2 changes: 0 additions & 2 deletions content/rancher/v2.6/en/neuvector-integration/_index.md
Expand Up @@ -181,8 +181,6 @@ kubectl patch cronjob neuvector-updater-pod -n cattle-neuvector-system --patch '

### Support Limitations

* Only admins and cluster owners are currently supported.

Contributor
Even with below solution I think this part is accurate. We don't support 1:1 mapping of project-members, project-owners, or cluster-members.


* Fleet multi-cluster deployment is not supported.

* NeuVector is not supported on a Windows cluster.
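Review bot: removing the `* Only admins and cluster owners are currently supported.` bullet from Support Limitations drops the only statement on this page that non-admin users need extra setup, and the contributor comment on that line says the statement is still accurate (no 1:1 mapping for project-members, project-owners or cluster-members). Rather than deleting it, replace it with a pointer to the new page added in this PR, e.g. `* Users other than admins and cluster owners need the additional Rancher RBAC mapping described in [Rancher + NeuVector RBAC]({{<baseurl>}}rancher/v2.6/en/neuvector-integration/rbac/).`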
54 changes: 54 additions & 0 deletions content/rancher/v2.6/en/neuvector-integration/rbac/_index.md
@@ -0,0 +1,54 @@
---
title: Rancher + NeuVector RBAC
weight: 3
---

This article is intended for users who need to provide access to the NeuVector app deployed via the Rancher App catalog with the Rancher chart. This will not work on deployments using the Partner chart.

By default, a Rancher cluster admin, and global admin will be automatically mapped to be global admins within NeuVector. In order to map other personas, some access will need to be provided to the Rancher user/group depending on the desired access within NeuVector. Please note that adding the below permissions will not provide access to any kubernetes resources beyond what is already given by existing Rancher roles. With one exception being the neuvector service proxy.

The following table lists the NeuVector role and the k8s RBAC from which it is derived. These rbac mappings need to be created within Rancher RBAC.

|NeuVector role|apiGroup |resources|verbs|comment|
|-----|-----|-----|-----|-----|
cluster admin|read-only.neuvector.api.io|*|*| clusterrole(with clusterrolebinding)|
cluster reader|read-only.neuvector.api.io|*|get| clusterrole(with clusterrolebinding)|
namespace admin|read-only.neuvector.api.io|*|*| clusterrole/role with rolebinding) via project|
namespace readonly|read-only.neuvector.api.io|*|get| clusterrole/role with rolebinding) via project|
n/a|neuvector.com|*|get|necessary along with any of the above for nav link to appear|

### Creating the rancher RBAC roles for cluster and project scope
_for users that are not global admins or cluster admins_

Three items are necessary for the mapped access:

1. Global, Cluster, or project level role based on the above table
1. GET permissions on the neuvector.com CRDs
2. NeuVector Project level services/proxy permission. This is used for UI proxy via rancher.

The first two items are highly dependent on your RBAC setup, but can be done with distinct NeuVector roles, or adding the permissions from the above tables to an existing set of custom roles. These can be given to users at Global, cluster, or project level.

See [Rancher Custom Roles]({{<baseurl>}}rancher/v2.6/en/admin-settings/rbac/default-custom-roles/) for more information.

### NeuVector Project Level UI Proxy
_Necessary when a user does not have this permission already either via a global or cluster role_

1. Create a project for NeuVector prior to installing from the App catalog, and install to this project. If install has already been done, create the project and move the namespace there.
1. Create a project level role with services/proxy access as shown in the below examples.
1. For the user/group in question that will need to access NeuVector, assign the project UI Proxy role.

> **Warning**
> Please be sure to scope this role to a NeuVector only project, otherwise services/proxy access could be given to unintended workloads.

### Examples

#### Project level:
![Project Admin]({{<baseurl>}}/img/rancher/neuvector-project-admin.png)
![Project Read-Only]({{<baseurl>}}/img/rancher/neuvector-project-ro.png)
![Project UI Proxy]({{<baseurl>}}/img/rancher/neuvector-proxy-role.png)
#### Cluster level:
![Cluster Admin]({{<baseurl>}}/img/rancher/neuvector-cluster-admin.png)
![Cluster Read-Only]({{<baseurl>}}/img/rancher/neuvector-cluster-ro.png)

#### Project UI proxy permission:
![NeuVector Project UI]({{<baseurl>}}/img/rancher/neuvector-project-ro.png)
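Review bot: the data rows of the role table, from `cluster admin|read-only.neuvector.api.io|*|*| clusterrole(with clusterrolebinding)|` through `n/a|neuvector.com|*|get|necessary along with any of the above for nav link to appear|`, are missing the leading `|` that the header and separator rows have, so Hugo will not render them as table rows; add the leading pipe to each. The two "via project" comment cells also carry an unbalanced `)` in `clusterrole/role with rolebinding) via project`. Under "Three items are necessary for the mapped access" the list is numbered `1.`, `1.`, `2.`; make it `1.`, `1.`, `1.` (or `1.`, `2.`, `3.`) so the rendered numbering matches the text that later refers to "the first two items". The "Project UI proxy permission" section reuses `neuvector-project-ro.png`, while the added `static/img/rancher/neuvector-ui-permission.png` is never referenced anywhere in the page; this looks like the wrong image path. Since the proxy role is currently shown only as a screenshot, and the warning above it is the one security-relevant step (a `services/proxy` role scoped too widely reaches other workloads' services), spell the role out in text as well (apiGroup, resource `services/proxy`, verbs, project scope) so readers who cannot view the image can reproduce and verify it. Minor: `kubernetes`, `rancher` and `rbac` are capitalized inconsistently across the page.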
Binary file added static/img/rancher/neuvector-cluster-admin.png
Binary file added static/img/rancher/neuvector-cluster-ro.png
Binary file added static/img/rancher/neuvector-project-admin.png
Binary file added static/img/rancher/neuvector-project-ro.png
Binary file added static/img/rancher/neuvector-proxy-role.png
Binary file added static/img/rancher/neuvector-ui-permission.png