Skip to main content
Version: 5.4

Integration with Rancher RBAC

Integration​

Starting with NeuVector 5.4, full compatibility and integration of NeuVector with Rancher RBAC has been included. This offers users the possibility of customizing specific permissions based on the profile of the user or group that should access NeuVector.

In the Rancher console, Users & Authentication -> Role Templates page, customers can create Global, Cluster, Project, and Namespace roles with specific Neuvector Verbs, Resources, and API Groups. When such a Rancher role is assigned to a Rancher user, the user's NeuVector SSO session is assigned different NeuVector permissions accordingly. This is to provide SSO users with custom roles (i.e., roles other than the reserved admin/reader/fedAdmin/fedReader roles).

Supported Custom NeuVector Role Mapping in Rancher SSO​

Below are supported role mappings for NeuVector Verbs, Resources, and API Groups used on the Rancher UI -> Users & Authentication -> Role Template -> Create Global, Cluster or Project Role Template:

  • APIGroup: permission.neuvector.com

  • Verbs: get -> read-only(i.e. view)

  • Verbs: * -> read/write(i.e. modify)

  • Resources - Cluster Scoped: AdmissionControl, Authentication, CI Scan, Cluster, Federation and Vulnerability

  • Resources - Namespaced: AuditEvents, Authorization, Compliance, Events, Namespace, RegistryScan, RuntimePolicy, RuntimeScan, SecurityEvents and SystemConfig

Resource Display and Logical Name Mapping Table​

Below is a table illustrating the logical name of the resources for better understanding:

Resource DisplayLogical Name
"All Permissions"nv-perm.all-permissions
"Admission Control"nv-perm.admctrl
"Audit Events"nv-perm.audit-events
"Authentication"nv-perm.authentication
"Authorization"nv-perm.authorization
"CI Scan"nv-perm.ci-scan
"Compliance"nv-perm.compliance
"Events"nv-perm.events
"Federation"nv-perm.fed
"Registry Scan"nv-perm.reg-scan
"Runtime Policy"nv-perm.rt-policy
"Runtime Scan"nv-perm.rt-scan
"Security Events"nv-perm.security-events
"System Config"nv-perm.config
"Vulnerability Profile"nv-perm.vulnerability
note

It is important to note that this integration supports roles in Global, Cluster, Project, and Namespace levels. The user must customize and create the rules based on their needs and scope permissions for the SSO.

Definitions and Expectations with Global, Cluster, and Project/Namespace Roles​

  • Cluster resource with * verb on Rancher Global Role

    • Mapped to NeuVector fedAdmin role on NeuVector fed-master cluster (This means users cannot map a Rancher Global role to a NeuVector admin role if NeuVector is on a master cluster)
    • Mapped to NeuVector admin role on NeuVector fed-managed cluster
  • Cluster resource with * verb on Rancher Cluster Roles

    • Always mapped to NeuVector cluster-admin role
  • Namespace resource with * verb on Rancher Project Roles

    • Always mapped to NeuVector namespace-admin role

Use Cases & Examples​

Use Case 1​

  • Global role to run runtime scans from NeuVector SSO session on all clusters are managed by Rancher Manager except the local cluster. Users need to create cluster roles to propagate the global role to all downstream clusters.
    • Create a cluster role template with the following parameters:

             Verb: *
      Resource: RuntimeScan (choose runtimescan from drop down)
      API: permission.neuvector.com (auot populated)
    • Create a project/namespace role to allow access to the UI and for SSO to work. Please remember that you must add this user role to your project for it to work as expected:

             Verb: get, patch,create 
      Resource: services/proxy
      API: neuvector.com
    • Create a global cluster role with the following parameter to inherit the role to all downstream clusters:

           apiVersion: management.cattle.io/v3
    kind: GlobalRole
    displayName: All Downstream NV RT scan
    metadata:
    name: all-downstream-nvrtscan
    inheritedClusterRoles:
    - rt-gpmbs (above created cluster role id)
    • Create a standard user and select the global role created for this use case. The default form is always a Base or Standard user, unless you want to provide Admin permissions for the user created.
    • Create a project role binding on all downstream clusters for the above user and project containing cattle-neuvector-system namespace.
    • Login into Rancher Manager using the user created previously and launch NeuVector after clicking any downstream cluster. The user should be able to carry out any task related to real-time scans such as container scan, node scan, and browsing vulnerabilities page. This applies to the newly joined clusters, too.

Use Case 2​

  • Create a FedAdmin user. Always remember to login in as a FedAdmin to a master cluster. If you are not on a federated domain, the roles will be downgraded to Reader or Admin.
    • Create a global role with the following parameters. By using a global role it is also accessible by the other downstream clusters:
             Verb: *
      Resource: All permissions
      API: nv-perm.all-permissions
    • Create a project/namespace role to allow access to the UI and for SSO to work. Please remember that you must add this user role to your project for it to work as expected:
             Verb: get, patch,create 
      Resource: services/proxy
      API: neuvector.com
    • Create a Standard user and select the global role created for this use case. The default form is always a Base or Standard user.
    • After that, go to Rancher UI -> Master Cluster -> Cluster and Project Members -> Project Membership -> Add. Here you must add the user you created and set the UI Proxy project role so that NeuVector is granted access.
    • Login into Rancher Manager using the user created previously and launch NeuVector after clicking any downstream cluster. When this is done, NeuVector reads the rancher's global role and assigns the match permissions, in this case FedAdmin.
note

To switch between FedAdmin and FedReader, just change the verbs from * to get. get is just the read permission, i.e., FedReader in this use case.

Use Case 3​

A user can do a few read-only tasks and modify a few tasks on a cluster.

Use Case 4​

A user can do a few read-only tasks on a few domains and do a few modified tasks on a few domains on a cluster.

Use Case 5​

A user obtains permission to do certain tasks on a cluster by combining permission from global, cluster, and project roles.

Additional considerations​

  • Users can use this documentation and parameters as a basis for creating the SSO/RBAC rules of their choice. The support team can be contacted to help with errors and specific use cases via the SCC.
  • NeuVector 5.4 should be backward compatible with pre-5.4 SSO role mapping. Please see this documentation to understand the previous structure.