public/rancher-docs
1
0
Fork 0
mirror of https://github.com/rancher/rancher-docs.git synced 2026-05-16 18:13:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

RBAC for CIS v2

Browse Source
This commit is contained in:
Prachi Damle
2020-09-29 18:19:35 -07:00
committed by Catherine Luse
parent 2c61b84244
commit ab38c543ce
1 changed files with 40 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
content/rancher/v2.x/en/cis-scans/2.5.x/rbac/_index.md
+40
View File
@@ -0,0 +1,40 @@
---
title: RBAC
weight: 3
---
This section describes the permissions required to use the rancher-cis-benchmark App.
The rancher-cis-benchmark is a cluster-admin only feature by default.
However, the `rancher-cis-benchmark` chart installs three default `ClusterRoles`:
- cis-admin
- cis-edit
- cis-view
# Cluster-Admin Access
Rancher CIS Scans is a cluster-admin only feature by default.
This means only the rancher global admins, and the clusters cluster-owner can:
- Install/Uninstall the rancher-cis-benchmark App
- See the navigation links for CIS Benchmark CRDs - ClusterScanBenchmarks, ClusterScanProfiles, ClusterScans
- List the default ClusterScanBenchmarks and ClusterScanProfiles
- Create/Edit/Delete new ClusterScanProfiles
- Create/Edit/Delete a new ClusterScan to run the CIS scan on the cluster
- View and Download the ClusterScanReport created after the ClusterScan is complete
# Summary of Default Permissions for Kubernetes Default Roles
The rancher-cis-benchmark creates three `ClusterRoles` and adds the CIS Benchmark CRD access to the following default K8s `ClusterRoles`:
| ClusterRole created by chart | Default K8s ClusterRole | Permissions given with Role
| ------------------------------| ---------------------------| ---------------------------|
| `cis-admin` | `admin`| Ability to CRUD clusterscanbenchmarks, clusterscanprofiles, clusterscans, clusterscanreports CR
| `cis-edit`| `edit` | Ability to CRUD clusterscanbenchmarks, clusterscanprofiles, clusterscans, clusterscanreports CR
| `cis-view` | `view `| Ability to List(R) clusterscanbenchmarks, clusterscanprofiles, clusterscans, clusterscanreports CR
Rancher will continue to use cluster-owner, cluster-member, project-owner, project-member, etc as role names, but these default k8s roles will determine access to CIS feature.
By default only cluster-owner role will have ability to use `rancher-cis-benchmark` feature.
But the above ClusterRoles can be granted to cluster-member, project-owner, project-member users if a cluster-owner wants to share access.