## Configure default permissions for ACO users

By default, every user who authenticates with OpenShift (`system:authenticated`) is covered by the `self-provisioners` ClusterRoleBinding, which grants the `self-provisioner` role. This role provides the basic ability to create projects, within which the user then has admin access.

To prevent this, we must first delete the `self-provisioners` ClusterRoleBinding. Should we ever wish to restore it for whatever reason, the original contents of the object are:

```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: self-provisioners
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: 'true'
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: 'system:authenticated:oauth'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: self-provisioner
```

Once removed, a new user who authenticates via ACO no longer has permission to do much of anything beyond what the `basic-user` role provides.

To find this role originally, see resources [1][2]. To list the cluster roles and their bindings, run `oc describe clusterrole.rbac` and `oc describe clusterrolebinding.rbac`. Searching that output for `system:authenticated` pointed to the role that was being applied automatically to users authenticated with the cluster.

### Adding permissions to an authenticated user

We first create a group that will contain all the users for a particular project, e.g.:

```yaml
kind: Group
apiVersion: user.openshift.io/v1
metadata:
  name: project-group-admins
users:
  - user2
  - user1
```

Then create a project/namespace for the project, e.g. `oc create namespace "project"`.

Next, create a RoleBinding from the group to a role. We want to give members of this group admin access within the namespace, e.g.:

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: project-admins
  namespace: project
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: project-group-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
```

Users listed in the group now have admin access to the project/namespace and nothing else within the cluster, which is what we want.
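
Both halves of these notes (spotting the `self-provisioners` binding that hands a role to every authenticated user, and confirming that group members end up with admin in one namespace and nothing more) can be checked offline from `oc get ... -o json` output. The following script is an added example, not part of the original notes or of OpenShift itself. It assumes dumps produced by `oc get clusterrolebindings -o json`, `oc get rolebindings --all-namespaces -o json` and `oc get groups -o json`; the items embedded below are constructed to mirror the objects shown above, the `basic-users` binding name is an assumption, and `EXPECTED_BROAD_ROLES` is a starting allowlist you should adjust to what your cluster intentionally grants.

```python
import json

# Groups every logged-in (or anonymous) user belongs to; a binding whose
# subject is one of these hands the role to everyone, cluster-wide.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth",
                "system:unauthenticated"}

# Roles it is normal to see bound to those groups. Assumption / starting
# point only: extend it with whatever your cluster grants on purpose.
EXPECTED_BROAD_ROLES = {"basic-user", "system:discovery",
                        "system:public-info-viewer"}

# Constructed sample data shaped like the "items" of `oc get ... -o json`,
# mirroring the objects in the notes above (not captured from a real cluster).
SAMPLE_CRBS = [
    {"metadata": {"name": "self-provisioners"},
     "subjects": [{"kind": "Group", "name": "system:authenticated:oauth"}],
     "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"}},
    {"metadata": {"name": "basic-users"},   # assumed name for the default binding
     "subjects": [{"kind": "Group", "name": "system:authenticated"}],
     "roleRef": {"kind": "ClusterRole", "name": "basic-user"}},
]
SAMPLE_RBS = [
    {"metadata": {"name": "project-admins", "namespace": "project"},
     "subjects": [{"kind": "Group", "name": "project-group-admins"}],
     "roleRef": {"kind": "ClusterRole", "name": "admin"}},
]
SAMPLE_GROUPS = [
    {"metadata": {"name": "project-group-admins"}, "users": ["user2", "user1"]},
]


def load_items(path):
    """Read an `oc get ... -o json` dump and return its items list."""
    with open(path) as fh:
        return json.load(fh).get("items", [])


def broad_bindings(crbs, expected=EXPECTED_BROAD_ROLES):
    """ClusterRoleBindings giving a broad group a role outside the expected set.

    Returns (binding, group, role) tuples. The self-provisioners binding from
    the notes shows up here until it is deleted.
    """
    findings = []
    for crb in crbs:
        role = crb["roleRef"]["name"]
        for subj in crb.get("subjects") or []:
            if (subj.get("kind") == "Group" and subj.get("name") in BROAD_GROUPS
                    and role not in expected):
                findings.append((crb["metadata"]["name"], subj["name"], role))
    return findings


def groups_for(user, groups):
    """Groups a user belongs to: explicit Group objects plus the implicit ones.

    Assumption: an OAuth-authenticated user is in both system:authenticated
    and system:authenticated:oauth, as the deleted binding's subject implies.
    """
    explicit = {g["metadata"]["name"] for g in groups
                if user in (g.get("users") or [])}
    return explicit | {"system:authenticated", "system:authenticated:oauth"}


def subject_matches(subj, user, user_groups):
    kind, name = subj.get("kind"), subj.get("name")
    return (kind == "User" and name == user) or (kind == "Group" and name in user_groups)


def effective_bindings(user, crbs, rbs, groups):
    """Every role a user holds as (scope, role, binding), scope being "cluster"
    or a namespace. Use it to confirm a user is admin in one project and has
    nothing else beyond the broad defaults."""
    ug = groups_for(user, groups)
    held = []
    for crb in crbs:
        if any(subject_matches(s, user, ug) for s in crb.get("subjects") or []):
            held.append(("cluster", crb["roleRef"]["name"], crb["metadata"]["name"]))
    for rb in rbs:
        if any(subject_matches(s, user, ug) for s in rb.get("subjects") or []):
            held.append((rb["metadata"]["namespace"], rb["roleRef"]["name"],
                         rb["metadata"]["name"]))
    return sorted(held)


def without(crbs, name):
    """The binding list as it looks after `oc delete clusterrolebinding <name>`."""
    return [c for c in crbs if c["metadata"]["name"] != name]


if __name__ == "__main__":
    print("broad grants before:", broad_bindings(SAMPLE_CRBS))
    after = without(SAMPLE_CRBS, "self-provisioners")
    print("broad grants after: ", broad_bindings(after))
    for u in ("user1", "user3"):   # user3 is not in any Group object
        print(u, "->", effective_bindings(u, after, SAMPLE_RBS, SAMPLE_GROUPS))
```

Point `load_items` at real dumps to run the same review against a cluster. The equivalent live check for one user is `oc auth can-i --list --namespace project --as user1`, which should list the admin verbs inside `project` and, when run without `--namespace`, only what `basic-user` grants.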

### Resources

- [1] Using RBAC to define and apply permissions: https://docs.openshift.com/container-platform/4.4/authentication/using-rbac.html#default-roles_using-rbac
- [2] Using OIDC to authenticate: https://docs.openshift.com/container-platform/4.4/authentication/identity_providers/configuring-oidc-identity-provider.html#configuring-oidc-identity-provider