Version: 1.3.13

Role-based Access Control

This page provides instructions for creating users of varying permission levels in each Cortex Certifai Enterprise instance and linking them to your cluster's RBAC setup.

Prerequisites

Set both of the following parameters in the Certifai operator.yaml to "rbac" (the default is none, which leaves the Console and Policy endpoints without role enforcement):

  • spec/console/authorization-type
  • spec/policy/authorization-type

Authentication via RBAC

This section describes how to set up authentication to Cortex Certifai. Users authenticate to the Kubernetes cluster with their usual cluster credentials; the Kubernetes roles described below then determine what an authenticated user or group is allowed to do in Cortex Certifai.

Each Cortex Certifai instance in your Kubernetes cluster has a deployment of the Cortex Certifai Console, which can be used to view results from Certifai scans.

Each instance of Cortex Certifai Enterprise installs three Kubernetes roles into the cluster. An administrator then binds these roles, using a mechanism of their choice, to users and/or groups from their organization, giving them permission to access, control, and edit Cortex Certifai instances in an Enterprise installation.

  1. certifai-user - Grants access to the Certifai Console and to all remote scan commands in the CLI.
  2. certifai-admin - Grants access to the Certifai Console, remote scans via the CLI, Certifai Policy, and all Kubernetes and Operator configuration.
  3. certifai-policy - Grants access to Certifai Policy and to all remote scan commands in the CLI.

Role Enforcement

The roles described above are created in each namespace in which the Cortex Certifai Operator is installed. A cluster administrator associates a role with a user (identified by email) or with a group the user belongs to by creating a RoleBinding in that same namespace.

Administrators may create as many RoleBindings as required for each role, defined in one file or in several.

A sample RoleBinding is provided below that binds the user jdoe@mail.com and the group exampleorg-ds-team to the certifai-user role. This template can be extended or modified as required to give appropriate access to a Cortex Certifai installation in a specific namespace to as many users and groups as required.

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: certifai-user-binding
  # A RoleBinding is namespaced and must be created in the namespace where the
  # Operator installed the roles. "certifai" is a placeholder; use your namespace.
  namespace: certifai
# The subject(s) that will be associated with the role
subjects:
  # 'User' or 'Group'
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: jdoe@mail.com
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    # use github-org:github-team in case of GitHub integration
    name: exampleorg-ds-team
# The role that the subject(s) will be bound to
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  # 'certifai-user', 'certifai-policy', 'certifai-admin'
  name: certifai-user
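The following script is an added example and is not part of the Certifai documentation or product. It generates a RoleBinding manifest for one of the three Certifai roles (rejecting any other role name or a malformed subject), applies it, and then verifies the grant by asking the API server what the bound subject may do, rather than trusting the manifest. The namespace "certifai" and the subject names in the usage lines are placeholders; the kubectl flags used (apply --dry-run=client, auth can-i --list, --as, --as-group) are standard kubectl flags.

```shell
#!/bin/sh
# Added example (not Certifai's own code). Placeholders: namespace "certifai",
# subjects jdoe@mail.com and exampleorg-ds-team.

# gen_rolebinding NAME NAMESPACE ROLE SUBJECT...
# SUBJECT is "user:<name>" or "group:<name>". Prints the manifest to stdout.
gen_rolebinding() {
  name=$1; ns=$2; role=$3; shift 3
  # Only the three roles the Operator installs are accepted; a typo here would
  # otherwise silently produce a binding to a role that does not exist.
  case "$role" in
    certifai-user|certifai-admin|certifai-policy) ;;
    *) echo "gen_rolebinding: unknown Certifai role '$role'" >&2; return 1 ;;
  esac
  [ "$#" -gt 0 ] || { echo "gen_rolebinding: at least one subject required" >&2; return 1; }
  printf 'apiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\n'
  # RoleBindings are namespaced; the binding must live where the Role was created.
  printf 'metadata:\n  name: %s\n  namespace: %s\nsubjects:\n' "$name" "$ns"
  for s in "$@"; do
    case "$s" in
      user:*)  kind=User;  subj=${s#user:} ;;
      # With GitHub integration the group is "group:<org>:<team>"; only the
      # leading "group:" prefix is stripped, so "<org>:<team>" is kept intact.
      group:*) kind=Group; subj=${s#group:} ;;
      *) echo "gen_rolebinding: subject must be user:<name> or group:<name>, got '$s'" >&2; return 1 ;;
    esac
    printf -- '- kind: %s\n  apiGroup: rbac.authorization.k8s.io\n  name: %s\n' "$kind" "$subj"
  done
  printf 'roleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: Role\n  name: %s\n' "$role"
}

# apply_rolebinding NAME NAMESPACE ROLE SUBJECT...
# Validates the manifest client-side first, then applies it. Needs kubectl and
# credentials allowed to create RoleBindings in the namespace.
apply_rolebinding() {
  gen_rolebinding "$@" | kubectl apply --dry-run=client -f - >/dev/null || return 1
  gen_rolebinding "$@" | kubectl apply -f -
}

# show_grants NAMESPACE USER [GROUP]
# Impersonates the subject and lists what the API server says it may do in the
# namespace. This checks the binding from the server's point of view, which is
# what the Certifai Console and CLI will see.
show_grants() {
  ns=$1; user=$2; group=$3
  if [ -n "$group" ]; then
    kubectl auth can-i --list -n "$ns" --as="$user" --as-group="$group"
  else
    kubectl auth can-i --list -n "$ns" --as="$user"
  fi
}

# Usage (names are placeholders):
#   gen_rolebinding certifai-user-binding certifai certifai-user \
#       user:jdoe@mail.com group:exampleorg-ds-team > rolebinding.yaml
#   apply_rolebinding certifai-user-binding certifai certifai-user user:jdoe@mail.com
#   show_grants certifai jdoe@mail.com exampleorg-ds-team
```

Run show_grants once per subject after applying a binding: impersonation with --as and --as-group returns exactly the permissions that user would hold, so it catches a binding created in the wrong namespace or against a misspelled role before a user reports that the Console refuses them.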

Next Steps

After completing the sections above, each user who has been bound to the certifai-user or certifai-admin role should be given a kubeconfig file to pass to the Certifai remote CLI. Because that kubeconfig carries the user's cluster credentials, issue one per user rather than sharing a single file, so the RoleBinding continues to identify who ran a scan. More information is provided in the Scan Verification section.