Creating and assigning custom roles
As an administrator, you can create custom, cluster-specific roles that restrict users to particular functions on a cluster.
Overview
Calico Cloud comes with a set of predefined global roles that let you give permissions to users based on what they need to do. For example, a user with the Security global role has a broader set of permissions than a user with the Viewer global role. These permissions apply to all clusters.
But in some cases these global roles can be too broad.
By creating and assigning custom roles, you can be much more discriminating about what permissions you give users. For example, you could create a role that allows the user to modify network policy for a particular tier and namespace and gives view access to all other network policies. Permissions are assigned on a cluster-by-cluster basis.
Required permissions for common Calico Cloud features
Certain permissions are required for a user to access common Calico Cloud features.
Feature area | Required permissions | Notes |
---|---|---|
Alerts | • View or Modify Alerts and • View Event Logs or View All Logs | |
Compliance reports | • View Compliance Reports | |
Dashboard | • View All Logs and • View Global Network Sets or View Network Sets and (optional) • View Compliance Reports | These permissions are required for the dashboard to fully populate. All users are granted limited dashboard metrics by having access to a cluster. |
Network policies | • View or Modify Policies or • View or Modify Global Policies and (optional) • View Audit Logs or View All Logs | The Policies permissions apply to one or more namespaces. The Global Policies permissions apply to the whole cluster. These permissions are also scoped by policy tier. The optional View Audit Logs or View All Logs permissions let users view the change history on the policies. |
Service graph | • View All Logs and • View or Modify Network Sets and (optional) • View or Modify Packet Captures | Network sets can be restricted to a namespace or set to all namespaces to see all flows. |
Threat feeds | • View or Modify Threat Feeds | |
Timeline | • View Event Logs or View All Logs | |
Before you begin
- You are signed in with owner or administrator permissions to the Calico Cloud Manager UI.
Create a custom role and add permissions
- Click the user icon > Manage Team.
- Under the Roles tab, click Add Role, enter a name and description for the custom role, and then click Save.
- Select the cluster you want the role to apply to by clicking Cluster: and choosing the cluster.
- Locate your new role in the list, select Action > Manage permissions > Edit, and then click Add Permission.
- Under Permission, choose a permission type from the list. Depending on the permission, you may also need to choose a namespace or policy tier.
- (optional) Click Add permission to add more permissions to your role for this cluster.
- Click Save to save these permissions to the role for this cluster.
- (optional) If you want to add the permissions for another cluster, repeat steps 3 to 7 for the cluster.
Assign custom roles to a user
- Select the user icon > Manage Team.
- Under the Users tab, locate the user in the list and select Action > Edit.
- Select the checkboxes for each custom role you want to assign to this user and then click Save.
Export custom roles and apply to other managed clusters
You can export custom roles from one cluster and apply them to another cluster.
Importing custom roles is fully supported on managed clusters running Calico Cloud 18.3 or higher.
Prerequisites
- You connected two or more managed clusters to Calico Cloud.
- You have a managed cluster with one or more custom roles.
- You have kubectl administrator permissions for the managed clusters you want to apply custom roles to.
Procedure
- From the cluster menu in the Calico Cloud Manager UI, select the managed cluster that has the custom roles you want to export.
- Click the user icon > Manage Team.
- Under the Roles tab, click Export Custom Roles and select Download YAML to download the custom role definitions. This file contains definitions for all the custom roles you created in this cluster.
- For each managed cluster you want to apply the custom roles to, run the following command:
kubectl apply -f roles.<cluster-name>.yaml
The custom roles are available immediately for this cluster in the Calico Cloud Manager UI.
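When the same exported roles file has to go to several managed clusters, it is worth running a server-side dry run on each cluster before changing anything, so a malformed or stale file fails early rather than leaving some clusters updated and others not. The script below is an added example, not Calico Cloud's own tooling; it assumes one kubectl context per managed cluster and lets KUBECTL be overridden (for example with a wrapper) for testing.

```shell
#!/bin/sh
# Added example (not part of Calico Cloud): apply an exported custom-role YAML
# to several managed clusters, one kubectl context per cluster.
# Assumption: kubectl contexts exist for each target cluster; KUBECTL may be
# overridden with a wrapper or stub.
KUBECTL="${KUBECTL:-kubectl}"

# apply_roles <roles-file> <context>...
# Returns 0 when every listed cluster was updated, 1 at the first failure
# (missing file, failed dry run, or failed apply).
apply_roles() {
  file="$1"; shift
  [ -f "$file" ] || { echo "roles file not found: $file" >&2; return 1; }
  for ctx in "$@"; do
    # Server-side dry run: the API server validates the manifests and the
    # caller's RBAC without persisting anything.
    if ! "$KUBECTL" --context "$ctx" apply --dry-run=server -f "$file" >/dev/null; then
      echo "dry run failed for $ctx; not applying" >&2
      return 1
    fi
    # Show what would change; kubectl diff exits 1 when there are differences,
    # which is expected here, so do not treat it as an error.
    "$KUBECTL" --context "$ctx" diff -f "$file" || true
    "$KUBECTL" --context "$ctx" apply -f "$file" || return 1
    echo "applied $file to $ctx"
  done
}
```

Run it as `apply_roles roles.<cluster-name>.yaml <context1> <context2>` after downloading the YAML from the Manager UI.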