|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * virt/managing_vms/virt-controlling-vm-states.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: PROCEDURE |
| 6 | +[id="virt-configure-rbac-console-subresources-api_{context}"] |
| 7 | += Configuring RBAC permissions for managing VM states by using the web console |
| 8 | + |
| 9 | +[role="_abstract"] |
| 10 | +To allow users to manage virtual machine (VM) states by using the {product-title} web console, you must create an RBAC cluster role and cluster role binding. |
| 11 | +The cluster role uses the `subresources.kubevirt.io` API to define which resources can be controlled by certain users or groups. |
| 12 | + |
| 13 | +.Prerequisites |
| 14 | + |
| 15 | +* You have cluster administrator access to an {product-title} cluster where {VirtProductName} is installed. |
| 16 | +* You have installed the {oc-first}. |
| 17 | +
|
| 18 | +.Procedure |
| 19 | + |
| 20 | +. Create a `ClusterRole` object that allows the target user or group to manage VM states: |
| 21 | ++ |
| 22 | +[source,yaml] |
| 23 | +---- |
| 24 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 25 | +kind: ClusterRole |
| 26 | +metadata: |
| 27 | + name: vm-manager-access |
| 28 | +rules: |
| 29 | + - apiGroups: |
| 30 | + - subresources.kubevirt.io |
| 31 | + resources: |
| 32 | + - virtualmachines/start |
| 33 | + - virtualmachines/stop |
| 34 | + verbs: |
| 35 | + - put |
| 36 | +# ... |
| 37 | +---- |
| 38 | + |
| 39 | +. Run the following command to apply the cluster role: |
| 40 | ++ |
| 41 | +[source,terminal] |
| 42 | +---- |
| 43 | +$ oc apply -f <filename>.yaml |
| 44 | +---- |
| 45 | + |
| 46 | +. Confirm that the cluster role was created by running the following command and observing the output: |
| 47 | ++ |
| 48 | +[source,terminal] |
| 49 | +---- |
| 50 | +$ oc get clusterrole <name> |
| 51 | +---- |
| 52 | ++ |
| 53 | +Example output: |
| 54 | ++ |
| 55 | +[source,terminal] |
| 56 | +---- |
| 57 | +NAME AGE |
| 58 | +vm-manager-access 15s |
| 59 | +---- |
| 60 | + |
| 61 | +. Inspect the details of the cluster role, and ensure the intended rules for `subresources.kubevirt.io` are present, specifically the `virtualmachines/start` and `virtualmachines/stop` subresources. |
| 62 | ++ |
| 63 | +Run the following command and observe the output: |
| 64 | ++ |
| 65 | +[source,terminal] |
| 66 | +---- |
| 67 | +$ oc describe clusterrole <name> |
| 68 | +---- |
| 69 | ++ |
| 70 | +Example output: |
| 71 | ++ |
| 72 | +[source,terminal] |
| 73 | +---- |
| 74 | +Name: vm-manager-access |
| 75 | +Labels: <none> |
| 76 | +Annotations: <none> |
| 77 | +PolicyRule: |
| 78 | + Resources Non-Resource URLs Resource Names Verbs |
| 79 | + --------- ----------------- -------------- ----- |
| 80 | + virtualmachines/start, virtualmachines/stop with subresources.kubevirt.io group [] [] [put] |
| 81 | +---- |
| 82 | +
|
| 83 | +. Create a `ClusterRoleBinding` object to bind the cluster role you have created to the target user or group: |
| 84 | ++ |
| 85 | +[source,yaml,subs="attributes+"] |
| 86 | +---- |
| 87 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 88 | +kind: ClusterRoleBinding |
| 89 | +metadata: |
| 90 | + name: vm-manager-access-binding |
| 91 | +subjects: |
| 92 | + - kind: User |
| 93 | + name: test-user |
| 94 | + apiGroup: rbac.authorization.k8s.io |
| 95 | +roleRef: |
| 96 | + kind: ClusterRole |
| 97 | + name: vm-manager-access |
| 98 | + apiGroup: rbac.authorization.k8s.io |
| 99 | +---- |
| 100 | +
|
| 101 | +. Run the following command to apply the cluster role binding: |
| 102 | ++ |
| 103 | +[source,terminal] |
| 104 | +---- |
| 105 | +$ oc apply -f <filename>.yaml |
| 106 | +---- |
| 107 | +
|
| 108 | +. Confirm that the cluster role binding was created by running the following command and observing the output: |
| 109 | ++ |
| 110 | +[source,terminal] |
| 111 | +---- |
| 112 | +$ oc get clusterrolebinding <name> |
| 113 | +---- |
| 114 | ++ |
| 115 | +Example output: |
| 116 | ++ |
| 117 | +[source,terminal] |
| 118 | +---- |
| 119 | +NAME AGE |
| 120 | +vm-manager-access-binding 15s |
| 121 | +---- |
| 122 | +
|
| 123 | +.Verification |
| 124 | +
|
| 125 | +. Check if the user can start a VM by running the following command: |
| 126 | ++ |
| 127 | +[source,terminal] |
| 128 | +---- |
| 129 | +$ oc auth can-i update virtualmachines/start --namespace=<namespace> --as=<user_name> --subresource=subresources.kubevirt.io |
| 130 | +---- |
| 131 | ++ |
| 132 | +Example output: |
| 133 | ++ |
| 134 | +[source,terminal] |
| 135 | +---- |
| 136 | +yes |
| 137 | +---- |
| 138 | +
|
| 139 | +. Check if the user can stop a VM by running the following command: |
| 140 | ++ |
| 141 | +[source,terminal] |
| 142 | +---- |
| 143 | +$ oc auth can-i update virtualmachines/stop --namespace=<namespace> --as=<user_name> --group=subresources.kubevirt.io |
| 144 | +---- |
| 145 | ++ |
| 146 | +Example output: |
| 147 | ++ |
| 148 | +[source,terminal] |
| 149 | +---- |
| 150 | +yes |
| 151 | +---- |
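Review bot: The `ClusterRole` rule at file lines 34-35 grants the verb `put`, but both verification commands (file lines 129 and 143) check `update`. Kubernetes RBAC authorises an HTTP PUT request under the `update` verb, so a rule that lists only `put` does not satisfy `oc auth can-i update ...` and the documented `yes` would not be returned; use `update` in the rule so the role and the verification agree. The two verification commands also pass the API group differently: line 129 uses `--subresource=subresources.kubevirt.io` and line 143 uses `--group=subresources.kubevirt.io`. In the role, `subresources.kubevirt.io` is the API group, not a subresource, so pick one form for both commands and give `--subresource` the subresource name (`start`, `stop`). Lastly, the procedure binds with a `ClusterRoleBinding`, which grants start and stop on VMs in every namespace, while the verification is scoped with `--namespace=<namespace>`; consider adding a sentence that a namespaced `RoleBinding` referencing the same cluster role limits the grant to a single project, and replace the literal `test-user` subject with a placeholder such as `<user_name>` to match the verification steps.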