Add RBAC enhancement documentation to NeuVector integration docs. #4280
Conversation
Co-authored-by: Jen Travinski <[email protected]>
Co-authored-by: Jen Travinski <[email protected]> Co-authored-by: Billy Tat <[email protected]>
|
|
||
| This article is intended for users who need to provide access to the NeuVector app deployed via the Rancher app catalog with the Rancher chart. This will not work on deployments using the partner chart. | ||
|
|
||
| By default, a Rancher cluster admin and a global admin will automatically be mapped to be global admins within NeuVector. In order to map other personas, some access will need to be provided to the Rancher user/group depending on the desired access within NeuVector. Please note that adding the below permissions will not provide access to any Kubernetes resources beyond what is already given by existing Rancher roles, with one exception: the NeuVector service proxy. |
There was a problem hiding this comment.
Please note that adding the below permissions will not provide access to any Kubernetes resources beyond what is already given by existing Rancher roles, with one exception: the NeuVector service proxy.
I still don't think this is accurate. If I'm a project member who only has access to my single custom project, and then you give me NV admin permissions, I can now see many things I couldn't see before. I just have to click on Network activity and now I have indirect GET/LIST access on all sorts of things: cattle-cluster-agent, fleet-agent, node information, ingress information, traffic flow between them etc... I don't have the raw k8s RBAC to get that info directly from the API server, but I've just used the NV service-account to proxy that information for me. Once you get into policy stuff you can go beyond Get/List and into Create/Update.
| @@ -181,8 +181,6 @@ kubectl patch cronjob neuvector-updater-pod -n cattle-neuvector-system --patch ' | |||
|
|
|||
| ### Support Limitations | |||
|
|
|||
| * Only admins and cluster owners are currently supported. | |||
There was a problem hiding this comment.
Even with below solution I think this part is accurate. We don't support 1:1 mapping of project-members, project-owners, or cluster-members.
|
@horantj we[rancherqa] haven't validated this. could you link any ticket if we have for these tests? |
Per customer request, we have documented the necessary permissions within Rancher that will enable users to log in to NeuVector using the ranchersso functionality.
This has been tested at project and cluster level, using built in users and github groups.