Virtualization Strategy / VIRTSTRAT-67

Enhance RBAC across single and multicluster environments for OpenShift Virtualization


    • Type: Outcome
    • Resolution: Unresolved
    • Priority: Normal
    • ACM 2.15.0
    • Product / Portfolio Work
    • 50% To Do, 50% In Progress, 0% Done

      Description / background info

      Managing RBAC in OpenShift Virtualization today presents challenges in three areas: granularity of permissions, consistency between single-cluster and multicluster environments, and providing an intuitive permissions experience. Customers need a scalable, role-based access control model that streamlines permission management across clusters, integrates with identity providers, and simplifies access configuration without weakening security.

      At the December 2024 Virtualization vF2F, stakeholders highlighted the need for improving roles and definitions, permission structures, and consistency in the experience for managing RBAC in OpenShift Virtualization both within a single cluster and across a fleet of clusters. This work will improve usability, security, and operational efficiency, ensuring customers can assign roles effectively, visualize permissions, and manage access at scale.

      Goals and outcomes

      This effort aims to deliver a unified and scalable RBAC framework that provides fine-grained access control, intuitive permissions management, and global RBAC consistency for OpenShift Virtualization by:

      • Ensuring a seamless experience for managing permissions across single and multicluster environments
      • Providing a more intuitive experience for defining, assigning, and managing roles and permissions in the UI
      • Improving fine-grained access control so admins can enforce role-based permissions at the cluster, namespace, or object level
      • Enabling effective permission management at scale, reducing reliance on manual configurations and YAML-based role definitions
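      For context on the "cluster, namespace, or object level" distinction above, the following is an added illustration (not part of VIRTSTRAT-67 and not a design artifact of this outcome) of how the current YAML-based Kubernetes RBAC model expresses those scopes for OpenShift Virtualization resources. The namespace (team-a), role name (vm-operator), VM name (web-01) and identity-provider group (team-a-operators) are hypothetical; the API groups kubevirt.io and subresources.kubevirt.io and the start/stop subresources are the ones OpenShift Virtualization exposes.

```yaml
# Added example, not from the VIRTSTRAT-67 page. All names are hypothetical.
# Cluster level would use ClusterRole/ClusterRoleBinding instead of Role/RoleBinding;
# namespace level is a Role bound in one namespace; object level uses resourceNames.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: vm-operator
  namespace: team-a
rules:
  # Namespace level: read-only view of every VM and running VMI in team-a.
  - apiGroups: ["kubevirt.io"]
    resources: ["virtualmachines", "virtualmachineinstances"]
    verbs: ["get", "list", "watch"]
  # Object level: may start or stop only the VM named web-01.
  # Caveat: resourceNames restricts get/update/patch/delete and subresource
  # calls, but it cannot scope list, watch or create, so those verbs stay
  # namespace-wide. That limitation is part of why object-level RBAC is a goal
  # of this outcome rather than something admins can fully express today.
  - apiGroups: ["subresources.kubevirt.io"]
    resources: ["virtualmachines/start", "virtualmachines/stop"]
    resourceNames: ["web-01"]
    verbs: ["update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vm-operator
  namespace: team-a
subjects:
  # Group claim asserted by the configured identity provider (hypothetical name).
  - kind: Group
    name: team-a-operators
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: vm-operator
  apiGroup: rbac.authorization.k8s.io
```

      After applying this to one cluster, an admin can confirm the effective permission for a member of the group with `oc auth can-i get virtualmachines.kubevirt.io -n team-a --as=alice --as-group=team-a-operators` (user alice is hypothetical). The same Role and RoleBinding would have to be applied separately to every managed cluster in a fleet, which is the manual, per-cluster YAML workload the last goal above targets.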

      Customer input

      “At UPS, they’re starting to do self-service with the vRealize or Aria, and now they want to do it through ACM. But it has to… provide that RBAC, ideally on a per object level, but generally they apply that at the folder level in vCenter.”

      • Source: Principal Consulting Architect

      “I think being able to split out the permissions in RBAC and being able to simply say something like, ‘Hey, I want this person to be able to see the logs and that's all they get,’ that would essentially eliminate a lot of the issues that we have... that would be a generic benefit from not just OpenShift Virt or OpenShift, but across the entire environment.”

      • Source: Solution Architect

      “When we actually went through the permissions UI (in ACS), the way that’s set up is really efficient and really easy to understand with the groups and access lists and scope. I think if Red Hat implemented that in terms of OpenShift in general, that would actually end up fixing all of those issues.”

      • Source: Principal Consulting Architect

      “The equivalent in our case would be, well I guess we’re adding this folder thing that’s based on like labels or annotations, but that level or on a project level in OpenShift, which would be a project in the spoke cluster, not in the hub cluster.”

      • Source: Principal Consulting Architect

      Tracking success

      We will track the success of these initiatives by determining the appropriate analytics, identifying key metrics, and prioritizing continuous customer feedback through surveys and usability testing.

      Definition of done - Targeted for [estimate a timeframe once known/In Progress]

      • Stakeholders have approved solutions for fine-grained access control, intuitive permissions, and global RBAC consistency

      Design artifacts

      TBD

              Assignee: Unassigned
              Reporter: Anna Walker (rh-ee-annwalke)
              Votes: 0
              Watchers: 4