  1. Red Hat Advanced Cluster Management
  2. ACM-19799

ACM 2.14 Doc TP Fine Grained RBAC (Met with team, gathering info 6/1)


      Note: Doc team updates the current version of the documentation and the
      two previous versions (n-2), but we address *only high-priority, or
      customer-reported issues* for -2 releases in support.
      Describe the changes in the doc and link to your dev story:

      1. - [ ] Mandatory: Add the required version to the Fix version/s field.

      2. - [ ] Mandatory: Choose the type of documentation change or review.

      • [ ] We need to update an existing topic
      • [X] We need to add a new document to an existing section
      • [ ] We need a whole new section; this is a function not
        documented before and doesn't belong in any current section
      • [ ] We need an Operator Advisory review and approval
      • [ ] We need a z-Stream (Errata) Advisory and Release note for
        MCE and/or ACM

      3. - [ ] Mandatory: Find the link to where the documentation update
      should go and add it to the recommended changes. You can either use the
      published doc or the staged repo for this step:

      Note: As the feature and doc are understood, this recommendation may
      change. If this is new documentation, link to the section where you think
      it should be placed.

      Customer Portal published version

      OCP resource: https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/virtualization/about
      ACM Virt doc: https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/virtualization/acm-virt

      ACM RBAC doc: https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/secure_clusters/index

      emingora, using the links above, please help draft the documents that we need to add to 2.14. You can also look at the source. We need section 4 filled out as much as possible.

      Doc staged repo within the ACM Workspace:

      https://github.com/stolostron/rhacm-docs/blob/2.14_stage/secure_cluster/securing_cluster_intro.adoc

      https://github.com/stolostron/rhacm-docs/blob/2.14_stage/virtualization/virtualization_intro.adoc

      4. - [ ] Mandatory for GA content:

      • [ ] Add steps, the diff, known issue, and/or other important
        conceptual information in the following space:

      Prerequisites

      • In the MCH CR, under spec.overrides.components, fine-grained-rbac-preview needs to be enabled (set to true) to turn on the feature.
      • In the MCH CR, under spec.overrides.components, search needs to be enabled in order to leverage its functionality to retrieve the list of namespaces of managed clusters that can represent virtual machines that are to be used for access control.
      • On the hub cluster, ClusterRoles need to be labeled with rbac.open-cluster-management.io/filter=vm-clusterroles in order to appear and be added in the UI when creating or editing ClusterPermissions.
      • This is more of an assumption, but it is assumed that the user has the virtual machines, having created or migrated them on the hub cluster, which gives the managedcluster namespaces to work with.

      These ClusterRoles can either be created manually by the user or may already exist if the customer has installed operators that create them. The expected ClusterRoles are the ones linked in the following doc: kubevirt view, kubevirt edit, and kubevirt admin.
      https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/virtualization/about#default-cluster-roles-for-virt_virt-security-policies

      The goal of fine-grained RBAC is to give customers the ability to manage and control permissions at a namespace level on managed clusters rather than just at a cluster level. This means that if a cluster admin only wants to give user A access with certain permissions to namespace A, they can now do that using fine-grained RBAC instead of having to give the user certain permissions across that entire managed cluster (virtual machine).

      • [ ] *Add Required access level *(example, *Cluster
        Administrator*) for the user to complete the task:

      Cluster administrator (Note: the main customer seems to be VMware admins for tech preview in 2.14)

      • [ ] Add verification at the end of the task, how does the user
        verify success (a command to run or a result to see?)

      The ClusterPermission resource is created and shows a ready status; this will be shown in a demo video.

      5. - [ ] Mandatory for bugs: What is the diff? Clearly define what the
      problem is, what the change is, and link to the current documentation. Only
      use this for a documentation bug.
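A preflight check for the prerequisites listed in section 4, as an added example that is not part of the original ticket or the ACM code base. It assumes JSON shaped like the output of `oc get multiclusterhub -o json` (a single item) and `oc get clusterroles -o json`; the sample resources and the ClusterRole names in them are constructed for illustration.

```python
FILTER_LABEL = "rbac.open-cluster-management.io/filter"
FILTER_VALUE = "vm-clusterroles"
REQUIRED_COMPONENTS = ("fine-grained-rbac-preview", "search")

# Constructed sample: search is listed but disabled; one role has the wrong label value.
SAMPLE_MCH = {"spec": {"overrides": {"components": [
    {"name": "fine-grained-rbac-preview", "enabled": True},
    {"name": "search", "enabled": False},
]}}}
SAMPLE_ROLES = {"items": [
    {"metadata": {"name": "kubevirt.io:view", "labels": {FILTER_LABEL: FILTER_VALUE}}},
    {"metadata": {"name": "kubevirt.io:edit", "labels": {FILTER_LABEL: "other"}}},
    {"metadata": {"name": "kubevirt.io:admin"}},
]}


def component_state(mch):
    """Map component name -> True only when enabled is literally true."""
    overrides = (mch.get("spec") or {}).get("overrides") or {}
    return {c.get("name"): c.get("enabled") is True
            for c in overrides.get("components") or []}


def labeled_clusterroles(role_list):
    """Names of ClusterRoles carrying the exact filter label key and value."""
    names = []
    for role in role_list.get("items", []):
        meta = role.get("metadata") or {}
        if (meta.get("labels") or {}).get(FILTER_LABEL) == FILTER_VALUE:
            names.append(meta.get("name"))
    return sorted(names)


def preflight(mch, role_list):
    """Return a list of unmet prerequisites; an empty list means all are met."""
    findings = []
    state = component_state(mch)
    for name in REQUIRED_COMPONENTS:
        if name not in state:
            findings.append(f"component {name}: not listed in spec.overrides.components")
        elif not state[name]:
            findings.append(f"component {name}: listed but enabled is not true")
    if not labeled_clusterroles(role_list):
        findings.append(f"no ClusterRole labeled {FILTER_LABEL}={FILTER_VALUE}")
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_MCH, SAMPLE_ROLES):
        print("UNMET:", finding)
```

Treating a component that is absent from the overrides list as unmet is an assumption of this example; the ticket only states that both components need to be enabled there.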

              bswope@redhat.com Brandi Swope
              rhn-support-cstark Christian Stark
              Enrique Mingorance Cano, Kurtis Wang