diff --git a/content/rancher/v2.6/en/neuvector-integration/_index.md b/content/rancher/v2.6/en/neuvector-integration/_index.md index c663fbdf45..1832b663e2 100644 --- a/content/rancher/v2.6/en/neuvector-integration/_index.md +++ b/content/rancher/v2.6/en/neuvector-integration/_index.md @@ -181,8 +181,6 @@ kubectl patch cronjob neuvector-updater-pod -n cattle-neuvector-system --patch ' ### Support Limitations -* Only admins and cluster owners are currently supported. - * Fleet multi-cluster deployment is not supported. * NeuVector is not supported on a Windows cluster. diff --git a/content/rancher/v2.6/en/neuvector-integration/rbac/_index.md b/content/rancher/v2.6/en/neuvector-integration/rbac/_index.md new file mode 100644 index 0000000000..393599149b --- /dev/null +++ b/content/rancher/v2.6/en/neuvector-integration/rbac/_index.md 
@@ -0,0 +1,55 @@ +--- +title: Rancher and NeuVector RBAC +weight: 3 +--- + +This article is intended for users who need to provide access to the NeuVector app deployed via the Rancher app catalog with the Rancher chart. This will not work on deployments using the partner chart. + +By default, a Rancher cluster admin and a global admin will automatically be mapped to be global admins within NeuVector. In order to map other personas, some access will need to be provided to the Rancher user/group depending on the desired access within NeuVector. Please note that adding the below permissions will not provide access to any Kubernetes resources beyond what is already given by existing Rancher roles, with one exception: the NeuVector service proxy. + +The following table lists the NeuVector role and the Kubernetes RBAC from which it is derived. These RBAC mappings need to be created within Rancher RBAC. + +|NeuVector Role|API Group|Resources|Verbs|Comment| +|-----|-----|-----|-----|-----| +|Cluster admin|read-only.neuvector.api.io|*|*| ClusterRole (with ClusterRoleBinding)| +|Cluster reader|read-only.neuvector.api.io|*|GET| ClusterRole(with ClusterRoleBinding)| +|Namespace admin|read-only.neuvector.api.io|*|*| ClusterRole/Role with RoleBinding) via project| +|Namespace readonly|read-only.neuvector.api.io|*|GET| ClusterRole/Role with RoleBinding) via project| +|N/A|neuvector.com|*|GET|Necessary along with any of the above for the nav link to appear| + +### Creating the Rancher RBAC Roles for Cluster and Project Scope +>**Note:** This is applicable to users who are neither global admins nor cluster admins. + +Three items are necessary for the mapped access: + +1. Global, cluster, or project level role based on the above table. +1. GET permissions on the neuvector.com CRDs. +1. NeuVector project level services/proxy permission. This is used for UI proxy via Rancher. 
+ +The first two items above are highly dependent on your RBAC setup but can be done with either distinct NeuVector roles or by adding the permissions from the above tables to an existing set of custom roles. These can be given to users at global, cluster, or project level. + +See [Rancher Custom Roles]({{}}rancher/v2.6/en/admin-settings/rbac/default-custom-roles/) for more information. + +### NeuVector Project Level UI Proxy + +>**Note:** This is necessary when a user does not have this permission already either via a global or cluster role. + +1. Create a project for NeuVector prior to installing from the App catalog and install to this project. If install has already been done, create the project and move the namespace there. +1. Create a project level role with services/proxy access as shown in the below examples. +1. For the user/group in question who will need to access NeuVector, assign the project UI proxy role. + +> **Warning:** Please be sure to scope this role to a NeuVector-only project. Otherwise, services/proxy access could be given to unintended workloads. + +### Examples + +#### Project Level: +![Project Admin]({{}}/img/rancher/neuvector-project-admin.png) +![Project Read-Only]({{}}/img/rancher/neuvector-project-ro.png) +![Project UI Proxy]({{}}/img/rancher/neuvector-proxy-role.png) + +#### Cluster Level: +![Cluster Admin]({{}}/img/rancher/neuvector-cluster-admin.png) +![Cluster Read-Only]({{}}/img/rancher/neuvector-cluster-ro.png) + +#### Project UI Proxy Permission: +![NeuVector Project UI]({{}}/img/rancher/neuvector-project-ro.png) diff --git a/static/img/rancher/neuvector-cluster-admin.png b/static/img/rancher/neuvector-cluster-admin.png new file mode 100644 index 0000000000..64e666d01e Binary files /dev/null and b/static/img/rancher/neuvector-cluster-admin.png differ 
diff --git a/static/img/rancher/neuvector-cluster-ro.png b/static/img/rancher/neuvector-cluster-ro.png new file mode 100644 index 0000000000..67e07e7a18 Binary files /dev/null and b/static/img/rancher/neuvector-cluster-ro.png differ diff --git a/static/img/rancher/neuvector-project-admin.png b/static/img/rancher/neuvector-project-admin.png new file mode 100644 index 0000000000..1a4428bd3c Binary files /dev/null and b/static/img/rancher/neuvector-project-admin.png differ diff --git a/static/img/rancher/neuvector-project-ro.png b/static/img/rancher/neuvector-project-ro.png new file mode 100644 index 0000000000..bcecc4a608 Binary files /dev/null and b/static/img/rancher/neuvector-project-ro.png differ diff --git a/static/img/rancher/neuvector-proxy-role.png b/static/img/rancher/neuvector-proxy-role.png new file mode 100644 index 0000000000..4050a9b25d Binary files /dev/null and b/static/img/rancher/neuvector-proxy-role.png differ diff --git a/static/img/rancher/neuvector-ui-permission.png b/static/img/rancher/neuvector-ui-permission.png new file mode 100644 index 0000000000..35d8e069d4 Binary files /dev/null and b/static/img/rancher/neuvector-ui-permission.png differ
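Review bot: In the `@@ -181,8 +181,6 @@` hunk of `neuvector-integration/_index.md`, dropping `* Only admins and cluster owners are currently supported.` outright loses a limitation that still holds for part of the audience: the new RBAC page states that the non-admin mapping "will not work on deployments using the partner chart". Consider replacing the bullet rather than deleting it, e.g. `* Access for users other than admins and cluster owners requires the Rancher chart; see Rancher and NeuVector RBAC.`, so readers of the limitations list are pointed at the new page and partner-chart users are not misled into expecting non-admin access.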
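Review bot: In the `@@ -0,0 +1,55 @@` hunk adding `rbac/_index.md`, the "Project UI Proxy Permission" example reuses `neuvector-project-ro.png` (`![NeuVector Project UI]({{}}/img/rancher/neuvector-project-ro.png)`), while the patch also adds `static/img/rancher/neuvector-ui-permission.png` that nothing references; the last image link almost certainly should point at `neuvector-ui-permission.png`. Two smaller fixes in the same hunk: the table's Comment column has an unbalanced parenthesis in the two namespace rows (`ClusterRole/Role with RoleBinding) via project`) and a missing space in `ClusterRole(with ClusterRoleBinding)`, and the Verbs column uses `GET` where Kubernetes RBAC verbs are lowercase (`get`), which matters if a reader copies the table into a Role manifest. Finally, the `services/proxy` permission that the Warning rightly says to scope to a NeuVector-only project is documented only by screenshots; listing the API group, resource and verbs for that project role in text next to the Warning would make the least-privilege intent explicit and searchable, and the internal link `{{}}rancher/v2.6/en/admin-settings/rbac/default-custom-roles/` lacks the leading slash the image links use (`{{}}/img/...`), so it should be checked for consistency with the shortcode's output.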