https://issues.redhat.com/browse/ACM-29169--new fine grain and reorg …#8606
swopebe wants to merge 5 commits into 2.16_stage from
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: swopebe
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
| @@ -0,0 +1,9 @@ | |||
| [#fine-grain-intro] | |||
new intro for review
| *Required access:* Cluster administrator | ||
|
|
||
| .Prerequisites | ||
| == Assigning fine-grained role-based access control in the console |
Ignore this, changes will be made in a different PR--do not review this file.
| @@ -0,0 +1,112 @@ | |||
| [#fine-grained-rbac-roles] | |||
New content for review.
| * xref:../secure_clusters/rbac_implement_rhacm.adoc#rhacm-rbac-implement[Implementing role-based access control] | ||
| * xref:../secure_clusters/fine_grain_rbac_cli.adoc#fine-grain-rbac-cli[Implementing fine-grained role-based access control in the terminal (Technology Preview)] | ||
| * xref:../secure_clusters/fine_grain_rbac_ui.adoc#fine-grain-rbac-ui[Implementing fine-grained role-based access control in the console (Technology Preview)] | ||
| * xref:../secure_clusters/fine_grain_rbac_intro.adoc#fine-grain-intro[Fine-grained role-based access control overview] |
This will be the only file needed in this intro.
| [#fine-grain-enable] | ||
| = Enabling fine-grained role-based access control for virtualization | ||
|
|
||
| {acm} supports fine-grained role-based access control (RBAC) for virtual machine scenarios. As a cluster administrator, you can manage and control permissions at the namespace level and cluster level on your managed clusters. Grant permissions to a virtual machine namespace within a cluster without granting permission to the entire managed cluster. |
I would like to combine the last two sentences here and say that you can manage and grant permissions to other users.
The idea would be that as the super top admin, they can give permissions to others at namespace or cluster level.
|
|
||
| {acm} supports fine-grained role-based access control (RBAC) for virtual machine scenarios. As a cluster administrator, you can manage and control permissions at the namespace level and cluster level on your managed clusters. Grant permissions to a virtual machine namespace within a cluster without granting permission to the entire managed cluster. | ||
|
|
||
| Enabling fine-grained RBAC significantly changes how the console displays search results and manages access for application lifecycles, governance, and observability. |
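Review bot: the sentence "Enabling fine-grained RBAC significantly changes how the console displays search results and manages access for application lifecycles, governance, and observability" warns of a change without saying what the change is. A cluster administrator deciding whether to enable the component needs to know how existing users' visibility and access are affected; state the concrete behaviour for each of the four areas named, or link to the topic that describes it.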
@mshort55 any thoughts on this? I wasn't as involved with how this affected other areas, but I was aware there were some search issues that happened when enabling fine-grained rbac.
|
|
||
| - *Optional:* Install the _Migration Toolkit for Virtualization operator_ if you plan to perform virtual migrations. (link--= Migrating virtual machines between clusters then check the OCP link)) | ||
|
|
||
| - *Note:* If you enable the `cnv-mtv-integrations` feature in {acm-short}, the system automatically installs and configures both the OpenShift Virtualization and MTV operators for you. |
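Review bot: the optional prerequisite still contains an unresolved author placeholder, "(link--= Migrating virtual machines between clusters then check the OCP link))", with an unbalanced closing parenthesis, and it would render verbatim in the published topic. Replace it with the intended xref before merge, and consider "virtual machine migrations" in place of "virtual migrations" in the same bullet.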
Can we replace system with acm?
https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.15/html/virtualization/acm-virt#migrate-vm
Can we link to this doc about enabling? There are a bit more steps involved to enable it correctly, so I don't want it to sound misleading when mentioning automatically.
|
|
||
| .Prerequisites | ||
|
|
||
| See the following prerequisites that are needed to enable fine-grained role-based access control: |
Seems like there is a request to add virtualization wording here, see the Google doc:
https://docs.google.com/document/d/1OiP9vx7xMYkMPwTjSV5rofEgNAy__dW46Qrl2pFpuCs/edit?disco=AAAByzuBN4k
There was a problem hiding this comment.
We add it in the title and the description.
| See the following steps to enable the `fine-grained-rbac` component in the `MultiClusterHub` resource: | ||
|
|
||
| . Run the following command to patch the resource. The default name of the custom resource is `multiclusterhub`, and `open-cluster-management` is the default namespace: If you have a different name or namespace, update the command: | ||
| //can this be changed? |
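Review bot: in the step text, the sentence ending "...and `open-cluster-management` is the default namespace:" closes with a colon and is then followed by another sentence that also ends with a colon, so the command block is introduced twice. End the namespace sentence with a period and keep only the final colon before the command. The source comment "//can this be changed?" on the following line is an open author question and should be resolved and removed before merge.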
This whole part, "Run the following command to patch the resource. The default name of the custom resource is multiclusterhub, and open-cluster-management is the default namespace: If you have a different name or namespace, update the command:",
can be removed in my opinion if there is a conventional way it is doc to enabling a feature.
I was looking at others and it seems like just providing the oc command works?
What do you think @swopebrandi1?
| [#fine-grain-intro] | ||
| = Fine-grained role-based access control for virtual machines | ||
|
|
||
| {acm} supports fine-grained role-based access control (RBAC) for virtual machine scenarios. As a cluster administrator, you can manage and control permissions at the namespace level and cluster level on your managed clusters. Grant permissions to a virtual machine namespace within a cluster without granting permission to the entire managed cluster. |
This seems to be duplicated; I saw this in the enable part also,
but I assume this is the correct spot?
If so, my previous comment on that should be here instead.
There was a problem hiding this comment.
We need a "short description" in all the topics, most of this was already there. We have to have something here for the introduction.
| | Grants read-only access to `kubevirt` resources. | ||
| |=== | ||
|
|
||
| * *Scenario two:* Administrative privilege in the console |
I would like to add the fleet virtualization UI here.
…of content