  1. Virtualization Strategy
  2. VIRTSTRAT-51

ACM fine grained RBAC for OpenShift Virtualization


    • Feature
    • Resolution: Unresolved
    • Critical
    • VIRTSTRAT-67 Enhance RBAC across single and multicluster environments for OpenShift Virtualization
    • 83% To Do, 0% In Progress, 17% Done
      27-02 Progress and lots of good discussion. Should be able to make a more technical update soon


      Epic Goal

      ...

      Enable fine-grained RBAC support in ACM so that users only see and manage Virtual Machines for which they have explicit permissions. This should mirror the behavior in VMware: if a user lacks permission to see a resource or run an action in OCP, they should not see that resource or action in ACM either.

      Why is this important?

      • Fine-grained RBAC is a standard feature in enterprise virtualization platforms like VMware, ensuring multi-tenancy, security, and compliance.
      • Many organizations run shared clusters where restricting at the ClusterSet level is insufficient—more granular controls are needed.
      • Consistent RBAC across cluster boundaries is critical when migrating VMs, preventing access privilege gaps and ensuring a seamless user experience.

      Scenarios

      • An ACM user who has specific permissions to see resources and run operations on managed clusters should be limited to seeing those resources and running those operations on the managed clusters from ACM.

      Acceptance Criteria

      • Users can only view or manage VMs and related resources in namespaces (and clusters) for which they have RBAC permissions.
      • If a user does not have permissions in a specific namespace, queries for VMs in that namespace should not return results.
      • The RBAC model aligns with VMware’s approach where resources are invisible to unauthorized users.

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      1. ...

      Open questions:

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub
        Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub
        Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Doc issue opened with a completed template. Separate doc issue
        opened for any deprecation, removal, or any current known
        issue/troubleshooting removal from the doc, if applicable.

              rhn-support-cstark Christian Stark
              rhn-support-cstark Christian Stark
              Joydeep Banerjee, Ronen Sde-Or