Red Hat Certified Specialist in OpenShift Administration exam Notes Part 2
Manage Users and Policies
Create an HTPasswd file to store as a secret in the openshift-config project. Adding users to the htpasswd file gives them authentication into OpenShift.
htpasswd -c -B -b </path/htpasswd_file> <user> <password>
The ‘-c’ flag creates the htpasswd file. The ‘-B’ flag ensures the password is hashed with bcrypt. The ‘-b’ flag lets you put the password on the command line; if you omit it (the best practice), htpasswd prompts you for the password instead. After the htpasswd file is created, you create a secret in the openshift-config project that the identity provider uses for authentication.
oc create secret generic htpass-secret --from-file=htpasswd=</path/htpasswd_file> -n openshift-config
Notice the --from-file argument: the htpasswd= key name tells OpenShift that the secret holds an htpasswd file.
So how do you add someone to the HTPasswd identity provider in OpenShift? Extract the htpasswd secret from the openshift-config project, add the user to the extracted htpasswd file, then replace the htpasswd secret with the new file.
oc get secret -n openshift-config
oc extract secret/htpass-secret --to - -n openshift-config > htpasswd_file
htpasswd -B -b htpasswd_file <username> <password>
oc create secret generic htpass-secret --from-file=htpasswd=htpasswd_file --dry-run=client -o yaml -n openshift-config | oc replace -f -
That last line has a lot to it. It creates a secret named htpass-secret from the updated file, keeping the htpasswd key. Using --dry-run=client ensures nothing is sent to OpenShift; -o yaml prints the resulting manifest to standard output instead. Run the first half of the command on its own to see the output and how the secret is set up. The yaml is then piped to oc replace, which swaps in the new secret. Now the new user is added. You can verify by getting the identities and logging in as the user.
oc get identity
oc login -u <username>
oc get users
Modifying a user's password is the same procedure as creating a new user: extract the htpasswd secret, run the htpasswd command to update the password in the file, then replace the htpasswd secret.
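As an added example (not part of the original notes), a small Python audit of the htpasswd secret: it builds the manifest shape that the --dry-run command above emits, with the required htpasswd key, then decodes the entries and flags users whose hash was not made with -B (bcrypt) and users listed twice. The sample hashes are constructed placeholders.

```python
import base64

# Constructed sample htpasswd data: placeholder hashes shaped like real entries
# (not real credentials): bcrypt (htpasswd -B), Apache MD5, SHA-1, and a duplicate.
SAMPLE_HTPASSWD = (
    "admin:$2y$05$PLACEHOLDERSALT.......PLACEHOLDERHASH.......000000\n"
    "developer:$apr1$saltsalt$PLACEHOLDERMD5HASH00\n"
    "auditor:{SHA}PLACEHOLDERSHA1HASHVALUE000=\n"
    "developer:$2y$05$PLACEHOLDERSALT.......PLACEHOLDERHASH.......111111\n"
)

def build_secret(htpasswd_text, name="htpass-secret"):
    """Shape of `oc create secret generic NAME --from-file=htpasswd=FILE
    --dry-run=client -o yaml -n openshift-config`. The data key must be
    `htpasswd`; the HTPasswd identity provider reads only that key."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": "openshift-config"},
        "type": "Opaque",
        "data": {"htpasswd": base64.b64encode(htpasswd_text.encode()).decode()},
    }

def hash_scheme(hashed):
    """Classify an htpasswd hash by its prefix."""
    if hashed.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hashed.startswith("$apr1$"):
        return "md5"
    if hashed.startswith("{SHA}"):
        return "sha1"
    return "crypt"

def audit_secret(secret):
    """Decode a secret's htpasswd data; report non-bcrypt hashes and duplicate users."""
    if "htpasswd" not in secret.get("data", {}):
        raise ValueError("no 'htpasswd' key: the identity provider would find no users")
    text = base64.b64decode(secret["data"]["htpasswd"]).decode()
    users, weak, dupes = [], [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # skip blanks and '#' comments
            continue
        user, _, hashed = line.partition(":")
        if user in users:
            dupes.append(user)
        users.append(user)
        if hash_scheme(hashed) != "bcrypt":
            weak.append((user, hash_scheme(hashed)))
    return {"users": users, "weak": weak, "duplicates": dupes}
```

Feed audit_secret the JSON from `oc get secret htpass-secret -n openshift-config -o json` to check a live cluster's secret the same way.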
Several roles are set up in OpenShift by default: admin, basic-user, cluster-admin, cluster-status, edit, self-provisioner, and view. You assign the roles with the ‘oc adm policy’ command, using one of several subcommands depending on what you need.
- add-role-to-user
- add-role-to-group
- add-cluster-role-to-user
oc adm policy add-role-to-user <role> <user> -n <project>
oc adm policy add-role-to-group <role> <group> -n <project>
oc describe rolebinding.rbac -n <project>
oc adm policy add-cluster-role-to-user cluster-admin <user>
oc adm policy remove-role-from-user <role> <user> -n <project>
oc adm policy remove-role-from-group <role> <group> -n <project>
oc describe rolebinding.rbac -n <project>
oc adm policy remove-cluster-role-from-user cluster-admin <user>
CRC (CodeReady Containers) comes with two users, developer and kubeadmin. The developer user is in the htpasswd secret; the kubeadmin user is in a secret in the kube-system project. The kubeadmin user can be removed by deleting that secret from the kube-system project.
oc delete secrets kubeadmin -n kube-system
It is best to organize users around groups. Create groups with the roles and permissions needed for the group to do the job. OpenShift comes with some default virtual groups.
- system:authenticated
- system:authenticated:oauth
- system:unauthenticated
oc adm groups new <group>
oc adm groups new <group> <user>
oc adm groups add-users <group> <user1> <user2> ...
oc adm groups remove-users <group> <user1> <user2> ...