In order to decentralise and effectively manage access control to servers (SSH) and Kubernetes, we need to establish group-based distributed access control.
This is defined and held in AzureAD, and integrated with Infra HQ.
Confirm the roles required for access, covering VNC for Tango Controls GUIs, SSH (limited account and sudo; node types: gateway/infravm, cluster, storage, CBF), and Kubernetes access at cluster and namespace level (central cluster, MCCS Station, Dish LMC).
Map the roles to groups required for the different environments (Mid/Low/Station/Dish etc.)
Develop the groups with IT, and assign group maintainers
Connect groups to Infra HQ configuration
Update configuration on fleet to match (infrahq agent and ssh configuration)
Update access policy and user documentation to reflect changes
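The steps above amount to one procedure: define roles, derive one group per role and environment, and then make the fleet-side configuration (sshd, sudoers, Kubernetes RBAC) agree with that mapping. The following is an added example, not the project's own configuration or Infra HQ's: the group naming convention (ska-<env>-<role>), the node types, namespaces and maintainer addresses are constructed placeholders, and the Infra HQ grant configuration itself is not modelled. It renders the fleet artefacts from a single role matrix and runs the checks a reviewer would want before the groups are created in AzureAD (every group has a maintainer; sudo stays confined to gateway nodes; Kubernetes bindings name groups, never individual users).

```python
"""Render group-based access control artefacts from a role -> group matrix.

Added example (not the project's own configuration). Group names, node types,
namespaces and maintainers are constructed placeholders. Infra HQ grants are
not modelled; this covers the mapping and the fleet-side config that must
agree with it.
"""
from __future__ import annotations

ENVIRONMENTS = ["mid", "low"]  # constructed subset of the environments listed

# Role definitions (constructed). SSH roles list the node types they apply to;
# sudo is deliberately confined to the gateway/infravm node type.
ROLES = {
    "ssh-limited": {"kind": "ssh", "sudo": False,
                    "node_types": ["gateway", "cluster", "storage", "cbf"]},
    "ssh-sudo": {"kind": "ssh", "sudo": True, "node_types": ["gateway"]},
    "k8s-cluster-admin": {"kind": "k8s", "scope": "cluster",
                          "cluster_role": "cluster-admin"},
    "k8s-ns-edit": {"kind": "k8s", "scope": "namespace", "cluster_role": "edit",
                    "namespaces": ["mccs-station", "dish-lmc"]},
}


def group_name(role: str, env: str) -> str:
    """Hypothetical AzureAD group naming convention: ska-<env>-<role>."""
    return f"ska-{env}-{role}"


def build_groups(roles=ROLES, envs=ENVIRONMENTS) -> dict[str, tuple[str, str]]:
    """Map every generated group name to its (role, env) pair."""
    return {group_name(r, e): (r, e) for e in envs for r in roles}


def render_ssh(node_type: str, env: str, roles=ROLES) -> tuple[str, str]:
    """Return (sshd_config fragment, sudoers fragment) for one node type.

    sshd: AllowGroups restricts logins to the groups whose role covers this
    node type. sudoers: only groups whose role has sudo=True get a rule, so a
    group that can log in to storage nodes cannot escalate there.
    """
    allowed, sudoers = [], []
    for role, spec in roles.items():
        if spec["kind"] != "ssh" or node_type not in spec["node_types"]:
            continue
        g = group_name(role, env)
        allowed.append(g)
        if spec["sudo"]:
            sudoers.append(f"%{g} ALL=(ALL:ALL) ALL")
    sshd = f"AllowGroups {' '.join(allowed)}\n" if allowed else ""
    return sshd, "\n".join(sudoers) + ("\n" if sudoers else "")


def render_k8s_bindings(env: str, roles=ROLES) -> list[dict]:
    """Emit RBAC binding manifests whose subjects are groups, never users."""
    bindings = []
    for role, spec in roles.items():
        if spec["kind"] != "k8s":
            continue
        subjects = [{"kind": "Group", "name": group_name(role, env),
                     "apiGroup": "rbac.authorization.k8s.io"}]
        role_ref = {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": spec["cluster_role"]}
        if spec["scope"] == "cluster":
            bindings.append({"apiVersion": "rbac.authorization.k8s.io/v1",
                             "kind": "ClusterRoleBinding",
                             "metadata": {"name": f"{env}-{role}"},
                             "subjects": subjects, "roleRef": role_ref})
        else:  # namespace-scoped: one RoleBinding per namespace
            for ns in spec["namespaces"]:
                bindings.append({"apiVersion": "rbac.authorization.k8s.io/v1",
                                 "kind": "RoleBinding",
                                 "metadata": {"name": f"{env}-{role}",
                                              "namespace": ns},
                                 "subjects": subjects, "roleRef": role_ref})
    return bindings


def validate(groups: dict, maintainers: dict, roles=ROLES) -> list[str]:
    """Checks to run before the groups are created in AzureAD."""
    problems = []
    for g, (role, _env) in groups.items():
        if g not in maintainers:
            problems.append(f"{g}: no group maintainer assigned")
        spec = roles[role]
        if spec["kind"] == "ssh" and spec["sudo"] \
                and set(spec["node_types"]) - {"gateway"}:
            problems.append(f"{g}: sudo role reaches beyond gateway nodes")
    return problems


if __name__ == "__main__":
    groups = build_groups()
    maintainers = {g: "ops@example.invalid" for g in groups}  # constructed
    print(validate(groups, maintainers) or "matrix OK")
    for node_type in ("gateway", "storage"):
        sshd, sudoers = render_ssh(node_type, "mid")
        print(f"--- {node_type}: sshd_config\n{sshd}sudoers\n{sudoers}")
    for b in render_k8s_bindings("mid"):
        print(b["kind"], b["metadata"], [s["name"] for s in b["subjects"]])
```

Two points the rendered output relies on: sshd's AllowGroups and sudoers group rules only work if the AzureAD group names resolve on the host (through NSS, whether populated by the access agent or by a directory client), so the fleet configuration step has to verify group resolution on each node type, not just ship the files; and the Kubernetes bindings reference groups by the exact name the API server receives from its identity provider, so the name convention chosen here must match what is configured there.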