Role Based Access Control (RBAC) in Tanzu Mission Control (TMC) Simplified

In this blog, I will be talking about the different roles available in Tanzu Mission Control (TMC) and how you can ensure that proper RBAC is applied to a cluster, whether it was attached to or created through TMC.

At a high level, the following roles are available in TMC. The table also describes at which level each role can be applied; for example, the .admin role can be applied at the organisation, cluster group, cluster, workspace and namespace level.

Now, I will talk about the above roles in detail for different objects.
| Role Name | Activity That Can Be Performed |
|---|---|
| organization.edit | Create a cluster group |
| | Delete a cluster group |
| | Create a workspace |
| | Delete a workspace |
| organization.admin | Deregister a TKG cluster from TMC |
| | Enable Observability for your organization |
| | Disable Observability for your organization |
| | Enable Service Mesh for your organization |
| | Disable Service Mesh for your organization |
| | Create a target location for data protection |
| | Delete a target location for data protection |
| | Generate an audit report |
| | Download an audit report |
| | Delete an audit report |
| | Cancel an audit report |
| | View the complete set of individual permission primitives that are available to be included in custom roles |
| | Create a custom role |
| | Edit a custom role |
| | Delete a custom role |
| organization.credential.view | See and use a cloud provider account connection for creating a cluster |
| | Use a proxy configuration |
| organization.credential.admin | Create a cloud provider account connection |
| | Create a data protection credential |
| | Create a Tanzu Observability credential |
| | Remove a cloud provider account connection |
| | Remove a data protection credential |
| | Remove a Tanzu Observability credential |
| | Create a proxy configuration |
| | Remove a proxy configuration |
| | View, edit and delete the access policy for a credential |
| clustergroup.edit | Provision a cluster |
| | Attach a cluster |
| | Re-attach a cluster |
| | Detach a cluster |
| | View the clusters in a cluster group |
| clustergroup.admin | Move a cluster between cluster groups |
| managementcluster.admin | Register a TKG management cluster |
| | Remove a workload cluster from a TKG management cluster |
| | Bring a workload cluster under a TKG management cluster |
| cluster.admin | Detach a cluster |
| | Attach a namespace |
| | Modify a rolebinding in the cluster |
| | Upgrade a cluster |
| | Delete a provisioned cluster |
| | Add a cluster to Tanzu Observability |
| | Edit a Tanzu Observability API token |
| | Remove a cluster from Tanzu Observability |
| | Enable data protection |
| | Disable data protection |
| | Perform a cluster backup |
| | View the content of a backup |
| | Restore a backup |
| cluster.edit | Define a node pool |
| | Edit a node pool |
| | Delete a node pool |
| | Create a managed namespace |
| | Run a cluster inspection |
| | View the inspection for a cluster |
| | Stop a running cluster inspection |
| organization.policytemplate.edit | Create a policy template |
| | Delete a policy template |
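The table above is the input a practitioner actually needs when deciding which binding to grant: the narrowest role that covers what a user has to do, and nothing more. The following Python helper is an added example, not code from TMC or from this blog. It encodes the role-to-activity mapping from the table (activity names lightly normalised), picks the narrowest set of roles that covers a list of required activities, and reports the activities a given set of bindings grants beyond that list. It assumes roles are independent grants and does not model how TMC inherits bindings down the organisation, cluster group and cluster hierarchy; the bindings it checks are constructed sample data.

```python
"""Least-privilege helper for TMC role bindings (illustrative, not TMC's API).

ROLE_ACTIONS mirrors the role table above. Inheritance between object levels
is deliberately not modelled (assumption); each role is treated as a plain grant.
"""
from typing import Dict, Iterable, List, Set

ROLE_ACTIONS: Dict[str, Set[str]] = {
    "organization.edit": {"Create a cluster group", "Delete a cluster group",
                          "Create a workspace", "Delete a workspace"},
    "organization.admin": {
        "Deregister a TKG cluster from TMC", "Enable Observability", "Disable Observability",
        "Enable Service Mesh", "Disable Service Mesh",
        "Create a target location for data protection", "Delete a target location for data protection",
        "Generate an audit report", "Download an audit report", "Delete an audit report",
        "Cancel an audit report", "View permission primitives",
        "Create a custom role", "Edit a custom role", "Delete a custom role"},
    "organization.credential.view": {"Use a cloud provider account connection",
                                     "Use a proxy configuration"},
    "organization.credential.admin": {
        "Create a cloud provider account connection", "Create a data protection credential",
        "Create a Tanzu Observability credential", "Remove a cloud provider account connection",
        "Remove a data protection credential", "Remove a Tanzu Observability credential",
        "Create a proxy configuration", "Remove a proxy configuration",
        "Manage the access policy for a credential"},
    "clustergroup.edit": {"Provision a cluster", "Attach a cluster", "Re-attach a cluster",
                          "Detach a cluster", "View the clusters in a cluster group"},
    "clustergroup.admin": {"Move a cluster between cluster groups"},
    "managementcluster.admin": {"Register a TKG management cluster",
                                "Remove a workload cluster from a TKG management cluster",
                                "Bring a workload cluster under a TKG management cluster"},
    "cluster.admin": {
        "Detach a cluster", "Attach a namespace", "Modify a rolebinding in the cluster",
        "Upgrade a cluster", "Delete a provisioned cluster", "Add a cluster to Tanzu Observability",
        "Edit a Tanzu Observability API token", "Remove a cluster from Tanzu Observability",
        "Enable data protection", "Disable data protection", "Perform a cluster backup",
        "View the content of a backup", "Restore a backup"},
    "cluster.edit": {"Define a node pool", "Edit a node pool", "Delete a node pool",
                     "Create a managed namespace", "Run a cluster inspection",
                     "View the inspection for a cluster", "Stop a running cluster inspection"},
    "organization.policytemplate.edit": {"Create a policy template", "Delete a policy template"},
}


def minimal_roles(required: Iterable[str]) -> List[str]:
    """Greedy cover of the required activities, preferring the role that covers
    the most still-uncovered activities and, on a tie, the narrowest role.
    Because 'Detach a cluster' sits in both clustergroup.edit and cluster.admin,
    the tie-break is what keeps cluster.admin out when it is not needed."""
    needed = set(required)
    unknown = needed - set().union(*ROLE_ACTIONS.values())
    if unknown:
        raise ValueError(f"no role in the table grants: {sorted(unknown)}")
    chosen: List[str] = []
    while needed:
        best = max(ROLE_ACTIONS,
                   key=lambda r: (len(ROLE_ACTIONS[r] & needed), -len(ROLE_ACTIONS[r])))
        chosen.append(best)
        needed -= ROLE_ACTIONS[best]
    return sorted(chosen)


def excess_actions(binding_roles: Iterable[str], required: Iterable[str]) -> Set[str]:
    """Activities the bindings allow that the subject does not actually need."""
    granted: Set[str] = set()
    for role in binding_roles:
        if role not in ROLE_ACTIONS:
            raise KeyError(f"unknown role: {role}")
        granted |= ROLE_ACTIONS[role]
    return granted - set(required)


if __name__ == "__main__":
    # Constructed sample: an operator who only upgrades clusters and manages node pools.
    needs = ["Upgrade a cluster", "Define a node pool", "Edit a node pool"]
    print("minimal roles:", minimal_roles(needs))
    # Constructed sample binding that hands out cluster.admin for that job.
    print("excess from cluster.admin:", sorted(excess_actions(["cluster.admin"], needs)))
```

Run it as a script to see the two outputs; the second list is the kind of surplus (backup restore, rolebinding changes, cluster deletion) that a periodic review of TMC bindings should flag. Swap the constructed `needs` and binding lists for your own exported bindings to audit them the same way.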
The following table describes what you can do when you are associated with the .admin role for an object.

| Policy type | What can be done with the .admin role on the object |
|---|---|
| Image registry policy | Create, edit and delete the image registry policy for the object |
| Network policy | Create, edit and delete the network policy for the object |
| Quota policy | Create, edit and delete the quota policy for the object |
| Security policy | Create, edit and delete the security policy for the object |
| Custom policy | Add, edit and delete a custom policy |