Role-based Access Control
This page provides instructions for creating users of varying permission levels in each Cortex Certifai Enterprise instance and linking them to your cluster's RBAC setup.
Set the following parameters in the certifai operator.yaml to "rbac" (default=none):
Authentication via RBAC
This section describes how to set up authentication to Cortex Certifai.
Each Cortex Certifai instance in your Kubernetes cluster has a deployment of the Cortex Certifai Console, which can be used to view results from Certifai scans.
Each instance of Cortex Certifai Enterprise installs three Kubernetes roles into the cluster. An administrator may then bind these roles with a mechanism of their choice to give users and/or groups from their organization permissions to access, control, and edit Cortex Certifai instances in an Enterprise installation.
certifai-user - This user has access to the Certifai Console and can run all remote scan commands using the CLI.
certifai-admin - This user has access to the Certifai Console, remote scans using the CLI, Certifai Policy, and all Kubernetes and Operator configurations.
certifai-policy - This user has access to Certifai Policy, along with the ability to invoke all remote scan commands using the CLI.
The roles described above are created in each namespace that the Cortex Certifai Operator is installed to. A cluster administrator can use these roles to associate a user email or group where they hold membership by using a
Administrators may add as many role bindings as required for each role through multiple files/
A sample RoleBinding is provided below that gives a user email firstname.lastname@example.org access to the certifai-user role. This template can be extended or modified as required to grant as many users and groups as needed the appropriate access to a Cortex Certifai installation in a specific namespace.
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: certifai-user-binding
# The subject that will be associated with the role
subjects:
# 'User' or 'Group'
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: email@example.com
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  # use github-org:github-team in case of Github Integration
  name: exampleorg-ds-team
# The role that the subject(s) will be associated to
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  # 'certifai-user', 'certifai-policy', 'certifai-admin'
  name: certifai-user
The subjects (user emails or groups) that these role bindings apply to are tied to your cluster's RBAC setup.
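As an added example (not from the Certifai documentation or project), the shell function below emits a RoleBinding for one of the three Certifai roles listed above, rejects any other role name or subject kind, and pins the binding to the namespace where the Operator installed the roles. The namespace, binding name and subject names in the usage comments are constructed placeholders; the kubectl commands shown are the standard way to apply the manifest and list what the bound user can then do.

```shell
#!/usr/bin/env sh
# Added example: generate a Certifai RoleBinding manifest with input checks.
# Role names come from the Certifai docs; everything else here is assumed.
#
# usage: certifai_rolebinding BINDING_NAME NAMESPACE ROLE KIND:NAME [KIND:NAME ...]
#   KIND is User or Group; NAME may itself contain ':' (e.g. github-org:github-team)
certifai_rolebinding() {
  name=$1; ns=$2; role=$3; shift 3
  # Only the three roles the Operator installs are valid targets
  case $role in
    certifai-user|certifai-policy|certifai-admin) ;;
    *) echo "unknown Certifai role: $role" >&2; return 1 ;;
  esac
  [ $# -gt 0 ] || { echo "at least one subject is required" >&2; return 1; }
  printf '%s\n' '---' 'kind: RoleBinding' 'apiVersion: rbac.authorization.k8s.io/v1'
  # A RoleBinding is namespaced: it must live in the Operator's namespace,
  # otherwise roleRef points at a Role that does not exist there
  printf 'metadata:\n  name: %s\n  namespace: %s\nsubjects:\n' "$name" "$ns"
  for s in "$@"; do
    kind=${s%%:*}; subj=${s#*:}
    case $kind in
      User|Group) ;;
      *) echo "subject kind must be User or Group: $s" >&2; return 1 ;;
    esac
    printf '%s\n' "- kind: $kind" '  apiGroup: rbac.authorization.k8s.io' "  name: $subj"
  done
  printf 'roleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: Role\n  name: %s\n' "$role"
}

# Apply and then verify from the subject's point of view (placeholder values):
#   certifai_rolebinding certifai-user-binding certifai certifai-user \
#       User:firstname.lastname@example.org Group:exampleorg:ds-team | kubectl apply -f -
#   kubectl auth can-i --list --as firstname.lastname@example.org -n certifai
#   kubectl auth can-i --list --as-group exampleorg:ds-team --as anyone -n certifai
```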
After completing the sections above, users who have been given explicit access to the certifai-admin role should be given a kubeconfig file that can be passed on to the Certifai remote CLI. More information is provided in the Scan Verification section.