User Guide
Access Control with Orgs and Roles
Overview
This document summarizes the access control enforced by orgs and roles.
Terminologies
- Org is a unit that a user creates in CloudNatix to represent a team, business unit, or environment. Orgs form a tree structure.
- Org O1 is a root org if O1 is a root in the org tree structure.
- Org O1 is a sub org of O2 if O1 is a descendant of O2 in the org tree structure.
- Resource represents individual compute instances (e.g., EC2 instance, Azure VM). Each resource belongs to one of the orgs in a tenant.
- Org O1 is a cluster owner of cluster C1 if all compute instances in C1 belong to O1 or its sub orgs.
- Role represents the permission. The available roles are viewer (= read only), user (= read and write), and admin (= read, write, and admin privilege).
- Role binding is an attribute associated with a user. It consists of a role and an org where the role is associated. A user has the R1 role of org O1 if the user is associated with a role binding with role R1 and org O1. A single user can be associated with more than one role binding.
- Root admin is a user who has the admin role for the root org.
- Federated Namespace is a Kubernetes namespace managed by CloudNatix. It is associated with one of the orgs in a tenant.
Dashboard
A user who has a viewer/user/admin role of org O1 is able to view all resources (i.e., compute instances) that belong to O1 and its sub orgs.
Workloads
Kubernetes Workloads
A user who has the viewer/user/admin role of org O1 is able to view all workloads in the clusters that are owned by O1 or its sub orgs.
A user who has the viewer/user/admin role of org O1 is also able to view all workloads in the namespaces that belong to O1 or its sub orgs.
A user who has the patch role of org O1 is also able to restart all deployment, statefulset, and daemonset workloads in the namespaces that belong to O1 or its sub orgs.
Compute Instances
A user who has the viewer/user/admin role of org O1 is able to view all resources (i.e., compute instances) that belong to O1 or its sub orgs.
A user who has the user/admin role of org O1 is able to create start/stop schedules of compute instances that belong to O1 or its sub orgs.
Insights
Cluster Rightsizing Recommendations
A user who has the viewer/user/admin role of org O1 is able to view the recommendations of clusters that are owned by O1, its sub orgs, and its ancestor orgs.
Compute Instance Rightsizing Recommendations
A user who has the viewer/user/admin role of org O1 is able to view the recommendations of resources (i.e., compute instances) that belong to O1 or its sub orgs.
Org and Namespace Management
A user who has the viewer/user/admin role of org O1 can see:
- its sub orgs,
- resources that belong to O1 or its sub orgs, and
- namespaces that are associated with O1 or its sub orgs.
A user who has the admin role of org O1 can create/update/delete an org if the org is a sub org of O1.
Only the root admin can create/update/delete namespaces and conversion rules.
Cluster Management
Only the root admin can create and delete a cluster.
A user who has the viewer/user/admin role of org O1 can view a cluster if one of the following conditions is met:
- O1 is the cluster owner org.
- O1 is an ancestor of the cluster owner org.
- O1 is a descendant of the cluster owner org, and O1 or its descendant owns at least one namespace.
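The rules in the Dashboard, Workloads, Compute Instances, Org and Namespace Management, and Cluster Management sections all reduce to a few questions about the org tree: which orgs are in the subtree under a role binding, which org owns a cluster, and whether a namespace sits under a given org. The following Python model, added here as an illustration and not CloudNatix code, implements those checks over a constructed tenant (org names, instances, clusters, namespaces and users are all made up). It takes the deepest org whose subtree contains every instance of a cluster as *the* cluster owner org referred to above; by the definition given, every ancestor of that org is also an owner, so that choice is an assumption of the example.

```python
"""Org/role access-control model for the rules summarized above.

Added illustration, not CloudNatix code. The org tree, clusters, namespaces
and role bindings below are constructed sample data.
"""

VIEW_ROLES = {"viewer", "user", "admin"}   # roles that grant read access
WRITE_ROLES = {"user", "admin"}            # roles that grant read and write


class OrgTree:
    """Orgs form a tree; each org maps to its parent (None for the root org)."""

    def __init__(self, parents):
        self.parent = dict(parents)

    def root(self):
        return next(o for o, p in self.parent.items() if p is None)

    def ancestors(self, org):
        """Strict ancestors of org, nearest first."""
        out = []
        while self.parent[org] is not None:
            org = self.parent[org]
            out.append(org)
        return out

    def is_sub_org(self, o1, o2):
        """True if o1 is a (strict) descendant of o2."""
        return o2 in self.ancestors(o1)

    def subtree(self, org):
        """org together with all of its sub orgs."""
        return {o for o in self.parent if o == org or self.is_sub_org(o, org)}


class Tenant:
    def __init__(self, orgs, instance_org, cluster_instances, namespace_org, bindings):
        self.orgs = orgs
        self.instance_org = instance_org            # instance -> org it belongs to
        self.cluster_instances = cluster_instances  # cluster -> instances in it
        self.namespace_org = namespace_org          # federated namespace -> org
        self.bindings = bindings                    # user -> [(role, org), ...]

    def cluster_owner(self, cluster):
        """Deepest org whose subtree contains every instance of the cluster (assumption)."""
        orgs_in_cluster = {self.instance_org[i] for i in self.cluster_instances[cluster]}
        owners = [o for o in self.orgs.parent if orgs_in_cluster <= self.orgs.subtree(o)]
        return max(owners, key=lambda o: len(self.orgs.ancestors(o)))

    def _bound_orgs(self, user, roles):
        """Orgs on which the user holds one of the given roles."""
        return [org for role, org in self.bindings.get(user, []) if role in roles]

    def is_root_admin(self, user):
        return self.orgs.root() in self._bound_orgs(user, {"admin"})

    def can_view_instance(self, user, instance):
        target = self.instance_org[instance]
        return any(target in self.orgs.subtree(o) for o in self._bound_orgs(user, VIEW_ROLES))

    def can_create_schedule(self, user, instance):
        target = self.instance_org[instance]
        return any(target in self.orgs.subtree(o) for o in self._bound_orgs(user, WRITE_ROLES))

    def can_restart_workload(self, user, namespace):
        target = self.namespace_org[namespace]
        return any(target in self.orgs.subtree(o) for o in self._bound_orgs(user, {"patch"}))

    def can_manage_org(self, user, org):
        """Create/update/delete requires the admin role on a strict ancestor of org."""
        return any(self.orgs.is_sub_org(org, o) for o in self._bound_orgs(user, {"admin"}))

    def can_view_cluster(self, user, cluster):
        owner = self.cluster_owner(cluster)
        ns_owning_orgs = set(self.namespace_org.values())
        for o in self._bound_orgs(user, VIEW_ROLES):
            if o == owner or self.orgs.is_sub_org(owner, o):  # owner org, or its ancestor
                return True
            # descendant of the owner org that (itself or via a sub org) owns a namespace
            if self.orgs.is_sub_org(o, owner) and ns_owning_orgs & self.orgs.subtree(o):
                return True
        return False


# Constructed sample tenant: acme is the root org.
TENANT = Tenant(
    orgs=OrgTree({"acme": None, "platform": "acme", "payments": "platform",
                  "analytics": "acme", "ml": "analytics"}),
    instance_org={"i1": "payments", "i2": "payments", "i3": "platform",
                  "i4": "payments", "i5": "analytics"},
    cluster_instances={"c-pay": {"i1", "i2"}, "c-plat": {"i3", "i4"}, "c-ana": {"i5"}},
    namespace_org={"ns-pay": "payments", "ns-ana": "analytics"},
    bindings={
        "alice": [("admin", "acme")],                          # root admin
        "bob":   [("viewer", "platform")],
        "carol": [("user", "payments")],
        "dave":  [("patch", "payments"), ("viewer", "analytics")],
        "erin":  [("viewer", "ml")],                           # ml owns no namespace
    },
)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "erin"):
        visible = [c for c in TENANT.cluster_instances if TENANT.can_view_cluster(user, c)]
        print(f"{user}: root admin={TENANT.is_root_admin(user)}, clusters={visible}")
```

Two cases worth noticing in the sample data: `carol` (user role on `payments`) can view `c-plat`, whose owner org is the parent `platform`, only because `payments` owns `ns-pay`; `erin` (viewer role on `ml`) cannot view `c-ana` even though `ml` sits under the owner org `analytics`, because neither `ml` nor any sub org owns a namespace.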
User Management
A user who has the viewer/user/admin role of the root org can see users.
Only the root admin can create/delete/edit users.
Kubernetes Cluster Access
A user who has viewer/user/admin/patch role of org O1 has the following ClusterRole respectively in the clusters owned by O1 or its sub orgs.
| CloudNatix role | K8s ClusterRole |
|---|---|
| viewer | view |
| user | edit |
| admin | cluster-admin |
| patch | cloudnatix-patch |
cloudnatix-patch is a customized ClusterRole defined by CloudNatix and used to restart Deployments, StatefulSets, DaemonSets, and ArgoCD Rollouts. (The actual "verb" used in the ClusterRole is patch.)
See this page for the definitions of the default ClusterRoles in Kubernetes.