
Re: cluster-roles

I don't think I'd have my robot use the `projectrequests` endpoint.  Instead, I'd grant my robot the power to
  1. Create projects
  2. Update namespaces
  3. Create resourcequotas, limitranges
  4. Bind robot to "admin"
Binding the robot to "admin" seems a little bit odd, but the rules for binding roles to subjects require that the binder (robot in your case) have at least all the permissions of the roles it's binding.  This prevents a binder from escalating privileges by granting more power to the bindee.
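The four grants listed above, written out as an added example of OpenShift 3.x policy objects (this is not from the thread; the role name "project-provisioner" and the robot username "provision-robot" are assumptions):

```yaml
# Added example: a ClusterRole carrying grants 1-3 from the reply, in the
# OpenShift 3.x "v1" policy API that the oadm commands in this thread target.
apiVersion: v1
kind: ClusterRole
metadata:
  name: project-provisioner      # assumed name
rules:
  # 1. Create projects directly (the reply avoids the projectrequests endpoint)
  - apiGroups: [""]
    resources: ["projects"]
    verbs: ["create", "get", "list"]
  # 2. Update the namespace backing each project (annotations, labels)
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "update"]
  # 3. Create the quota and limit objects inside the new project
  - apiGroups: [""]
    resources: ["resourcequotas", "limitranges"]
    verbs: ["create", "get", "list"]
---
# 4. Bind the robot to "admin" cluster-wide. The binder must already hold every
#    permission of the role it hands out, so the robot has to be admin before it
#    can make other users admin/edit/view in the projects it creates.
#    Equivalent command: oadm policy add-cluster-role-to-user admin provision-robot
apiVersion: v1
kind: ClusterRoleBinding
metadata:
  name: provision-robot-admin   # assumed name
roleRef:
  name: admin
subjects:
  - kind: User
    name: provision-robot       # assumed robot username
userNames:
  - provision-robot
---
# Attach the provisioning role to the same robot.
# Equivalent command: oadm policy add-cluster-role-to-user project-provisioner provision-robot
apiVersion: v1
kind: ClusterRoleBinding
metadata:
  name: provision-robot-provisioner   # assumed name
roleRef:
  name: project-provisioner
subjects:
  - kind: User
    name: provision-robot
userNames:
  - provision-robot
```

Note that "admin" bound cluster-wide gives the robot admin rights in every project, not only the ones it creates, so the robot's credentials deserve the same protection as any other broadly privileged account.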

On Thu, Aug 4, 2016 at 2:04 PM, Srinivas Naga Kotaru (skotaru) <skotaru cisco com> wrote:

We want to disable default project creation by authenticated users and delegate it to a user. All users should go to a central provisioning system and ask for a project, project quota, and the admin/edit/view members. Once the project is created, quotas are set up and the appropriate admin/edit and view members are added, authenticated users can create apps themselves. Essentially we want to control the initial project, quota, and project members.

We don't want to give cluster-admin and admin to this generic user being used by the orchestration system, and want to limit its capabilities by using OSE 3.x roles features.

This is my understanding:

oadm policy remove-cluster-role-from-group self-provisioner system:authenticated
oadm policy add-cluster-role-to-user self-provisioner <robot user>

What other roles are needed by the robot user to set up quotas on projects and add users as admin/edit and viewers to projects?
The oc describe clusterPolicyBindings :default command lists existing roles starting with system-*, but I'm not sure which roles are really required to perform the above jobs.
Can you help here?

Srinivas Kotaru

users mailing list
users lists openshift redhat com
