diff --git a/modules/ocp4/pages/sop_disable_provisioners_role.adoc b/modules/ocp4/pages/sop_disable_provisioners_role.adoc
new file mode 100644
index 0000000..0808696
--- /dev/null
+++ b/modules/ocp4/pages/sop_disable_provisioners_role.adoc
@@ -0,0 +1,70 @@
+== SOP Disable `self-provisioners` Role
+
+=== Resources
+
+- [1] https://docs.openshift.com/container-platform/4.4/applications/projects/configuring-project-creation.html#disabling-project-self-provisioning_configuring-project-creation
+
+
+=== Disabling self-provisioners role
+By default, when a user authenticates with Openshift via Oauth, it is part of the `self-provisioners` group. This group provides the ability to create new projects. On CentOS CI we do not want users to be able to create their own projects, as we have a system in place where we create a project and control the administrators of that project.
+
+To disable the self-provisioner role do the following as outlined in the documentation[1].
+
+----
+oc describe clusterrolebinding.rbac self-provisioners
+
+Name: self-provisioners
+Labels:
+Annotations: rbac.authorization.kubernetes.io/autoupdate=true
+Role:
+ Kind: ClusterRole
+ Name: self-provisioner
+Subjects:
+ Kind Name Namespace
+ ---- ---- ---------
+ Group system:authenticated:oauth
+----
+
+Remove the subjects that the self-provisioners role applies to.
+
+----
+oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
+----
+
+Verify the change occurred successfully
+
+----
+oc describe clusterrolebinding.rbac self-provisioners
+Name: self-provisioners
+Labels:
+Annotations: rbac.authorization.kubernetes.io/autoupdate: true
+Role:
+ Kind: ClusterRole
+ Name: self-provisioner
+Subjects:
+ Kind Name Namespace
+ ---- ---- ---------
+----
+
+When the cluster is updated to a new version, unless we mark the role appropriately, the permissions will be restored after the update is complete.
+
+Verify that the value is currently set to be restored after an update:
+
+----
+oc get clusterrolebinding.rbac self-provisioners -o yaml
+----
+
+----
+apiVersion: authorization.openshift.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ ...
+----
+
+We wish to set this `rbac.authorization.kubernetes.io/autoupdate` to `false`. To patch this do the following.
+
+----
+oc patch clusterrolebinding.rbac self-provisioners -p '{ "metadata": { "annotations": { "rbac.authorization.kubernetes.io/autoupdate": "false" } } }'
+----
diff --git a/modules/ocp4/pages/sops.adoc b/modules/ocp4/pages/sops.adoc
index 4c509ed..998ca86 100644
--- a/modules/ocp4/pages/sops.adoc
+++ b/modules/ocp4/pages/sops.adoc
@@ -6,3 +6,4 @@
 - xref:sop_retrieve_ocp4_cacert.adoc[SOP Retrieve OCP4 CACERT]
 - xref:sop_configure_image_registry_operator.adoc[SOP Configure the Image Registry Operator]
 - xref:sop_configure_oauth_ipa.adoc[SOP Configure oauth Authentication via IPA/Noggin]
+- xref:sop_disable_provisioners_role.adoc[SOP Disable the Provisioners Role]