The CNF global permission enforcement system allows you to assign and enforce global permissions.

CNF permission enforcement aims at running the HELM commands in the context of a restricted service account. This restricted service account is granted only the minimum permissions required to perform the LCM operations. A limited service account that is created with namespace access only might not be adequate, because it does not provide access to cluster-level resources.

The following diagram illustrates the CNF permission enforcement system.

An LCM operation comprises the following steps:

  1. TCA communicates with the target VIM and preconfigures it if required.
  2. TCA creates a service account with the necessary permissions (roles and cluster roles, together with the role bindings that attach them to the service account).

    This step ensures that the CNF cannot access any resource other than those allowed by its role bindings.

  3. TCA triggers HELM with the created service account.
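The RBAC objects that step 2 describes, written out as an added example (these are not the manifests TCA generates; the namespace `cnf-ns`, the service account `cnf-lcm-sa`, and the resource lists are assumptions chosen for illustration). The namespace-scoped Role covers what Helm needs inside the release namespace, including the Secrets in which Helm 3 stores release data; the ClusterRole shows the cluster-level access that a namespace-only account cannot obtain.

```yaml
# Added example, not TCA's own manifests. cnf-ns, cnf-lcm-sa and the
# resource lists are assumptions chosen for illustration.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cnf-lcm-sa
  namespace: cnf-ns
---
# Namespace-scoped rights: what Helm needs to manage the CNF's objects in cnf-ns only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cnf-lcm-role
  namespace: cnf-ns
rules:
  - apiGroups: ["", "apps", "batch"]
    resources: ["configmaps", "secrets", "services", "pods", "deployments", "statefulsets", "jobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cnf-lcm-rolebinding
  namespace: cnf-ns
subjects:
  - {kind: ServiceAccount, name: cnf-lcm-sa, namespace: cnf-ns}
roleRef: {kind: Role, name: cnf-lcm-role, apiGroup: rbac.authorization.k8s.io}
---
# Cluster-scoped rights: a namespace-only binding cannot grant these, which is
# why a namespace-limited account may be inadequate. CRDs are an assumed example.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cnf-lcm-clusterrole
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cnf-lcm-clusterrolebinding
subjects:
  - {kind: ServiceAccount, name: cnf-lcm-sa, namespace: cnf-ns}
roleRef: {kind: ClusterRole, name: cnf-lcm-clusterrole, apiGroup: rbac.authorization.k8s.io}
```

Before triggering Helm, the effective permissions of the account can be reviewed with `kubectl auth can-i --list --as=system:serviceaccount:cnf-ns:cnf-lcm-sa -n cnf-ns`, which lists exactly the verbs and resources the bindings grant and nothing else.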

A virtual infrastructure administrator assigns the required privileges by extending the RBAC permission model with policy and policy grants, which is illustrated in the following diagram.