OpenShift RBAC

OpenShift version: 4.3

OpenShift has now evolved to version 4.3 (the last time I worked on it, it was version 3.11). I have been assigned to try a non-root install of the DS assembly (a plugin) in a CP4D cluster. What non-root means:

No cluster admin privileges
No root processes in containers
No host access or ssh requirements
No elevated SCCs (other than the cpd defaults)

We have already met the last three requirements, so the focus is on the first one.

After doing some research, the steps are clear but not that straightforward (compared with 3.11, the configuration in the current version has changed quite a bit, and it supports richer content).

  1. Create regular user
  2. Specify identity provider for OAuth
  3. Bind necessary cluster role or local role
  4. Run installation

One big change in 4.3 is that kubeadmin is the default cluster-admin user; like the earlier system:admin, kubeadmin is treated as the root user for the cluster. The password is dynamically generated and unique to your OpenShift Container Platform environment.

oc login -u kubeadmin -p IVfPS-FvJZI-Vagzw-nIpVA --server=https://api.dsocp43.os.fyre.ibm.com:6443

The password is printed in the output when the install finishes; just write it down. In 3.11, system:admin did not need a password to log in.

Create user and specify identity provider

Understanding identity provider configuration. By default, only a kubeadmin user exists on your cluster. To specify an identity provider, you must create a Custom Resource (CR) that describes that identity provider and add it to the cluster.

Here I chose htpasswd as the identity provider; see Configuring an HTPasswd identity provider.

## htpasswd -c -B -b </path/to/users.htpasswd> <user_name> <password>
htpasswd -c -B -b ~/.htpasswd demo demo

Then create the htpasswd secret:

## use $HOME rather than ~: the shell does not expand a tilde inside a --from-file=key=path argument
oc create secret generic htpass-secret --from-file=htpasswd=$HOME/.htpasswd -n openshift-config

Create the Custom Resource and add it to the cluster

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret

oc apply -f <yaml file>

Verify:

oc login -u demo -p demo
oc whoami

Bind cluster role or local role

Using RBAC to define and apply permissions. Cluster administrators can use cluster roles and bindings to control who has which level of access to the OpenShift Container Platform itself and to all projects.

Use kubeadmin to create a custom cluster role or local role and bind it. So far the demo user only has basic project-admin permissions on the projects it created itself; to work with the contents of another project, a local binding of the project admin role can be added:

oc adm policy add-role-to-user admin demo -n <target project>

If access to other resources is needed, for example:

[ERROR] [2020-02-19 15:19:21-0617] Error verifying current oauth token - Error from server (Forbidden): 
oauthaccesstokens.oauth.openshift.io "XKRLOq8286U3YnRbf6lsv99Uk2rD1A6wanNVxgp5NNs" is forbidden:
User "demo" cannot get resource "oauthaccesstokens" in API group "oauth.openshift.io" at the cluster scope

This says that user demo cannot get the resource oauthaccesstokens at the cluster scope. We can first create a cluster role for this resource and then bind it to user demo. When creating the cluster role, the allowed operations are specified; the verbs are get, list, create, delete, patch, watch and deletecollection. Then the newly created cluster role is bound to demo with a cluster role binding:

## new custom clusterrole for oauthaccesstokens
oc create clusterrole oauthaccesstoken_custom \
--verb=get,list,create,delete,patch,watch \
--resource=oauthaccesstokens
oc adm policy add-cluster-role-to-user oauthaccesstoken_custom demo
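The same two bindings expressed declaratively, as an added example that is not part of the original post: a ClusterRole narrowed to the single verb the Forbidden error actually reports (get), its ClusterRoleBinding to user demo, and the namespaced RoleBinding of the built-in admin role that `oc adm policy add-role-to-user admin demo -n <target project>` creates. The role and binding names and the namespace `target-project` are placeholders I chose, not values from the post.

```yaml
# Added example (not from the original post). Declarative equivalent of the
# oc commands above, kept to least privilege: the error only needed "get",
# so only that verb is granted. Names and the namespace are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: oauthaccesstoken-readonly
rules:
- apiGroups: ["oauth.openshift.io"]
  resources: ["oauthaccesstokens"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oauthaccesstoken-readonly-demo
subjects:
- kind: User
  name: demo
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: oauthaccesstoken-readonly
  apiGroup: rbac.authorization.k8s.io
---
# Namespaced equivalent of:
#   oc adm policy add-role-to-user admin demo -n target-project
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: admin-demo
  namespace: target-project
subjects:
- kind: User
  name: demo
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
```

Apply it as kubeadmin with `oc apply -f rbac.yaml`, then confirm the grant without logging in as the user: `oc auth can-i get oauthaccesstokens --as=demo` should answer yes, while `oc auth can-i delete oauthaccesstokens --as=demo` should still answer no. Starting from the verb named in the error and widening only when a further Forbidden error appears keeps the custom cluster role as small as the non-root install actually requires.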

The OpenShift web console shows exactly which bindings exist for user demo, which is very convenient for checking.
