Cluster Member role. This allows the Rancher UI extension to validate the cluster environment.
* Assign a cluster role (for example, `nv-ui-bridge`) with permissions for:
* services/proxy
* Navigation and UI access

Define a project role to control what users can view or modify within a project. The following example shows a `read-only` role. Modify verbs and API groups to match your access model.

```yaml
apiVersion: management.cattle.io/v3
kind: RoleTemplate
metadata:
name: nv-project-viewer
displayName: NeuVector Project Viewer
context: project
rules:
- apiGroups:
- read-only.neuvector.api.io
resources:
- '*'
verbs:
- get
- apiGroups:
- neuvector.com
resources:
- '*'
verbs:
- get
```

#### Resource Display and Logical Name Mapping Table

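Review bot: The `nv-project-viewer` example does not match the sentence that introduces it: the text says the listed API groups are needed "in addition to `permission.neuvector.com`", but the RoleTemplate carries rules only for `read-only.neuvector.api.io` and `neuvector.com`. Either add a `permission.neuvector.com` rule using the verbs and resources from the mapping list above, or reword the introduction so the example is complete as shown. Since the closing sentence invites readers to "modify verbs" while the `neuvector.com` rule uses `resources: ['*']`, it is worth adding that widening the verbs beyond `get` on that rule grants write access to every NeuVector CRD in the project, and that a write-capable role should enumerate the resources instead. The `note:::` opener in this copy should also be `:::note`.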