Description

1. Proposed title of this feature request
   Enhanced Multi-Tenancy in RHACS for Centralized Security with Per-Cluster Management

1. What is the nature and description of the request?

Current Situation:
RHACS offers RBAC capabilities to configure roles and grant access to Red Hat Advanced Cluster Security for Kubernetes. It includes immutable default roles and supports custom role creation. However, RHACS lacks granular multi-tenancy features necessary for environments with a centralized security team and distributed cluster management.

In scenarios where a centralized security team owns the ACS Central instance and requires full access to all clusters, individual teams need the ability to independently manage their own clusters without visibility or control over others. Currently, there is no way to effectively enforce these boundaries while using a centralized ACS deployment.

Proposed Solution:
Introduce multi-tenancy features that allow:

• • A centralized security team to maintain full access to ACS Central and manage global policies, risks, and violations.
  • Individual teams to manage their respective clusters with limited scope, enabling them to:
    • View and resolve violations specific to their cluster(s).
    • Create and apply security policies scoped to their cluster(s).
    • Accept risks and generate reports applicable to their cluster(s).
  • Clear isolation between clusters so teams cannot view or modify other clusters' settings or policies.
    Use Case:
    A centralized security team within an agency oversees the security posture across multiple clusters via ACS Central. Each cluster is managed by a distinct team responsible for addressing security issues in their environment. These teams need autonomy in managing their clusters without overstepping boundaries set by the centralized security team.

Expectations:

• • The centralized security team retains global administrative access to ACS Central.
  • Cluster-specific roles allow team leads or designated administrators to manage security for their clusters independently, including:
    • Viewing violations.
    • Managing risks.
    • Creating and applying policies.
  • Teams cannot view or interact with other clusters outside their scope.

1. Why does the customer need this?

Justification:
This functionality is critical for agencies operating in regulated environments or with strict security requirements. Centralized oversight is needed for compliance, but individual teams must manage their clusters efficiently to address security vulnerabilities promptly.

By delegating cluster-level responsibilities to individual teams, the centralized security team can focus on high-level security strategy and oversight. This approach reduces bottlenecks, improves response times, and ensures accountability for each team’s cluster while maintaining overall security integrity.

1. List any affected packages or components.

• • RBAC management
  • Policy creation and enforcement
  • Risk acceptance workflows
  • Reporting and notifications