Red Hat Certified Specialist in OpenShift Administration exam Notes Part 3
Control Access to Resources
OpenShift has predefined roles, but what if you want to create your own? You can create custom roles based on your needs. In order to do this you need to know:
- Role name
- Verb
- Resource
- Project name (if not cluster wide)
The role name is your own definition. The verb is one of get, list, create, update, delete, deletecollection or watch. You can list the available resources (here, those that support the list verb) with
oc api-resources --verbs=list
Examples of creating a local (project) role and a cluster role:
oc create role <name> --verb=<verb> --resource=<resource> -n <project>
oc create clusterrole <name> --verb=<verb> --resource=<resource>
Viewing the role bindings and cluster role bindings (which show each role and who holds it):
oc describe rolebinding.rbac -n <project>
oc describe clusterrolebinding.rbac
Once the custom role is created you can assign it to a group, because the group has the users assigned that require the role. See Part 2 of this series for assigning roles to groups and users.
If you want to see who can do what, run
oc adm policy who-can <verb> <resource>
oc adm policy who-can create projects
Creating and applying secrets to a project. Secrets are used for a variety of things: for example, to pull an image from a private repository or to hold the credentials for connecting to a database. The best way to create secrets, or any other resource, is to write a YAML file with all fields listed. Secrets in YAML files need to have their data base64-encoded.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: <base64 data>
  password: <base64 data>
oc create -f secret.yaml -n <project>
You can expose the secret to your pod's container by modifying the pod spec in the pod YAML file.
apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
  namespace: secret-project
spec:
  containers:
  - name: secret-container
    image: busybox
    command: [ "/bin/sh", "-c", "export" ]
    env:
    - name: Secret-test-env
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
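The secret manifest above is hand-written with base64 placeholders; the following script, added here as an example and not part of the original notes, generates the same manifest from plaintext values and then reads a field back out of it, which is the check you would run on a secret.yaml before creating it in the project. The secret name and keys follow the notes; the values dbuser and s3cr3t-pa55 are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original notes: build the Opaque Secret manifest
# shown above from plaintext values, base64-encoding each field as the
# "data:" block requires, then read a field back to confirm the round trip.
# The secret name "mysecret" and keys "username"/"password" follow the notes;
# the values "dbuser" and "s3cr3t-pa55" are constructed sample input.

# b64 VALUE: base64-encode VALUE with no trailing newline in the input and no
# line wrapping in the output (either would corrupt the stored value).
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# b64_decode ENCODED: reverse of b64.
b64_decode() {
  printf '%s' "$1" | base64 -d
}

# make_secret_manifest NAME USERNAME PASSWORD: print the Secret YAML on stdout.
make_secret_manifest() {
  name="$1"; user="$2"; pass="$3"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
type: Opaque
data:
  username: $(b64 "$user")
  password: $(b64 "$pass")
EOF
}

# secret_field MANIFEST KEY: decode data.KEY from a manifest produced above.
# Running this against a hand-written secret.yaml catches a value that was
# encoded with a stray newline before "oc create -f secret.yaml -n <project>".
secret_field() {
  manifest="$1"; key="$2"
  encoded=$(printf '%s\n' "$manifest" | sed -n "s/^  ${key}: //p")
  b64_decode "$encoded"
}

# Print the manifest; redirect to secret.yaml to use it with oc create -f.
make_secret_manifest mysecret dbuser 's3cr3t-pa55'
```

Two points worth keeping in mind from this: base64 is an encoding, not encryption, so anyone whose role grants get or list on the secrets resource in the project can recover the plaintext exactly as secret_field does, which is why the verbs you put in a custom role matter. If you would rather not encode by hand, a Secret also accepts a stringData: block with plaintext values that the API server encodes on admission.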
There are three default service accounts in each project:
- default
- deploy
- build
A service account can be used like a user. Many connections from outside OpenShift use service accounts, such as setting up Kubernetes authentication to HashiCorp Vault; this is best handled with a service account. You assign roles to service accounts just like users and groups.
oc get sa -n <project>
oc create sa <service-account-name> -n <project>
oc describe sa <service-account-name> -n <project>
oc adm policy add-role-to-user <role> system:serviceaccount:<project>:<service-account-name>
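The custom-role section above uses oc create role, and this section uses oc adm policy add-role-to-user with a system:serviceaccount subject. The script below, added here as an example and not from the original notes, produces the manifest form of both (a namespaced Role with an explicit verb and resource list, plus a RoleBinding whose subject is a service account) and includes a small check that the role grants only the verbs you intended. The project app-dev, service account vault-auth and role pod-reader are constructed values for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: the manifest equivalents of
#   oc create role <name> --verb=<verb> --resource=<resource> -n <project>
#   oc adm policy add-role-to-user <role> system:serviceaccount:<project>:<sa>
# i.e. a namespaced Role with an explicit verb/resource list and a RoleBinding
# whose subject is a service account. The project "app-dev", service account
# "vault-auth" and role "pod-reader" (get/list/watch on pods) are constructed
# values for this example.

# csv_to_yaml "a,b,c": render a comma-separated list as a YAML flow-list body.
csv_to_yaml() {
  printf '%s\n' "$1" | sed 's/,/", "/g; s/^/"/; s/$/"/'
}

# make_role PROJECT NAME APIGROUP VERBS RESOURCES: print a Role manifest.
# APIGROUP is "" for core resources such as pods and "apps" for deployments.
make_role() {
  project="$1"; name="$2"; group="$3"; verbs="$4"; resources="$5"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${name}
  namespace: ${project}
rules:
- apiGroups: [$(csv_to_yaml "$group")]
  resources: [$(csv_to_yaml "$resources")]
  verbs: [$(csv_to_yaml "$verbs")]
EOF
}

# make_sa_binding PROJECT ROLE SA: bind ROLE to service account SA in PROJECT.
# The subject below is the object that system:serviceaccount:<project>:<sa> names.
make_sa_binding() {
  project="$1"; role="$2"; sa="$3"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${role}-${sa}
  namespace: ${project}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${project}
roleRef:
  kind: Role
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# role_has_verb MANIFEST VERB: succeed if the Role grants VERB. A quick local
# least-privilege check before "oc adm policy who-can" on the live cluster.
role_has_verb() {
  printf '%s\n' "$1" | grep '^  verbs:' | grep -q "\"$2\""
}

# Print both manifests; pipe the output into "oc create -f -" to apply them.
make_role app-dev pod-reader "" get,list,watch pods
echo '---'
make_sa_binding app-dev pod-reader vault-auth
```

Generating the Role from a list rather than typing it keeps the verb set visible in one place, so a review can confirm that a read-only role really has no create, update or delete in it; the binding is scoped to the project because both the Role and the subject carry the namespace.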