Integrating NeuVector with Rancher RBAC
Permanent link to this article: https://www.xtplayer.cn/neuvector/rancher-neuvector-sso-rbac/
Creating the role templates
Import the following role templates into the local (Rancher management) cluster:
```yaml
administrative: false
apiVersion: management.cattle.io/v3
builtin: false
clusterCreatorDefault: false
context: cluster
displayName: Neuvector UI Proxy
external: false
hidden: false
kind: RoleTemplate
locked: false
metadata:
  annotations:
    cleanup.cattle.io/rtUpgradeCluster: 'true'
    lifecycle.cattle.io/create.mgmt-auth-roletemplate-lifecycle: 'true'
  finalizers:
    - controller.cattle.io/mgmt-auth-roletemplate-lifecycle
  labels:
    cattle.io/creator: norman
  name: neuvector-ui-proxy
projectCreatorDefault: false
roleTemplateNames: []
rules:
  - apiGroups:
      - neuvector.com
    resources:
      - '*'
    verbs:
      - get
  - apiGroups:
      - ''
    resourceNames:
      - 'https:neuvector-service-webui:8443'
    resources:
      - services/proxy
    verbs:
      - get
      - patch
      - create
  - apiGroups:
      - ''
    resourceNames: []
    resources:
      - namespaces
    verbs:
      - list
---
apiVersion: management.cattle.io/v3
kind: GlobalRole
displayName: All Downstream Neuvector UI Proxy
metadata:
  name: all-downstream-neuvector-ui-proxy
inheritedClusterRoles:
  - neuvector-ui-proxy
```
```yaml
administrative: false
apiVersion: management.cattle.io/v3
builtin: false
clusterCreatorDefault: false
context: cluster
displayName: Neuvector Cluster Role
external: false
hidden: false
kind: RoleTemplate
locked: false
metadata:
  annotations:
    cleanup.cattle.io/rtUpgradeCluster: 'true'
    lifecycle.cattle.io/create.mgmt-auth-roletemplate-lifecycle: 'true'
  finalizers:
    - controller.cattle.io/mgmt-auth-roletemplate-lifecycle
  labels:
    cattle.io/creator: norman
  name: neuvector-cluster-role
projectCreatorDefault: false
roleTemplateNames: []
rules:
  - apiGroups:
      - permission.neuvector.com
    resourceNames: []
    resources:
      - AdmissionControl
    verbs:
      - '*'
  - apiGroups:
      - permission.neuvector.com
    resourceNames: []
    resources:
      - Authentication
    verbs:
      - '*'
  - apiGroups:
      - permission.neuvector.com
    resourceNames: []
    resources:
      - CIScan
    verbs:
      - '*'
```
```yaml
administrative: false
apiVersion: management.cattle.io/v3
builtin: false
clusterCreatorDefault: false
context: project
displayName: Neuvector Project Role
external: false
hidden: false
kind: RoleTemplate
locked: false
metadata:
  annotations:
    cleanup.cattle.io/rtUpgradeCluster: 'true'
    lifecycle.cattle.io/create.mgmt-auth-roletemplate-lifecycle: 'true'
  finalizers:
    - controller.cattle.io/mgmt-auth-roletemplate-lifecycle
  labels:
    cattle.io/creator: norman
  name: neuvector-project-role
projectCreatorDefault: false
roleTemplateNames: []
rules:
  - apiGroups:
      - permission.neuvector.com
    resourceNames: []
    resources:
      - AuditEvents
    verbs:
      - '*'
  - apiGroups:
      - permission.neuvector.com
    resourceNames: []
    resources:
      - Authorization
    verbs:
      - '*'
  - apiGroups:
      - permission.neuvector.com
    resourceNames: []
    resources:
      - Events
    verbs:
      - '*'
```
Notes on the cluster role template and the project role template
According to the documentation at https://open-docs.neuvector.com/integration/rancher_sso_rbac/:
- The NeuVector AdmissionControl, Authentication, CIScan, Cluster, Federation and Vulnerability functions correspond to cluster-scoped permissions
- The NeuVector AuditEvents, Authorization, Compliance, Events, Namespace, RegistryScan, RuntimePolicy, RuntimeScan, SecurityEvents and SystemConfig functions correspond to namespace/project-scoped permissions
Therefore, to subdivide permissions further, for example so that user A only has read-only access to the AuditEvents and Authorization project functions, create a project role template and add only the get verb for the corresponding functions. Cluster-scoped function permissions are split up in the same way.
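The read-only project role described above, written out as an added example (it is not part of the original post or the NeuVector documentation). It follows the same RoleTemplate shape as the templates imported earlier but lists only the two functions user A should see, with `get` as the sole verb; the template name `neuvector-project-readonly` and its displayName are my own choices. The user still needs the All Downstream Neuvector UI Proxy global role from the first template to reach the NeuVector UI through the Rancher proxy at all.

```yaml
# Added example: project-scoped RoleTemplate granting read-only access to
# AuditEvents and Authorization only. Names/displayName are assumptions.
administrative: false
apiVersion: management.cattle.io/v3
builtin: false
clusterCreatorDefault: false
context: project                      # project scope: these two functions are namespace/project-level
displayName: Neuvector Project Read-Only (AuditEvents, Authorization)
external: false
hidden: false
kind: RoleTemplate
locked: false
metadata:
  labels:
    cattle.io/creator: norman
  name: neuvector-project-readonly    # assumed name, not from the page
projectCreatorDefault: false
roleTemplateNames: []
rules:
  - apiGroups:
      - permission.neuvector.com
    resourceNames: []
    resources:
      - AuditEvents
    verbs:
      - get                           # get only: read access, no '*' (read/write) as in the full project role
  - apiGroups:
      - permission.neuvector.com
    resourceNames: []
    resources:
      - Authorization
    verbs:
      - get
  # Deliberately no rule for Events, Compliance, RuntimePolicy, etc.: anything
  # not listed here is not granted to a member bound to this template.
```

Import it into the local cluster the same way as the templates above, then bind user A to it as a project member instead of to Neuvector Project Role. Because NeuVector derives its permissions from the verbs on `permission.neuvector.com` resources, the difference between this template and the full project role is exactly `get` versus `'*'` on the listed functions plus the absence of every other function.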
Creating users and assigning permissions
- Create a Rancher user, choose Standard User as the global role, and under the custom roles at the bottom of the page select All Downstream Neuvector UI Proxy.
- Switch to the cluster member or project member configuration page, select the user, and assign the Neuvector Cluster Role or Neuvector Project Role.