fine grained rbac

[swopebe]

No description provided.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: swopebe

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[swopebe]

This is the release note.

[swopebe]

need to just add TP status here

[mshort55]

From the End to End testing google doc, this pre-req part is missing. This is mandatory, or else the kubevirt roles will not be present on the hub cluster. Copying directly from the google doc:

3. Install necessary policies on hub so that kubevirt roles exist on the hub cluster

• Confirm that the policy named policy-virt-clusterroles is present in the open-cluster-management-global-set namespace

oc get policy -n open-cluster-management-global-set

• Label the local-cluster with environment=virtualization

oc label managedclusters local-cluster environment=virtualization

• Change the policy policy-virt-clusterroles to enforce which will add the kubevirt clusterroles onto the hubcluster
  (change the remediationAction farthest to the bottom that has the least indentation, there are 2 and only the bottom one needs to be changed)

oc edit policy -n open-cluster-management-global-set policy-virt-clusterroles

CHANGE THIS:
remediationAction: inform
TO THIS:
remediationAction: enforce

Note: this will get changed back to inform automatically after some time. This is expected, and we only need it set to enforce for a short time period just so the clusterroles can be added to the hub cluster.

[mshort55]

Added multiple changes and considerations. Let me know if there is anything I can do to further assist!

[mshort55]

Not sure what this means: "which gives the managed cluster namespaces.". Maybe we can remove this line, unless I am missing something.

[swopebe]

I was taking content from the issue and watching multiple demos, so at some point it likely was mentioned. Not sure. I can remove it.

[mshort55]

Suggested change

	. In the _Basic information_ window, add the information for your cluster permission, such as the cluster and the user or group. Choose the cluster or virtual machine with the specific namespace that requires permission.
	. In the _Basic information_ window, add the information for your cluster permission, such as the cluster and the user or group. Choose the cluster or specific virtual machine namespaces that the user requires permission for.

[swopebe]

Will work on this line, ideally not to end with the word for, but keep the same meaning.

[swopebe]

In formal technical doc, we do not end the sentence with a preposition, so see how that works. The line previously did say something similar, though.

[mshort55]

Suggested change

	. Add the `Role Bindings` information, such as the namespaces in the cluster or virtual machine, users or groups, and roles, such as `kubevirt.io:view` for fine-grained role-based access control. You can choose a combination of `RoleBindings`.
	. Add the `Role Bindings` information, such as the namespaces in the cluster, users or groups, and roles, such as `kubevirt.io:view` for fine-grained role-based access control. You can choose a combination of `RoleBindings`.

[mshort55]

Users choose namespaces, but not virtual machines

[mshort55]

Just to answer your question, admins can export yaml and use it as a template for creating k8s resources through git ops or cli.

[mshort55]

This should be worded differently. It is not really meant to be shown as an example, but these need to be applied on the hub cluster as workarounds to bugs and limitations. These need to be applied before the user that is getting permissions assigned to them logs into the hub, or else their user experience will be poor.

See the notes I added in from the End to End Testing doc. Customer needs to change cluster names and subjects based on the users/groups they are adding for RBAC through ClusterPermission.

[swopebe]

We have tasks and concepts in the RBAC folder. We don't document known issues or workarounds within those procedures.

This content was taken from the template and the demos, but the content at the bottom in the google doc was not in the template, so I didn't see it.

This doc will look something like this formally:
https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/multicluster_engine_operator_with_red_hat_advanced_cluster_management/mce-acm-integration#discover-hosted-acm

(this is why we provide links in the doc issue template so that everyone knows how we format the doc)

Notes are specific, steps are imperative for all users, if a workaround goes into the main doc, it goes in as a step bc it is for all readers.

If this YAML is a workaround, that needs to be identified in a separate issue perhaps for troubleshooting. This issue is for the initial documentation procedure.

Limitations, known issues, etc...those are release notes. T-shooting is also an option. We go in to this here in the process doc:
https://docs.google.com/document/d/1YTqpZRH54Bnn4WJ2nZmjaCoiRtqmrc2w6DdQxe_yLZ8/edit?tab=t.0#heading=h.9fvyr2rdriby

[mshort55]

Sorry for the confusion. I called this "workaround" because to me that is what it is. However in reality, it is a setup requirement. The yaml I provided needs to be applied for the feature to work correctly.

[bjoydeep]

Suggestion - rephrasing the last sentence to something like -

Grant permission to virtual machines based on namespaces they belong in a managed cluster. Cannot grant permissions to individual virtual machines, but can grant permissions to all virtual machines in cluster (yes... we can still do this...)

[Ginxo]

Please check my comments, I'm concern about https://issues.redhat.com/browse/ACM-21610 since we expect the ticket's PR to be merged by the end of the day 🤞 and to be included on 2.14.0

[swopebe]

From the End to End testing google doc, this pre-req part is missing. This is mandatory, or else the kubevirt roles will not be present on the hub cluster. Copying directly from the google doc:

3. Install necessary policies on hub so that kubevirt roles exist on the hub cluster

• Confirm that the policy named policy-virt-clusterroles is present in the open-cluster-management-global-set namespace

oc get policy -n open-cluster-management-global-set

• Label the local-cluster with environment=virtualization

oc label managedclusters local-cluster environment=virtualization

• Change the policy policy-virt-clusterroles to enforce which will add the kubevirt clusterroles onto the hubcluster
  (change the remediationAction farthest to the bottom that has the least indentation, there are 2 and only the bottom one needs to be changed)

oc edit policy -n open-cluster-management-global-set policy-virt-clusterroles

CHANGE THIS: remediationAction: inform TO THIS: remediationAction: enforce

Note: this will get changed back to inform automatically after some time. This is expected, and we only need it set to enforce for a short time period just so the clusterroles can be added to the hub cluster.

The end-to-end testing doc is a bit hard for me to follow--We didn't get this info in our template, though. That is where I pulled prereqs and much of the content, from the information in the template.

From the testing doc, if there is something that needs to be documented, it's likely not in this first draft and needs to be added to the PR.

See that there are different prereqs in the issue template:

https://issues.redhat.com/browse/ACM-19799--new

We cannot have a mile long list of prereqs--at that point we may want to consider reorganizing.

[mshort55]

Here are the final steps to enable this feature. These have been revised a lot from what we have currently, so please use these as the new default steps. Lot's of previous steps have been removed because they are no longer needed. I will put CLI steps first and UI steps second, and then we can review them in our next meeting.

CLI:
(all commands to be done on the hub cluster)

1. Enable fine-grained-rbac-preview in MultiClusterHub

oc edit mch -n open-cluster-management multiclusterhub

CHANGE THIS:
    - configOverrides: {}
      enabled: false
      name: fine-grained-rbac-preview
TO THIS:
    - configOverrides: {}
      enabled: true
      name: fine-grained-rbac-preview

2. Label local-cluster with environment=virtualization

oc label managedclusters local-cluster environment=virtualization

3. Change the policy policy-virt-clusterroles to enforce which will add the kubevirt clusterroles onto the hub cluster

oc edit policy -n open-cluster-management-global-set policy-virt-clusterroles

CHANGE THIS:
  remediationAction: inform
TO THIS:
  remediationAction: enforce

(change the remediationAction farthest to the bottom that has the least indentation, there are 2 and only the bottom one needs to be changed)

4. Create this yaml file named acm-vm-rbac-required.yml to be used with the next cli command

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: acm-vm-rbac-required # customer can use any name
rules:
  - apiGroups: ["clusterview.open-cluster-management.io"]
    resources: ["kubevirtprojects"]
    verbs: ["list"]
  - apiGroups: ["clusterview.open-cluster-management.io"]
    resources: ["managedclusters"]
    verbs: ["list","get","watch"]
  - apiGroups: ["cluster.open-cluster-management.io"]
    resources: ["managedclusters"]
    verbs: ["get"]
    resourceNames: ["cluster01", "cluster02", "cluster03"] # customer needs to add the managed clusters they want their users and groups to access
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: acm-vm-rbac-required # customer can use any name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: acm-vm-rbac-required # this name has to match the above ClusterRole name
subjects:
  - kind: User # customer can choose User or Group
    apiGroup: rbac.authorization.k8s.io
    name: user1 # customer needs to specify user or group name

5. Apply above yaml

oc apply -f acm-vm-rbac-required.yml

OPTIONAL:

To enable Grafana for a specific user and cluster (and if observability is enabled)

1. Create the file observability-grafana-access.yml:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: observability-grafana-access # customer can give this any name
  namespace: cluster01 # customer needs to specify a specific managed cluster name
subjects:
  - kind: User # customer can choose User or Group
    apiGroup: rbac.authorization.k8s.io
    name: user1 # customer needs to specify user or group name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view

2. Apply yaml

oc apply -f observability-grafana-access.yml

---

---

---

---

UI:

1. Enable fine-grained-rbac-preview in MultiClusterHub

local-cluster - Operators - Installed Operators - Advanced Cluster Management for Kubernetes - MultiClusterHub tab - Edit MultiClusterHub - YAML tab

CHANGE THIS:
    - configOverrides: {}
      enabled: false
      name: fine-grained-rbac-preview
TO THIS:
    - configOverrides: {}
      enabled: true
      name: fine-grained-rbac-preview

Click Save

2. Label local-cluster with environment=virtualization

All Clusters - Infrastructure - Clusters - local-cluster - Actions - Edit labels

Enter: environment=virtualization

Click Save

3. Change the policy policy-virt-clusterroles to enforce which will add the kubevirt clusterroles onto the hub cluster

Governance - Policies tab - policy-virt-clusterroles - Actions - Edit - Enable YAML editor

CHANGE THIS:
  remediationAction: inform
TO THIS:
  remediationAction: enforce

Click Save

(change the remediationAction farthest to the bottom that has the least indentation, there are 2 and only the bottom one needs to be changed)

4. Create ClusterRole

local-cluster - User Management - Roles - Create Role

Copy and paste in the below YAML into the YAML editor:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: acm-vm-rbac-required # customer can use any name
rules:
  - apiGroups: ["clusterview.open-cluster-management.io"]
    resources: ["kubevirtprojects"]
    verbs: ["list"]
  - apiGroups: ["clusterview.open-cluster-management.io"]
    resources: ["managedclusters"]
    verbs: ["list","get","watch"]
  - apiGroups: ["cluster.open-cluster-management.io"]
    resources: ["managedclusters"]
    verbs: ["get"]
    resourceNames: ["cluster01", "cluster02", "cluster03"] # customer needs to add the managed clusters they want their users and groups to access

Click Create

5. Create ClusterRoleBinding

local-cluster - User Management - RoleBindings - Create binding

Binding type: Cluster-wide role binding
RoleBinding Name: acm-vm-rbac-required (can be any name)
Role name: acm-vm-rbac-required (HAS to match the name of previously created ClusterRole)
Subject: select User or Group and enter in User or Group name
Click Create

OPTIONAL:

To enable Grafana for a specific user and cluster (and if observability is enabled)

1. Create RoleBinding:

local-cluster - User Management - RoleBindings - Create binding

Binding type: Namespace role binding (RoleBinding)
RoleBinding Name: observability-grafana-access (can be any name)
RoleBinding Namespace: (customer must choose managed cluster name from drop down menu)
Role name: view
Subject: (customer must select User or Group and enter in User or Group name)
Click Create

[mshort55]

Here are CLI instructions for adding access control:
(run commands from hub cluster)

1. Create a yaml file named cluster01-prod-admin.yml with desired RBAC permissions. Here is an example:

apiVersion: rbac.open-cluster-management.io/v1alpha1
kind: ClusterPermission
metadata:
  name: cluster01-prod-admin # customer can use any name
  namespace: cluster01 # customer must specify a specific managed cluster name
spec:
  roleBindings:
    - name: cluster01-prod-admin # customer can use any name
      namespace: prod # customer must specify the namespace in the managed cluster that they are granting access too
      roleRef:
        name: kubevirt.io:admin
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
      subjects:
        - kind: User # customer can choose User or Group
          apiGroup: rbac.authorization.k8s.io
          name: user1 # customer needs to specify user or group name

2. Apply yaml:

oc apply -f cluster01-prod-admin.yml

[mshort55]

Add ClusterPermission explanation to this

[swopebe]

Please check my comments, I'm concern about https://issues.redhat.com/browse/ACM-21610 since we expect the ticket's PR to be merged by the end of the day 🤞 and to be included on 2.14.0

Yes, but I could not move forward with the conflicts in the information I had and still create proper documentation, so we needed clarity and a clearer draft. This content needs to look like the rest of the ACM content. After a couple of meetings, we have the steps ironed out.

In the doc process, you can close your issues, since the doc merge is always after the code merges due to workload. This is why the doc team needs their own issues for the release work. You are free to close your issue knowing that we are working the feature doc.

[swopebe]

Why does the user do this?

[swopebe]

It may actually be better to break this out a bit to show them in the YAML--I didn't see an example of how we say this in the doc and we don't want to use directional language.

[swopebe]

We originally had ClusterRole and ClusterRoleBinding in two different steps, before the meetings and such. We also have this separated in the console process, but all together in this process.

[swopebe]

The CLI procedure is ready for tech review, see comments.^^^