OpenShift - Disable new Project creation using self-provisioners Cluster Role Binding

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

By default, once a user has signed into OpenShift, they are allowed to create new projects, because the self-provisioners Cluster Role Binding grants the self-provisioner Cluster Role to the system:authenticated:oauth group (every user who has logged in through OAuth). Self-provisioning can be disabled as follows. Both steps are needed: the first removes the grant, the second keeps it removed.

Issue the following command so that the self-provisioners Cluster Role Binding resource has no subjects.

oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'

Issue the following command so that the self-provisioners Cluster Role Binding resource is not reset to its default subjects when the control plane (master) nodes or the API server are restarted or upgraded. The binding already carries this annotation with a value of true, so --overwrite is required; without it, oc annotate refuses to change the existing value.

oc annotate clusterrolebinding.rbac self-provisioners 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite

The oc describe clusterrolebinding.rbac self-provisioners command should now return something like this, where Subjects: lists no Kind, Name, or Namespace and the autoupdate annotation is false.

~]$ oc describe clusterrolebinding.rbac self-provisioners
Name:         self-provisioners
Labels:       <none>
Annotations:  rbac.authorization.kubernetes.io/autoupdate: false
Role:
  Kind:  ClusterRole
  Name:  self-provisioner
Subjects:
  Kind  Name  Namespace
  ----  ----  --------

 

And this one liner can be used to confirm that rbac.authorization.kubernetes.io/autoupdate is false and that subjects is null. Note that it reads the kubectl.kubernetes.io/last-applied-configuration annotation, which only exists, and is only refreshed, when the resource was created or changed with oc apply; oc patch and oc annotate do not update it, so on some clusters it prints nothing. To validate the live object, inspect the subjects field and the autoupdate annotation of the binding itself (for example by having oc get output the binding as JSON) rather than the last-applied annotation.

~]$ oc get clusterrolebinding.rbac self-provisioners --output jsonpath="{.metadata.annotations.kubectl\.kubernetes\.io/last-applied-configuration}" | python -m json.tool
{
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {
        "annotations": {
            "rbac.authorization.kubernetes.io/autoupdate": "false"
        },
        "managedFields": null,
        "name": "self-provisioners"
    },
    "roleRef": {
        "apiGroup": "rbac.authorization.k8s.io",
        "kind": "ClusterRole",
        "name": "self-provisioner"
    },
    "subjects": null
}
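The following script is an added example, not part of the original article or of OpenShift, that audits the live binding instead of the last-applied annotation. It expects the JSON of oc get clusterrolebinding.rbac self-provisioners -o json on stdin and reports every reason self-provisioning is still (or will again be) enabled: a subject that is still bound, the roleRef pointing somewhere unexpected, or the autoupdate annotation not being the literal string "false". Run with no input, it exercises three constructed sample bindings (the default, the binding after the patch step only, and the fully hardened binding); the function and variable names are this example's own.

```python
"""Offline audit of the self-provisioners ClusterRoleBinding.

Feed it the JSON of `oc get clusterrolebinding.rbac self-provisioners -o json`
on stdin, or run it without input to exercise the embedded (constructed) samples.
"""
import json
import sys

AUTOUPDATE_ANNOTATION = "rbac.authorization.kubernetes.io/autoupdate"
# The group the default binding grants self-provisioner to (every OAuth-authenticated user).
DEFAULT_SUBJECT = ("Group", "system:authenticated:oauth")


def check_self_provisioners(crb: dict) -> list[str]:
    """Return findings for a ClusterRoleBinding object; [] means self-provisioning is disabled and pinned."""
    findings: list[str] = []
    meta = crb.get("metadata") or {}
    if crb.get("kind") != "ClusterRoleBinding" or meta.get("name") != "self-provisioners":
        return ["object is not the self-provisioners ClusterRoleBinding"]

    role = crb.get("roleRef") or {}
    if (role.get("kind"), role.get("name")) != ("ClusterRole", "self-provisioner"):
        findings.append(f"roleRef is {role.get('kind')}/{role.get('name')}, expected ClusterRole/self-provisioner")

    # `oc patch ... '{"subjects": null}'` leaves the key absent or null; an empty list is equivalent.
    for subject in crb.get("subjects") or []:
        ident = (subject.get("kind"), subject.get("name"))
        where = f" in namespace {subject['namespace']}" if subject.get("namespace") else ""
        tag = "default subject still present" if ident == DEFAULT_SUBJECT else "subject present"
        findings.append(f"{tag}: {ident[0]}/{ident[1]}{where}")

    # Anything other than the literal string "false" lets the API server restore the default subjects.
    autoupdate = (meta.get("annotations") or {}).get(AUTOUPDATE_ANNOTATION)
    if autoupdate != "false":
        findings.append(f"{AUTOUPDATE_ANNOTATION} is {autoupdate!r}, expected 'false' (binding will be reset on restart)")
    return findings


def sample_binding(subjects, autoupdate: str) -> dict:
    """Constructed sample in the shape `oc get -o json` returns (not captured from a real cluster)."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "self-provisioners", "annotations": {AUTOUPDATE_ANNOTATION: autoupdate}},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "self-provisioner"},
        "subjects": subjects,
    }


# Constructed samples: the cluster default, the patch step alone, and both steps applied.
DEFAULT_BINDING = sample_binding(
    [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:authenticated:oauth"}], "true")
PATCHED_ONLY = sample_binding(None, "true")   # subjects removed but not pinned: reverts on restart
HARDENED = sample_binding(None, "false")      # subjects removed and autoupdate pinned


def main() -> int:
    if not sys.stdin.isatty():
        findings = check_self_provisioners(json.load(sys.stdin))
        print("\n".join(findings) or "OK: self-provisioning disabled and pinned")
        return 1 if findings else 0
    for label, crb in (("default", DEFAULT_BINDING), ("patched only", PATCHED_ONLY), ("hardened", HARDENED)):
        print(f"[{label}]", check_self_provisioners(crb) or "OK")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Typical use on a cluster is oc get clusterrolebinding.rbac self-provisioners -o json | python3 audit_self_provisioners.py, with the non-zero exit status suitable for a compliance job. The "patched only" sample is the state to watch for: oc describe shows no subjects, yet the next API server restart silently re-grants project creation to every authenticated user.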

 

Log in as a regular user (not one bound to cluster-admin, which still permits project requests) and use oc new-project to try to create a new project.

oc new-project my-project

 

Something like this should be returned, confirming that the user can no longer self-provision a project.

~]$ oc new-project my-project
Error from server (Forbidden): You may not request a new project via this API.

 
Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |