Starting with NeuVector v5.4, a user who logs in to NeuVector through Rancher can no longer be assigned a Fed role inside NeuVector itself; the corresponding role must be configured in Rancher and is then mapped into NeuVector.
SSO role mapping for NV in the Primary cluster:
Global Role:
get/nv-perm.all-permissions → fedReader
*/nv-perm.all-permissions → fedAdmin

Cluster Role:
get/nv-perm.all-permissions → reader
*/nv-perm.all-permissions → admin
get/nv-perm.all-permissions,nv-perm.fed → fedReader
*/nv-perm.all-permissions,nv-perm.fed → fedAdmin
Project Role: no project role maps to the fedReader/fedAdmin roles.
If the NV cluster is not the Primary cluster, a mapped fedReader role is automatically downgraded to reader, and a mapped fedAdmin role is automatically downgraded to admin.
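The mapping table and the downgrade rule above, encoded as a small checker (an added example written for this page, not NeuVector's or Rancher's code). The rule lists are constructed from the Fed Admin and Fed Reader RoleTemplates shown later on this page; the `scope` argument is a modelling assumption: for a Global Role that only inherits a Cluster Role, pass the inherited template's rules with scope `"global"`.

```python
# Illustrative model of the Rancher -> NeuVector (v5.4+) SSO role mapping described
# above. Written for this page; it is not NeuVector's or Rancher's code.
NV_API_GROUP = "api.neuvector.com"
ALL_PERMS = "nv-perm.all-permissions"
FED_PERM = "nv-perm.fed"

# Constructed from the `rules:` of the Fed Admin / Fed Reader RoleTemplates on this page.
FED_ADMIN_CLUSTER_RULES = [
    {"apiGroups": [NV_API_GROUP], "resources": [ALL_PERMS], "verbs": ["*"]},
    {"apiGroups": [NV_API_GROUP], "resources": [FED_PERM], "verbs": ["*"]},
]
FED_READER_CLUSTER_RULES = [
    {"apiGroups": [NV_API_GROUP], "resources": [ALL_PERMS, FED_PERM], "verbs": ["get"]},
]
READER_CLUSTER_RULES = [
    {"apiGroups": [NV_API_GROUP], "resources": [ALL_PERMS], "verbs": ["get"]},
]

def verbs_on(rules, resource):
    """Union of verbs the rules grant on one NeuVector permission resource."""
    verbs = set()
    for rule in rules:
        if NV_API_GROUP in rule.get("apiGroups", []) and resource in rule.get("resources", []):
            verbs.update(rule.get("verbs", []))
    return verbs

def map_nv_role(rules, scope, primary=True):
    """NeuVector role for a Rancher role of `scope` ('global', 'cluster' or 'project'),
    or None when nothing maps. Non-Primary clusters downgrade fed roles."""
    if scope == "project":
        return None  # no project role maps to fedReader/fedAdmin
    all_perms = verbs_on(rules, ALL_PERMS)
    if not ({"get", "*"} & all_perms):
        return None
    write = "*" in all_perms
    # A Global Role is fed-scoped by itself; a Cluster Role also needs nv-perm.fed.
    fed = scope == "global" or bool({"get", "*"} & verbs_on(rules, FED_PERM))
    if fed:
        role = "fedAdmin" if write else "fedReader"
    else:
        role = "admin" if write else "reader"
    if not primary:  # fedAdmin -> admin, fedReader -> reader outside the Primary cluster
        role = {"fedAdmin": "admin", "fedReader": "reader"}.get(role, role)
    return role

if __name__ == "__main__":
    for name, rules in [("fed-admin", FED_ADMIN_CLUSTER_RULES), ("fed-reader", FED_READER_CLUSTER_RULES)]:
        print(name, map_nv_role(rules, "cluster"), map_nv_role(rules, "cluster", primary=False))
```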
Global Role
If NV is deployed in a downstream cluster, Global Roles are not automatically synchronized to downstream clusters, so you must first create a Cluster Role and then reference it through the inheritedClusterRoles field.
Fed Admin
Create the Cluster Role:

```yaml
administrative: false
apiVersion: management.cattle.io/v3
builtin: false
clusterCreatorDefault: false
context: cluster
displayName: NeuVector Fed Administrator Cluster Role
external: false
hidden: false
kind: RoleTemplate
locked: false
metadata:
  name: cluster-role-neuvector-fed-admin
projectCreatorDefault: false
roleTemplateNames: []
rules:
- apiGroups:
  - api.neuvector.com
  resources:
  - nv-perm.all-permissions
  verbs:
  - '*'
- apiGroups:
  - api.neuvector.com
  resources:
  - nv-perm.fed
  verbs:
  - '*'
```
Create the Global Role based on the Cluster Role:

```yaml
apiVersion: management.cattle.io/v3
description: NeuVector Fed Administrator Global Role
displayName: NeuVector Fed Administrator Global Role
kind: GlobalRole
metadata:
  name: global-role-neuvector-fed-admin
inheritedClusterRoles:
- cluster-role-neuvector-fed-admin
newUserDefault: false
rules: []
```
Then grant the Global Role to the user:

In NV the user's role is shown as fedAdmin:

Fed Reader
Create the Cluster Role:

```yaml
administrative: false
apiVersion: management.cattle.io/v3
builtin: false
clusterCreatorDefault: false
context: cluster
displayName: NeuVector Fed Reader Cluster Role
external: false
hidden: false
kind: RoleTemplate
locked: false
metadata:
  name: cluster-role-neuvector-fed-reader
projectCreatorDefault: false
roleTemplateNames: []
rules:
- apiGroups:
  - api.neuvector.com
  resources:
  - nv-perm.all-permissions
  - nv-perm.fed
  verbs:
  - get
```
Create the Global Role based on the Cluster Role:

```yaml
apiVersion: management.cattle.io/v3
description: NeuVector Fed Reader Global Role
displayName: NeuVector Fed Reader Global Role
kind: GlobalRole
metadata:
  name: global-role-neuvector-fed-reader
inheritedClusterRoles:
- cluster-role-neuvector-fed-reader
newUserDefault: false
rules: []
```
After granting it, the role shown in NV is fedReader:


Cluster Role
If you do not want to authorize the user through a Global Role, you can grant the Cluster Role created above directly in the downstream cluster:

Project Role
Since no Project Role maps to the fedReader/fedAdmin roles, only a Project Admin or Project Reader role can be granted.
Project Admin
```yaml
administrative: false
apiVersion: management.cattle.io/v3
builtin: false
clusterCreatorDefault: false
context: project
description: Neuvector Project Admin
displayName: Neuvector Project Admin
external: false
hidden: false
kind: RoleTemplate
locked: false
metadata:
  name: project-role-neuvector-project-admin
projectCreatorDefault: false
roleTemplateNames: []
rules:
- apiGroups:
  - read-only.neuvector.api.io
  resources:
  - '*'
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - neuvector.com
  resources:
  - '*'
  verbs:
  - get
```
Grant the role to the user:

When the user then accesses NV, they can manage the NV resources under their own Project:

Project Reader
```yaml
administrative: false
apiVersion: management.cattle.io/v3
builtin: false
clusterCreatorDefault: false
context: project
description: Neuvector Project Reader
displayName: Neuvector Project Reader
external: false
hidden: false
kind: RoleTemplate
locked: false
metadata:
  name: project-role-neuvector-project-reader
projectCreatorDefault: false
roleTemplateNames: []
rules:
- apiGroups:
  - read-only.neuvector.api.io
  resources:
  - '*'
  verbs:
  - get
- apiGroups:
  - neuvector.com
  resources:
  - '*'
  verbs:
  - get
```
After the role is granted, the user has read-only access only:
