[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Node authentication changes (role/rolebinding update required)

Giving higher levels of access than node-reader to a user is effectively root on that machine, use with care.

On Oct 8, 2015, at 1:19 PM, Jordan Liggitt <jliggitt redhat com> wrote:

TL;DR: If you have an existing dev cluster and policy in etcd, run these commands after updating to master:

oadm policy reconcile-cluster-roles --confirm
oadm policy reconcile-cluster-role-bindings --confirm

Authentication/authorization to the Kubelet API in OpenShift has changed with https://github.com/openshift/origin/pull/4873.

Previously, a client certificate gained you full access to the Kubelet API. Now, the same authn/authz chain used in the master API applies to the Kubelet API. This means that OAuth and service account tokens can now be used to authenticate Kubelet API calls. It also requires running the above commands when upgrading to make sure the newly defined roles and default permissions are in place.

You can grant access to parts of the Kubelet API using OpenShift policy commands. The following roles grant access to /metrics and /stats endpoints on the nodes:
  • system:node-reader (only allows read access to node metrics and stats and node API objects)
  • system:cluster-reader (has broad read access)
  • system:cluster-admin (has all permissions on all objects)

The following roles grant full access to the kubelet API:
  • system:node-admin
  • system:cluster-admin

You can add those roles to any user or group with the normal policy commands. For example:

oadm policy add-cluster-role-to-user system:node-reader bob

dev mailing list
dev lists openshift redhat com

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]