Creating and assigning custom roles

As an administrator, you can create custom, cluster-specific roles that restrict users to particular functions on a cluster.

Overview

Calico Cloud comes with a set of predefined global roles that let you give permissions to users based on what they need to do. For example, a user with the Security global role has a broader set of permissions than a user with the Viewer global role. These permissions apply to all clusters.

But in some cases these global roles can be too broad.

By creating and assigning custom roles, you can be much more discriminating about what permissions you give users. For example, you could create a role that allows the user to modify network policy for a particular tier and namespace and gives view access to all other network policies. Permissions are assigned on a cluster-by-cluster basis.

Required permissions for common Calico Cloud features

Certain permissions are required for a user to access common Calico Cloud features.

Feature area	Required permissions	Notes
Alerts	• View Alerts and •View All Logs
Compliance reports	• View Compliance Reports
Dashboard	• View All Logs and • View Global Network Sets or View Network Sets and (optional) • View Compliance Reports	These permissions are required for the dashboard to fully populate. All users are granted limited dashboard metrics by having access to a cluster.
Network policies	• View or Modify Policies or • View or Modify Global Policies and (optional) • View Audit Logs or View All Logs	The Policies permissions apply to one or more namespaces. The Global Policies permissions apply to the whole cluster. These permissions are also scoped by policy tier. The optional View Audit Logs or View All Logs let users view the change history on the policies.
Service graph	• View All Logs and • View or Modify Network Sets and (optional) • View or Modify Packet Captures	Network sets can be restricted to a namespace or set to all namespaces to see all flows.
Threat feeds	• View or Modify Threat Feeds
Timeline	• View Event Logs or View All Logs

Before you begin

• You are signed in with owner or administrator permissions to the web console.

Create a custom role and add permissions

1. Click the user icon > Manage Team.
2. Under the Roles tab, click Add Role, enter a name and description for the custom role, and then click Save.
3. Select the cluster you want to want the role to apply to by clicking Cluster: and choosing the cluster.
4. Locate your new role in the list, select Action > Manage permissions > Edit, and the click Add Permission.
5. Under Permission, choose a permission type from the list. Depending on the permission, you may also need to choose a namespace or policy tier.
6. (optional) Click Add permission to add more permissions to your role for this cluster.
7. Click Save to save these permissions to the role for this cluster.
8. (optional) If you want to add the permissions for another cluster, repeat steps 3 to 7 for the cluster.

Assign custom roles to a user

1. Select the user icon > Manage Team.
2. Under the Users tab, locate the user in the list and select Action > Edit.
3. Select the checkboxes for each custom role you want to assign to this user and then click Save.

Export custom roles and apply to other managed clusters

You can export custom roles from one cluster and apply them to another cluster.

note

Importing custom roles is fully supported on managed clusters running Calico Cloud 18.3 or higher.

Prerequisites

• You connected two or more managed clusters to Calico Cloud.
• You have a managed cluster with one or more custom roles.
• You have kubectl administrator permissions for the managed clusters you want to apply custom roles to.

Procedure

1. From the cluster menu in the web console, select the managed cluster that has the custom roles you want to export.

2. Click the user icon > Manage Team.

3. Under the Roles tab, click Export Custom Roles and select Download YAML to download the custom role definitions. This file contains definitions for all the custom roles you created in this cluster.

4. For each managed cluster you want to apply the custom roles to, run the following command:

   kubectl apply -f roles.<cluster-name>.yaml

   The custom roles are available immediately for this cluster in the web console.