User management
Users will be created in LDAP and placed into an LDAP group. The group mapper will sync the groups and group memberships.
Roles available
Note: Content should be discussed: https://seu30.gdc-leinf01.t-systems.com/confluence/display/MSFCI/HL+-+Rolemapping
Rancher
Cluster Roles
Built-in Cluster Role | Owner | Member |
---|---|---|
Create Projects | ✓ | ✓ |
Manage Cluster Backups | ✓ | |
Manage Cluster Catalogs | ✓ | |
Manage Cluster Members | ✓ | |
Manage Nodes | ✓ | |
Project Roles
Built-in Project Role | Owner | Member | Read Only |
---|---|---|---|
Manage Project Members | ✓ | | |
Create Namespaces | ✓ | ✓ | |
Manage Config Maps | ✓ | ✓ | |
Manage Ingress | ✓ | ✓ | |
Manage Project Catalogs | ✓ | | |
Manage Secrets | ✓ | ✓ | |
Manage Service Accounts | ✓ | ✓ | |
Manage Services | ✓ | ✓ | |
Manage Volumes | ✓ | ✓ | |
Manage Workloads | ✓ | ✓ | |
View Secrets | ✓ | ✓ | |
View Config Maps | ✓ | ✓ | ✓ |
View Ingress | ✓ | ✓ | ✓ |
View Project Members | ✓ | ✓ | ✓ |
View Project Catalogs | ✓ | ✓ | ✓ |
View Service Accounts | ✓ | ✓ | ✓ |
View Services | ✓ | ✓ | ✓ |
View Volumes | ✓ | ✓ | ✓ |
View Workloads | ✓ | ✓ | ✓ |
Services
Service | Central(Prod) | Customer(Shared) | Customer(Dedicated) |
---|---|---|---|
Customer | Customer | Customer | |
Gitlab | none | Developer | Maintainer |
Harbor | none | Developer | admin |
OpenLDAP | none | none | admin |
Vault | none | RO | none |
Keycloak | none | customer specific | customer specific |
Monitoring | none | none | RO |
Opensearch | none | RO (if multitenancy configured) | admin |
Backup(etcd) | none | none | unclear |
Explanation of Roles
Rancher
Cluster Roles:
Cluster roles are roles that you can assign to users, granting them access to a cluster. There are two primary cluster roles: Owner and Member.
Cluster Owner: These users have full control over the cluster and all resources in it.
Cluster Member: These users can view most cluster level resources and create new projects.
Project Roles:
Project roles are roles that can be used to grant users access to a project. There are three primary project roles: Owner, Member, and Read Only.
Project Owner: These users have full control over the project and all resources in it.
Project Member: These users can manage project-scoped resources like namespaces and workloads, but cannot manage other project members.
Read Only: These users can view everything in the project but cannot create, update, or delete anything.
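As an added example (not part of the original page), the project-role matrix above can be used in an access review to pick the least-privileged built-in role that still covers what a user actually needs, and to flag requests that ask for more. The role names and permission labels are those from the table; the functions and the sample request are assumptions of this example.

```python
# Permission -> roles holding it, copied from the Project Roles table above.
PROJECT_MATRIX = {
    "Manage Project Members": {"Owner"},
    "Manage Project Catalogs": {"Owner"},
    "Create Namespaces": {"Owner", "Member"},
    "Manage Config Maps": {"Owner", "Member"},
    "Manage Ingress": {"Owner", "Member"},
    "Manage Secrets": {"Owner", "Member"},
    "Manage Service Accounts": {"Owner", "Member"},
    "Manage Services": {"Owner", "Member"},
    "Manage Volumes": {"Owner", "Member"},
    "Manage Workloads": {"Owner", "Member"},
    "View Secrets": {"Owner", "Member"},  # Read Only cannot view secrets
    "View Config Maps": {"Owner", "Member", "Read Only"},
    "View Ingress": {"Owner", "Member", "Read Only"},
    "View Project Members": {"Owner", "Member", "Read Only"},
    "View Project Catalogs": {"Owner", "Member", "Read Only"},
    "View Service Accounts": {"Owner", "Member", "Read Only"},
    "View Services": {"Owner", "Member", "Read Only"},
    "View Volumes": {"Owner", "Member", "Read Only"},
    "View Workloads": {"Owner", "Member", "Read Only"},
}

# Built-in project roles ordered from least to most privileged.
ROLE_ORDER = ["Read Only", "Member", "Owner"]


def minimal_role(capabilities):
    """Return the least-privileged role that grants every requested capability."""
    unknown = [c for c in capabilities if c not in PROJECT_MATRIX]
    if unknown:
        raise ValueError(f"capabilities not in the matrix: {unknown}")
    for role in ROLE_ORDER:
        if all(role in PROJECT_MATRIX[c] for c in capabilities):
            return role
    return "Owner"  # Owner holds every permission in the table


def review_request(requested_role, capabilities):
    """Compare a requested role with the minimal one; returns (verdict, minimal role)."""
    needed = minimal_role(capabilities)
    delta = ROLE_ORDER.index(requested_role) - ROLE_ORDER.index(needed)
    if delta > 0:
        return ("over-privileged", needed)
    if delta < 0:
        return ("insufficient", needed)
    return ("ok", needed)
```

For a constructed request asking for Owner so a user can deploy workloads and read secrets, `review_request("Owner", ["Manage Workloads", "View Secrets"])` returns `("over-privileged", "Member")`; asking for Read Only with `View Secrets` is reported as insufficient because that column is empty in the table.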
Service
Roles:
Developer: These users have access to the dev environment. They can perform activities like modifying code and configurations.
Maintainer: These users have slightly more privileges than developers and also have access to the prod environment. They can perform activities like modifying code and configurations, changing secrets and environment variables, and running pipelines.
RO: These users have read-only access; they can only read the code and other configurations.
Admin: These users have admin access. They can perform all activities and operations.
MCS_Operations: This role is related to the operations department. Its members have access similar to admin privileges.
Project_Admin: These users are project specific. They have admin access only to the specific project they require.
User management process
Basically, the following approvals need to be applied to complete the process. Requests are received in SNOW.
Technical approval: operation team
Product owner approval
Security approval
Architecture
In Rancher two clusters are manageable: one, called Local, is for Rancher itself, and one is the customer cluster. Operation Team, Developers and Customer Users are created in LDAP with the right groups aligned with their scope. Keycloak, as the central authentication tool, is connected to LDAP (LDAP federation), and with the group mapper the LDAP groups and members are synchronised. Login to services works through Keycloak followed by 2FA (two-factor authentication). For deployment, images and Helm charts are stored in Harbor; pull/push depends on group permissions.