OpenShift RBAC

OpenShift uses RBAC for authorization and identity providers for authentication. First of all:
the cluster administrator can use cluster roles and bindings to control who has access to the OpenShift Container Platform itself and to all projects.
Developers can use local roles and bindings to control who has access to their own projects. Note that authorization is a separate step from authentication: authentication establishes who the person is, while authorization determines which operations that person may perform.
Several important concepts:
rule: an operation permitted on a resource, for example whether pods or other resources may be created, got or listed
role: a collection of rules; a role can be understood as the entity that groups rules together
binding: the association between a role and a user and/or group
RBAC binds roles and controls permissions at two levels:
rolebinding:
a local binding, scoped to a single namespace (project)
clusterrolebinding:
a global binding, scoped to the entire cluster

The following figure shows the default cluster roles:
[figure: OpenShift RBAC default cluster roles]

For example, if we bind the user user1 to the admin role with a rolebinding, that admin role only applies to the current project; if we bind it with a clusterrolebinding instead, the user is admin for the entire cluster.

The following figure explains the relationship between them well:
[figure: OpenShift RBAC roles and bindings]

Experiment:
We want to create a role with get, list and other permissions, and bind it to the user dev1 through a rolebinding.
1. Create a project named dev:
oc create ns dev
2. Create the role (first as a dry run, to see the generated YAML):

 [core@w1 ~]$ oc create role dev-rolebinding --verb=get,list,create,update,delete,watch --resource=pod,deployment -n dev --dry-run=true -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: dev-rolebinding
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - watch
[core@w1 ~]$ 

The command above did not actually create anything because of --dry-run; now let's really create it:

[core@w1 ~]$ oc create role dev-rolebinding --verb=get,list,create,update,delete,watch --resource=pod,deployment -n dev 
role.rbac.authorization.k8s.io/dev-rolebinding created

Now bind the user dev1 to this role in the dev namespace with a rolebinding:

[core@w1 ~]$ oc adm policy add-role-to-user dev-rolebinding dev1 --role-namespace=dev  -n dev
Warning: User 'dev1' not found
role.rbac.authorization.k8s.io/dev-rolebinding added: "dev1"
[core@w1 ~]$ 

The warning shows that the user dev1 does not yet exist in the cluster, so let's create one.
1. First, on a machine with httpd-tools installed, use htpasswd to create a user with a password, then copy the file to the machine that can authenticate to OpenShift:

[root@pub ~]# htpasswd -c -B -b /tmp/htpasswd-dev1 dev1 dev1
Adding password for user dev1
[root@pub ~]# scp /tmp/htpasswd-dev1  [email protected]:/tmp
htpasswd-dev1                                                                       100%   66    76.9KB/s   00:00    
[root@pub ~]# 

Then, on the OpenShift machine:

[root@m1 ~]# oc create secret generic htpass-secret-dev1 --from-file=htpasswd=/tmp/htpasswd-dev1 -n openshift-config
secret/htpass-secret-dev1 created
[root@m1 ~]# vi httpd-passwd.yaml
[root@m1 ~]# cat httpd-passwd.yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_htpasswd_provider-demo
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret-dev1
[root@m1 ~]# oc apply -f httpd-passwd.yaml
oauth.config.openshift.io/cluster configured
[root@m1 ~]#

Now try to log in as the user dev1:

[core@w1 ~]$ oc login -u dev1
Authentication required for https://192.168.1.131:6443 (openshift)
Username: dev1
Password:
Login successful.

You don't have any projects. You can try to create a new project, by running

oc new-project <projectname>

[core@w1 ~]$
The dev1 user has been created successfully; now grant the role again:
[core@w1 ~]$ oc adm policy add-role-to-user dev-rolebinding dev1 --role-namespace=dev -n dev
role.rbac.authorization.k8s.io/dev-rolebinding added: "dev1"
[core@w1 ~]$

At this point, as the user dev1, view the pods of the dev project:
[core@m1 ~]$ oc get pod,deployment -n dev
No resources found in dev namespace.
[core@m1 ~]$
Then try to view the pods of the default project; this should be rejected:
[core@m1 ~]$ oc get pod,deployment -n default
Error from server (Forbidden): pods is forbidden: User "dev1" cannot list resource "pods" in API group "" in the namespace "default"
Error from server (Forbidden): deployments.extensions is forbidden: User "dev1" cannot list resource "deployments" in API group "extensions" in the namespace "default"
[core@m1 ~]$
That completes the rolebinding test.

Next, test a clusterrolebinding:
create a clusterrole and bind it to the user dev1.

[core@w1 ~]$ oc create clusterrole clyster-rolebinding --verb=get,list,create,update,delete,watch --resource=pod,deployment,ns -n dev
clusterrole.rbac.authorization.k8s.io/clyster-rolebinding created
[core@w1 ~]$ oc adm policy add-cluster-role-to-user dev-rolebinding dev1
clusterrole.rbac.authorization.k8s.io/dev-rolebinding added: "dev1"
[core@w1 ~]$

Now check again as the user dev1:
[core@w1 ~]$ oc whoami
dev1
[core@w1 ~]$ oc get pod -n default
NAME READY STATUS RESTARTS AGE
appv1-5d8bc7bc75-bh4nd 1/1 Running 0 15h
appv1-5d8bc7bc75-gbqcb 1/1 Running 0 7d1h
appv1-5d8bc7bc75-lslxz 1/1 Running 0 15h
hello-openshift-1-585zl 1/1 Running 0 15h
myapp-1-74f5dcc-5t4lv 1/1 Running 0 15h
myapp-1-74f5dcc-79slr 1/1 Running 0 15h
myapp-1-74f5dcc-bztkc 1/1 Running 0 7d21h
myapp-6d9dcf58d6-6r7sz 1/1 Running 0 15h
myapp-6d9dcf58d6-hl6n2 1/1 Running 0 7d21h
myapp-6d9dcf58d6-m5f7x 1/1 Running 0 15h
myapp-deploy-6965d5bd75-5s6kj 1/1 Running 0 15h
myapp-deploy-6965d5bd75-qgqhn 1/1 Running 0 6d16h
myapp-deploy-6965d5bd75-vt7x4 1/1 Running 0 15h
test-nginx-58bfbcc86d-nffgg 1/1 Running 0 15h
test-test-6f7947d649-jp2zj 1/1 Running 0 15h
[core@w1 ~]$

Make the user dev1 a cluster administrator:
[root@m1 ~]# oc adm policy add-cluster-role-to-user cluster-admin dev1
clusterrole.rbac.authorization.k8s.io/cluster-admin added: "dev1"
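As an added example (not code from the original post), here is a small Python model of the authorization decision the experiment above exercises: a rolebinding grants its rules only inside its own namespace, a clusterrolebinding grants them in every namespace, and a binding whose roleRef names a clusterrole that does not exist grants nothing (the post creates "clyster-rolebinding" but binds "dev-rolebinding"). Role and user names are the post's; the evaluation logic is a simplification of the real authorizer.

```python
# Added example, not from the original post: a minimal model of how Kubernetes/OpenShift RBAC
# answers "can user U do verb V on resource R in namespace N?". It simplifies the real
# authorizer (no group or serviceaccount subjects, no resourceNames, no aggregated roles).
ALL_VERBS = {"get", "list", "create", "update", "delete", "watch"}

# Role "dev-rolebinding" in namespace dev, as generated by `oc create role` in the post.
# Rule entries are (apiGroup, resource, verbs).
ROLES = {("dev", "dev-rolebinding"): [("", "pods", ALL_VERBS), ("extensions", "deployments", ALL_VERBS)]}
# ClusterRoles: the one created with `oc create clusterrole` in the post, plus built-in cluster-admin.
CLUSTER_ROLES = {
    "clyster-rolebinding": [("", "pods", ALL_VERBS), ("extensions", "deployments", ALL_VERBS),
                            ("", "namespaces", ALL_VERBS)],
    "cluster-admin": [("*", "*", {"*"})],   # wildcard: every verb on every resource
}

def _match(pattern, value):
    return pattern == "*" or pattern == value

def _rules_allow(rules, api_group, resource, verb):
    return any(_match(g, api_group) and _match(r, resource) and (verb in verbs or "*" in verbs)
               for g, r, verbs in rules)

def can_i(user, verb, resource, namespace, role_bindings, cluster_role_bindings, api_group=""):
    """role_bindings: (namespace, roleRef kind, roleRef name, user) tuples;
    cluster_role_bindings: (ClusterRole name, user) tuples. Any single matching rule allows."""
    # A ClusterRoleBinding grants the ClusterRole's rules in every namespace.
    for role_name, subject in cluster_role_bindings:
        # A roleRef naming a ClusterRole that does not exist resolves to no rules at all.
        if subject == user and _rules_allow(CLUSTER_ROLES.get(role_name, []), api_group, resource, verb):
            return True
    # A RoleBinding only applies inside its own namespace, even when it references a ClusterRole.
    for ns, kind, role_name, subject in role_bindings:
        if subject != user or ns != namespace:
            continue
        rules = ROLES.get((ns, role_name), []) if kind == "Role" else CLUSTER_ROLES.get(role_name, [])
        if _rules_allow(rules, api_group, resource, verb):
            return True
    return False

def walk_through():
    """Replays the post's checks for dev1; returns the four outcomes as booleans."""
    rb = [("dev", "Role", "dev-rolebinding", "dev1")]        # oc adm policy add-role-to-user
    in_dev = can_i("dev1", "list", "pods", "dev", rb, [])                 # allowed
    in_default = can_i("dev1", "list", "pods", "default", rb, [])         # Forbidden, as in the post
    # Binding the name the post typed finds no ClusterRole, so default stays forbidden;
    # binding the ClusterRole that was actually created opens every namespace.
    wrong_name = can_i("dev1", "list", "pods", "default", rb, [("dev-rolebinding", "dev1")])
    right_name = can_i("dev1", "list", "pods", "default", rb, [("clyster-rolebinding", "dev1")])
    return in_dev, in_default, wrong_name, right_name

if __name__ == "__main__":
    print(walk_through())  # (True, False, False, True)
```

On a real cluster the same question is answered by `oc auth can-i list pods -n default --as=dev1`, which is the quickest way to confirm a binding took effect before handing the account over.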

Origin blog.51cto.com/shyln/2483917