OpenShift version: 4.3
OpenShift has now evolved to version 4.3 (the last time I worked on it, it was version 3.11). I am assigned to try a non-root install of the DS assembly (a plugin) in a CP4D cluster. What non-root means:
- No cluster admin privileges
We have already met the last three requirements, so this post focuses on the first one.
After doing some research, the steps are clear but not that straightforward (the configuration has changed quite a lot compared with 3.11, and more options are supported):
- Create regular user
- Specify identity provider for OAuth
- Bind necessary cluster role or local role
- Run installation
A big change in 4.3 is that kubeadmin is the default cluster-admin user; like system:admin before, kubeadmin is treated as the root user for the cluster. The password is dynamically generated and unique to your OpenShift Container Platform environment.
```
oc login -u kubeadmin -p IVfPS-FvJZI-Vagzw-nIpVA --server=https://api.dsocp43.os.fyre.ibm.com:6443
```
The password is printed in the installer output when the install finishes; just write it down. In 3.11, system:admin did not need a password to log in.
Create user and specify identity provider
Understanding identity provider configuration: by default, only a kubeadmin user exists on your cluster. To specify an identity provider, you must create a Custom Resource (CR) that describes that identity provider and add it to the cluster.
Here I chose htpasswd as the identity provider (see "Configuring an HTPasswd identity provider"):
```
## -c creates the file, -B uses bcrypt, -b takes the password from the command line
htpasswd -c -B -b </path/to/users.htpasswd> <user_name> <password>
```
Then create htpasswd secret:
```
oc create secret generic htpass-secret --from-file=htpasswd=~/.htpasswd -n openshift-config
```
Create the Custom Resource and add it to the cluster:
```
apiVersion: config.openshift.io/v1
```
```
oc apply -f <yaml file>
```
Verify:
```
oc login -u demo -p demo
```
Bind cluster role or local role
Using RBAC to define and apply permissions: cluster administrators can use cluster roles and bindings to control who has which level of access to OpenShift Container Platform itself and to all projects.
Use kubeadmin to create a custom cluster role or local role and bind it.
So far, the demo user only has basic project-admin rights on the projects it created itself. To work on the contents of another project, you can bind the project admin role locally:
```
oc adm policy add-role-to-user admin demo -n <target project>
```
If access to other resources is needed, for example:
```
[ERROR] [2020-02-19 15:19:21-0617] Error verifying current oauth token - Error from server (Forbidden):
```
The message says that user demo cannot get resource oauthaccesstokens at the cluster scope. We can first create a cluster role for that resource, then bind it to user demo. When creating the cluster role you can specify the allowed operations; the verbs are get, list, create, delete, patch, watch and deletecollection. Then bind the new cluster role to demo with a cluster role binding:
```
## new custom clusterrole oauthaccesstokens
```
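The manifests the post only shows the first line of, as an added example that is not part of the original post: the OAuth CR that wires in htpass-secret, and a least-privilege ClusterRole plus ClusterRoleBinding for the oauthaccesstokens error above. The provider, role and binding names are assumed; only the verb the Forbidden error asked for (get) is granted.

```yaml
# Added example, not from the original post. Names marked "assumed" are
# not on the page; htpass-secret and user demo are the post's own values.
# 1) Wire the htpasswd secret (created in openshift-config above) into
#    the cluster OAuth CR, which is a singleton named "cluster".
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: htpasswd_provider     # assumed; shown on the web console login page
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret     # secret name from the post
---
# 2) Least-privilege ClusterRole for the quoted error:
#    "cannot get resource oauthaccesstokens at the cluster scope".
#    Only "get" is granted; add list/delete/etc. only if the installer
#    later fails on one of those verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: oauthaccesstokens-reader          # assumed role name
rules:
- apiGroups: ["oauth.openshift.io"]
  resources: ["oauthaccesstokens"]
  verbs: ["get"]
---
# 3) Bind the role to the demo user cluster-wide. Equivalent CLI:
#    oc adm policy add-cluster-role-to-user oauthaccesstokens-reader demo
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: demo-oauthaccesstokens-reader     # assumed binding name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: oauthaccesstokens-reader
subjects:
- kind: User
  name: demo
  apiGroup: rbac.authorization.k8s.io
```

Apply it as kubeadmin with `oc apply -f <file>`, then confirm the grant before rerunning the installer with `oc auth can-i get oauthaccesstokens.oauth.openshift.io --as=demo`, which should answer `yes` while unrelated verbs such as delete still answer `no`.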
Checking the OpenShift web console shows exactly which bindings exist for user demo, which is very convenient.