Configure RBAC for cluster admin access
Grant members of the `cluster-admins` group both `cluster-reader` and
`sudoer` access. This permits members of this group to see most
cluster resources, and to impersonate other users, including the
`system:admin` user for full cluster-admin access.

From the command line, you can use the `--as` option to impersonate
the admin user:

   oc --as system:admin create ns example
larsks committed Jun 18, 2022
1 parent b603b61 commit 3a63cab
Showing 10 changed files with 65 additions and 0 deletions.
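The commit message above explains that `sudoer` is exercised with `oc --as system:admin ...`. The kube-apiserver audit log records such requests with the real caller in `user` and the assumed identity in `impersonatedUser`, so use of the grant stays attributable and can be reviewed after the fact. The script below is an added example, not code from this repository or from OpenShift: it parses audit events in the JSON-lines form the API server writes (`user`, `impersonatedUser`, `stage`, `verb`, `objectRef`, `responseStatus` are the real `audit.k8s.io/v1` field names) and reports who impersonated whom. The four events embedded in it are constructed for the example; the `ci-bot` record is an invented anomaly to show what an unexpected hit looks like.

```python
"""Report impersonated API requests from a Kubernetes/OpenShift audit log.

Added example, not part of the commit.  Every audit event below is
constructed for illustration; only the field names follow audit.k8s.io/v1.
"""
import json
from collections import Counter


def _event(audit_id, stage, verb, user, groups, resource,
           name=None, as_user=None, code=200):
    """Build a minimal audit.k8s.io/v1 Event (constructed sample data)."""
    ev = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": audit_id, "stage": stage, "verb": verb,
        "user": {"username": user, "groups": groups},
        "objectRef": {"resource": resource, "apiVersion": "v1"},
        "responseStatus": {"code": code},
        "stageTimestamp": "2022-06-18T14:02:11Z",
    }
    if name:
        ev["objectRef"]["name"] = name
    if as_user:
        ev["impersonatedUser"] = {"username": as_user}
    return ev


ADMINS = ["cluster-admins", "system:authenticated"]

# Constructed sample log (JSON lines), not taken from any real cluster.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    # ordinary read by a group member, no impersonation
    _event("a1", "ResponseComplete", "list", "larsks", ADMINS, "pods"),
    # `oc --as system:admin create ns example`: the API server emits one
    # event per stage with the same auditID
    _event("a2", "RequestReceived", "create", "larsks", ADMINS,
           "namespaces", "example", "system:admin"),
    _event("a2", "ResponseComplete", "create", "larsks", ADMINS,
           "namespaces", "example", "system:admin", 201),
    # invented anomaly: impersonation by a caller outside cluster-admins
    _event("a3", "ResponseComplete", "get", "ci-bot", ["system:authenticated"],
           "secrets", "db-creds", "system:admin"),
])


def parse_events(text):
    """Parse JSON-lines audit output into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def impersonated_requests(events, stage="ResponseComplete"):
    """One record per request at `stage` that carried an impersonated identity."""
    hits = []
    for ev in events:
        # keep a single stage so a request is not counted once per stage
        if ev.get("stage", stage) != stage:
            continue
        target = ev.get("impersonatedUser")
        if not target:
            continue
        ref = ev.get("objectRef") or {}
        hits.append({
            "auditID": ev.get("auditID"),
            "actor": ev["user"]["username"],
            "actor_groups": ev["user"].get("groups", []),
            "as_user": target.get("username"),
            "as_groups": target.get("groups", []),
            "verb": ev.get("verb"),
            "resource": ref.get("resource"),
            "name": ref.get("name"),
            "namespace": ref.get("namespace"),
            "code": (ev.get("responseStatus") or {}).get("code"),
            "time": ev.get("stageTimestamp"),
        })
    return hits


def impersonation_summary(events):
    """Count (caller, impersonated user) pairs, e.g. for a daily report."""
    return Counter((h["actor"], h["as_user"]) for h in impersonated_requests(events))


def actors_outside_group(events, group="cluster-admins"):
    """Callers who impersonated someone without `group` in their audit record.

    With the bindings in this commit only `cluster-admins` members hold
    `sudoer`, so any name returned here deserves a look.
    """
    return sorted({h["actor"] for h in impersonated_requests(events)
                   if group not in h["actor_groups"]})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    for h in impersonated_requests(evs):
        print(f'{h["time"]} {h["actor"]} as {h["as_user"]}: '
              f'{h["verb"]} {h["resource"]}/{h["name"]} -> {h["code"]}')
    print("unexpected callers:", actors_outside_group(evs))
```

On OpenShift the real input is the control-plane audit log, for example `oc adm node-logs --role=master --path=kube-apiserver/audit.log`, fed to `parse_events` line by line; filtering on a single `stage` matters because every request appears once per stage.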
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-admins-nerc-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: cluster-admins
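Review bot: the rendered diff carries no file header for this hunk, so its path is only recoverable from the bundle kustomization entry `../../base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader`; a one-line comment in the manifest stating why `cluster-reader` is bound next to `sudoer` (routine inspection without having to impersonate anyone) would keep that intent with the file rather than only in the commit message.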
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- clusterrolebinding.yaml
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-admins-nerc-sudoer
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: sudoer
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: cluster-admins
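Review bot: `sudoer` lets its holders impersonate `system:admin`, so this binding is full cluster-admin for every member of `cluster-admins`, gated only by the caller passing `--as`; the manifest should say so in a comment, and changes to the group's `users:` list (patched per cluster in the overlay) should get the same review as a direct `cluster-admin` binding would.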
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- clusterrolebinding.yaml
@@ -0,0 +1,5 @@
apiVersion: user.openshift.io/v1
kind: Group
metadata:
name: cluster-admins
users: []
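Review bot: `users: []` in the base is the right default, since any overlay that pulls in the bundle without patching the group gets two bindings with no subjects; add a comment saying membership is set per cluster by an overlay patch, so nobody later "fixes" the empty list here and thereby hands `sudoer` to every cluster that inherits `common`.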
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- group.yaml
6 changes: 6 additions & 0 deletions cluster-scope/bundles/cluster-admin-rbac/kustomization.yaml
@@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer
- ../../base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader
- ../../base/user.openshift.io/groups/cluster-admins
1 change: 1 addition & 0 deletions cluster-scope/overlays/common/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
- ../../base/operators.coreos.com/subscriptions/external-secrets-operator
- ../../base/config.openshift.io/oauths/cluster
- ../../base/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners
- ../../bundles/cluster-admin-rbac/
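Review bot: putting the bundle in `overlays/common` gives every cluster built from this overlay the `cluster-reader` and `sudoer` bindings for `cluster-admins`, while only `nerc-ocp-infra` populates the group in this commit; that asymmetry is worth stating in the commit message or next to this line, because the bindings are a latent grant that becomes live the moment any overlay adds users to the group.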
@@ -0,0 +1,16 @@
apiVersion: user.openshift.io/v1
kind: Group
metadata:
name: cluster-admins
annotations:
kustomize.config.k8s.io/behavior: replace
users:
- jtriley
- larsks
- tzumainn
- chrisstafford
- knikolla
- aabaris
- naved001
- joachimweyl
- mikthoma
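Review bot: this list is the effective cluster-admin roster, since anyone on it can become `system:admin` via `sudoer`; whoever can merge a change to `groups/cluster-admins_patch.yaml` under `cluster-scope/overlays/nerc-ocp-infra/` can add themselves, so branch protection and required review on this path should be at least as strict as the cluster's own admin policy. Separately, confirm that `kustomize.config.k8s.io/behavior: replace` has the intended effect: that annotation is documented for generator output (`configMapGenerator`/`secretGenerator`), and for a `patches:` entry on a non-core type such as `user.openshift.io/v1 Group` kustomize already applies merge semantics in which a plain list like `users` is replaced wholesale; a `kustomize build` of the overlay should show exactly these nine users, and whether the annotation survives onto the rendered Group.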
1 change: 1 addition & 0 deletions cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
@@ -9,3 +9,4 @@ resources:

patches:
- path: oauths/cluster_patch.yaml
- path: groups/cluster-admins_patch.yaml
