From b603b6151b8540aa5deb3ffa66af2c95ce66620b Mon Sep 17 00:00:00 2001
From: Lars Kellogg-Stedman
Date: Fri, 17 Jun 2022 17:00:13 -0400
Subject: [PATCH 1/2] Configure GitHub IDP
This commit adds a GitHub identity provider, and disables the self-provisioner role for all counts. Currently, GitHub auth access is limited to the ocp-on-nerc/nerc-ops group.
---
 .../oauths/cluster/kustomization.yaml | 4 ++++
 .../config.openshift.io/oauths/cluster/oauth.yaml | 9 +++++++++
 .../self-provisioners/clusterrolebinding.yaml | 11 +++++++++++
 .../self-provisioners/kustomization.yaml | 4 ++++
 cluster-scope/overlays/common/kustomization.yaml | 2 ++
 .../overlays/nerc-ocp-infra/kustomization.yaml | 3 +++
 .../nerc-ocp-infra/oauths/cluster_patch.yaml | 15 +++++++++++++++
 7 files changed, 48 insertions(+)
 create mode 100644 cluster-scope/base/config.openshift.io/oauths/cluster/kustomization.yaml
 create mode 100644 cluster-scope/base/config.openshift.io/oauths/cluster/oauth.yaml
 create mode 100644 cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners/clusterrolebinding.yaml
 create mode 100644 cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners/kustomization.yaml
 create mode 100644 cluster-scope/overlays/nerc-ocp-infra/oauths/cluster_patch.yaml
diff --git a/cluster-scope/base/config.openshift.io/oauths/cluster/kustomization.yaml b/cluster-scope/base/config.openshift.io/oauths/cluster/kustomization.yaml
new file mode 100644
index 00000000..e7b18965
--- /dev/null
+++ b/cluster-scope/base/config.openshift.io/oauths/cluster/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - oauth.yaml
diff --git a/cluster-scope/base/config.openshift.io/oauths/cluster/oauth.yaml b/cluster-scope/base/config.openshift.io/oauths/cluster/oauth.yaml
new file mode 100644
index 00000000..1d4f914c
--- /dev/null
+++ b/cluster-scope/base/config.openshift.io/oauths/cluster/oauth.yaml
@@ -0,0 +1,9 @@
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+ annotations:
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ release.openshift.io/create-only: "true"
+ name: cluster
diff --git a/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners/clusterrolebinding.yaml b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners/clusterrolebinding.yaml
new file mode 100644
index 00000000..e72df51e
--- /dev/null
+++ b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners/clusterrolebinding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "false"
+ name: self-provisioners
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: self-provisioner
+subjects: []
diff --git a/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners/kustomization.yaml b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners/kustomization.yaml
new file mode 100644
index 00000000..464a5f99
--- /dev/null
+++ b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - clusterrolebinding.yaml
diff --git a/cluster-scope/overlays/common/kustomization.yaml b/cluster-scope/overlays/common/kustomization.yaml
index c44cbcaf..95110c33 100644
--- a/cluster-scope/overlays/common/kustomization.yaml
+++ b/cluster-scope/overlays/common/kustomization.yaml
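Review bot: The self-provisioners binding gives no explanation of why `subjects: []` and `rbac.authorization.kubernetes.io/autoupdate: "false"` must travel together, and a future maintainer is likely to "fix" the empty list or drop the annotation as noise. The annotation is what keeps the API server's RBAC reconciliation from restoring the default subject (normally the `system:authenticated:oauth` group) to this binding, so the two lines only disable self-provisioning as a pair; add a comment above `subjects: []` such as `# Intentionally empty: self-provisioning is disabled cluster-wide; autoupdate=false stops the default subject from being restored.` Because this base takes over a binding the cluster created before it was GitOps-managed, it is also worth confirming on the first sync that the live subject list is actually emptied rather than merged into — I can't see the apply tooling from this diff.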
@@ -4,3 +4,5 @@ resources:
 - machineconfigs/99-master-ssh.yaml
 - machineconfigs/99-worker-ssh.yaml
 - ../../base/operators.coreos.com/subscriptions/external-secrets-operator
+- ../../base/config.openshift.io/oauths/cluster
+- ../../base/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners
diff --git a/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
index 020b0af7..d4fba761 100644
--- a/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
+++ b/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
@@ -6,3 +6,6 @@ resources:
 - ../../bundles/acm
 - ../../base/operators.coreos.com/subscriptions/cert-manager
 - clusterversion.yaml
+
+patches:
+ - path: oauths/cluster_patch.yaml
diff --git a/cluster-scope/overlays/nerc-ocp-infra/oauths/cluster_patch.yaml b/cluster-scope/overlays/nerc-ocp-infra/oauths/cluster_patch.yaml
new file mode 100644
index 00000000..701caff8
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-infra/oauths/cluster_patch.yaml
@@ -0,0 +1,15 @@
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+ name: cluster
+spec:
+ identityProviders:
+ - name: github
+ mappingMethod: claim
+ type: GitHub
+ github:
+ clientID: 77915cd4cdb5c4df7723
+ clientSecret:
+ name: github-client-secret
+ teams:
+ - ocp-on-nerc/nerc-ops
From 3a63cab45fb337546d6606e720e47671b077bc8f Mon Sep 17 00:00:00 2001
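Review bot: The `clientSecret` reference `name: github-client-secret` points at a Secret that nothing in this commit creates, and the patch does not say where it is expected to come from (the common overlay pulls in the external-secrets operator, so presumably an ExternalSecret targeting the namespace the OAuth config reads from — worth confirming). Add a comment above `clientSecret:` naming the source, e.g. `# Secret is provisioned out of band (external-secrets); login breaks silently if it is missing`. `OAuth` is a CRD for which kustomize has no strategic-merge schema, so this patch most likely replaces the whole `identityProviders` list rather than appending to it; a one-line comment on `identityProviders:` stating that the overlay owns the full list would prevent a provider later added in the base from being dropped unnoticed. The `teams` entry `ocp-on-nerc/nerc-ops` is the actual access-control boundary here — membership changes in that GitHub team change who can log in without any commit to this repo — and that external dependency deserves a comment too.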
From: Lars Kellogg-Stedman
Date: Fri, 17 Jun 2022 17:47:55 -0400
Subject: [PATCH 2/2] Configure RBAC for cluster admin access
Grant members of the `cluster-admins` group both `cluster-reader` and `sudoer` access. This permits members of this group to see most cluster resources, and to impersonate other users, including the `system:admin` user for full cluster-admin access. From the command line, you can use the `--as` option to impersonate the admin user: oc --as system:admin create ns example
---
 .../clusterrolebinding.yaml | 12 ++++++++++++
 .../kustomization.yaml | 4 ++++
 .../clusterrolebinding.yaml | 12 ++++++++++++
 .../kustomization.yaml | 4 ++++
 .../groups/cluster-admins/group.yaml | 5 +++++
 .../groups/cluster-admins/kustomization.yaml | 4 ++++
 .../cluster-admin-rbac/kustomization.yaml | 6 ++++++
 cluster-scope/overlays/common/kustomization.yaml | 1 +
 .../groups/cluster-admins_patch.yaml | 16 ++++++++++++++++
 .../overlays/nerc-ocp-infra/kustomization.yaml | 1 +
 10 files changed, 65 insertions(+)
 create mode 100644 cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader/clusterrolebinding.yaml
 create mode 100644 cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader/kustomization.yaml
 create mode 100644 cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer/clusterrolebinding.yaml
 create mode 100644 cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer/kustomization.yaml
 create mode 100644 cluster-scope/base/user.openshift.io/groups/cluster-admins/group.yaml
 create mode 100644 cluster-scope/base/user.openshift.io/groups/cluster-admins/kustomization.yaml
 create mode 100644 cluster-scope/bundles/cluster-admin-rbac/kustomization.yaml
 create mode 100644 cluster-scope/overlays/nerc-ocp-infra/groups/cluster-admins_patch.yaml
diff --git a/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader/clusterrolebinding.yaml b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader/clusterrolebinding.yaml
new file mode 100644
index 00000000..08875cac
--- /dev/null
+++ b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-admins-nerc-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-reader
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: cluster-admins
diff --git a/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader/kustomization.yaml b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader/kustomization.yaml
new file mode 100644
index 00000000..464a5f99
--- /dev/null
+++ b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - clusterrolebinding.yaml
diff --git a/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer/clusterrolebinding.yaml b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer/clusterrolebinding.yaml
new file mode 100644
index 00000000..2451e772
--- /dev/null
+++ b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer/clusterrolebinding.yaml
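Review bot: The reader binding carries no comment tying it to its sibling sudoer binding, so the intended split — `cluster-reader` for day-to-day viewing, `sudoer` for explicit `--as system:admin` escalation — lives only in the commit message and is lost to anyone opening this file alone. Add a comment above `roleRef:` such as `# Read-only view for the cluster-admins group; write access needs explicit impersonation via cluster-admins-nerc-sudoer`. The two clusterrolebinding.yaml files in this patch are identical apart from the role name, which is fine, but each should state its role in the pair so that editing one in isolation does not quietly widen the other.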
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-admins-nerc-sudoer
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: sudoer
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: cluster-admins
diff --git a/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer/kustomization.yaml b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer/kustomization.yaml
new file mode 100644
index 00000000..464a5f99
--- /dev/null
+++ b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - clusterrolebinding.yaml
diff --git a/cluster-scope/base/user.openshift.io/groups/cluster-admins/group.yaml b/cluster-scope/base/user.openshift.io/groups/cluster-admins/group.yaml
new file mode 100644
index 00000000..07a49b55
--- /dev/null
+++ b/cluster-scope/base/user.openshift.io/groups/cluster-admins/group.yaml
@@ -0,0 +1,5 @@
+apiVersion: user.openshift.io/v1
+kind: Group
+metadata:
+ name: cluster-admins
+users: []
diff --git a/cluster-scope/base/user.openshift.io/groups/cluster-admins/kustomization.yaml b/cluster-scope/base/user.openshift.io/groups/cluster-admins/kustomization.yaml
new file mode 100644
index 00000000..32f10e89
--- /dev/null
+++ b/cluster-scope/base/user.openshift.io/groups/cluster-admins/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - group.yaml
diff --git a/cluster-scope/bundles/cluster-admin-rbac/kustomization.yaml b/cluster-scope/bundles/cluster-admin-rbac/kustomization.yaml
new file mode 100644
index 00000000..c5a71773
--- /dev/null
+++ b/cluster-scope/bundles/cluster-admin-rbac/kustomization.yaml
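Review bot: Nothing in the sudoer binding records that `name: sudoer` is effectively a cluster-admin grant, nor what that means for accountability; the commit message says it, the file does not. Kubernetes audit events carry the impersonating identity alongside the impersonated one (the `impersonatedUser` field), so actions taken `--as system:admin` remain attributable to the group member — add a comment above `roleRef:` such as `# Break-glass path: grants impersonation of system:admin (effectively cluster-admin); the audit log still records the impersonating user`, so a later reviewer reads this as a deliberate escalation path rather than another read role. The `group.yaml` hunk on this same line creates `cluster-admins` with `users: []`, which leaves both bindings inert until an overlay populates the group; a one-line comment there, `# Membership is set per-cluster in the overlay; the base group is intentionally empty`, would make the base safe to read on its own.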
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer
+- ../../base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader
+- ../../base/user.openshift.io/groups/cluster-admins
diff --git a/cluster-scope/overlays/common/kustomization.yaml b/cluster-scope/overlays/common/kustomization.yaml
index 95110c33..7417e9e8 100644
--- a/cluster-scope/overlays/common/kustomization.yaml
+++ b/cluster-scope/overlays/common/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
 - ../../base/operators.coreos.com/subscriptions/external-secrets-operator
 - ../../base/config.openshift.io/oauths/cluster
 - ../../base/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners
+- ../../bundles/cluster-admin-rbac/
diff --git a/cluster-scope/overlays/nerc-ocp-infra/groups/cluster-admins_patch.yaml b/cluster-scope/overlays/nerc-ocp-infra/groups/cluster-admins_patch.yaml
new file mode 100644
index 00000000..e67e9324
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-infra/groups/cluster-admins_patch.yaml
@@ -0,0 +1,16 @@
+apiVersion: user.openshift.io/v1
+kind: Group
+metadata:
+ name: cluster-admins
+ annotations:
+ kustomize.config.k8s.io/behavior: replace
+users:
+- jtriley
+- larsks
+- tzumainn
+- chrisstafford
+- knikolla
+- aabaris
+- naved001
+- joachimweyl
+- mikthoma
diff --git a/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
index d4fba761..734e77d1 100644
--- a/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
+++ b/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
@@ -9,3 +9,4 @@ resources:
 patches:
 - path: oauths/cluster_patch.yaml
+ - path: groups/cluster-admins_patch.yaml
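Review bot: The new entry `- ../../bundles/cluster-admin-rbac/` in the common overlay ends with a trailing slash while every other entry in this `resources:` list, including the two added in patch 1, has none; kustomize accepts both forms, but the inconsistency makes the list harder to grep and compare across overlays. Drop the slash: `- ../../bundles/cluster-admin-rbac`. The `resources:` list in this file begins above the hunk.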
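Review bot: The `kustomize.config.k8s.io/behavior: replace` annotation in `groups/cluster-admins_patch.yaml` is, as far as I know, honoured by kustomize when a duplicate-ID resource is accumulated via `resources:`, not when a file is applied through `patches:`, which is how the nerc-ocp-infra kustomization wires it in this same patch; if it is not consumed, it is carried into the live Group's `metadata.annotations` as an ordinary annotation. Check the `kustomize build` output and either drop the line or add a comment above it stating why it is needed; for a `user.openshift.io/v1` Group, which kustomize has no merge schema for, the `users` list is most likely replaced wholesale by the patch anyway. The nine names under `users:` are the cluster-admin roster, and the file does not say what namespace of identity they are; assuming they are GitHub logins mapped through the IDP from patch 1 (`mappingMethod: claim`), a comment such as `# GitHub logins as mapped by the github identity provider; this list is the cluster-admin change record` would make that linkage explicit — confirm before writing it.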