Global IAM Roles

EWC Kubernetes Service (K8S) defines three roles for managing user permissions: owner, editor, and viewer. These roles are hierarchical, meaning each role inherits the permissions of the one below it:

  • Viewer: Provides read-only access to view project (tenancy) resources.

  • Editor: Includes all permissions of the viewer, with the additional ability to create, edit, and delete clusters within the project.

  • Owner: Includes all permissions of the editor, with the added capability to manage permissions and access for the project.

These K8S roles are mapped to IAM roles. Assigning a role to a user is managed through IAM and is reflected automatically in the Kubernetes service the next time the user logs in to the application.

The IAM roles and their corresponding KKP roles are as follows:

  • ewc-app-admin → Owner

  • ewc-app-maintainer → Editor

  • ewc-app-user → Viewer

Local Roles

The system also allows the creation of local service accounts. These are stored locally in KKP and are used to interact with the system through the API. IAM roles do not apply to these accounts; instead, a Viewer/Editor/Owner role is assigned to them manually.
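As an added illustration (not code from the EWC or KKP documentation), the following Python resolves the effective KKP role of a principal from the IAM-to-KKP mapping above and applies the role hierarchy, treating local service accounts as the page describes: they bypass IAM and use their manually assigned role. It assumes that a user holding several mapped IAM roles acts with the highest one and that the action names used are this example's own, not an EWC or KKP API.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Role(IntEnum):
    """Hierarchical KKP roles; a higher value inherits every lower role's permissions."""
    VIEWER = 1
    EDITOR = 2
    OWNER = 3


# IAM role -> KKP role, exactly as listed in the documentation.
IAM_TO_KKP = {
    "ewc-app-admin": Role.OWNER,
    "ewc-app-maintainer": Role.EDITOR,
    "ewc-app-user": Role.VIEWER,
}

# Minimum role per action, derived from the role descriptions (action names are this example's own).
REQUIRED_ROLE = {
    "view_resources": Role.VIEWER,
    "manage_clusters": Role.EDITOR,  # create, edit, delete clusters
    "manage_members": Role.OWNER,    # manage permissions and access
}


@dataclass
class Principal:
    name: str
    iam_roles: tuple = ()               # IAM roles from the identity provider
    is_service_account: bool = False    # local KKP service account?
    local_role: Optional[Role] = None   # manually assigned, service accounts only


def effective_role(p: Principal) -> Optional[Role]:
    """KKP role the principal acts with, or None if it has no access to the project."""
    if p.is_service_account:
        return p.local_role             # IAM roles do not apply to local accounts
    mapped = [IAM_TO_KKP[r] for r in p.iam_roles if r in IAM_TO_KKP]
    return max(mapped) if mapped else None  # assumption: highest mapped role wins


def is_allowed(p: Principal, action: str) -> bool:
    """True when the effective role meets the action's minimum; unknown actions are denied."""
    role = effective_role(p)
    if role is None or action not in REQUIRED_ROLE:
        return False
    return role >= REQUIRED_ROLE[action]
```

A useful check when auditing a tenancy is to run every principal through `is_allowed(p, "manage_members")`: anything beyond the intended owners, including a service account whose manual role was set too high, shows up immediately.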
