Bootstrap FreeKB - OpenShift - Disable new Project creation by editing the self-provisioners Cluster Role Binding
OpenShift - Disable new Project creation by editing the self-provisioners Cluster Role Binding

Updated:   |  OpenShift articles

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

By default, once a user has signed into OpenShift, they are allowed to create new projects. This can be disabled in the following ways:


The self-provisioners Cluster Role Binding can be updated, removing the system:authenticated group, so that even after a user signs into OpenShift, by default, they will not be allowed to create new projects. Be aware that you may have similar self provisioners Cluster Role Binding, perhaps like this. You will need to edit the self-provisioners (with the "s") Cluster Role Binding.

~]$ oc get clusterrolebinding | grep -i self-provisioner
self-provisioner      ClusterRole/self-provisioner    9d
self-provisioner-0    ClusterRole/self-provisioner    6d11h
self-provisioners     ClusterRole/self-provisioner    646d

 

By default, the self-provisioners Cluster Role Binding should have something like this, where the system:authenticated group is associated with the self-provisioners Cluster Role Binding. Removing the system:authenticated group will make it so that new projects cannot be created by simply just authenticating into OpenShift.

~]$ oc describe clusterrolebinding self-provisioners
Name:         self-provisioners
Labels:       <none>
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  self-provisioner
Subjects:
  Kind    Name                       Namespace
  ----    ----                       --------
  Group  system:authenticated:oauth

 

Likewise, if you display the YAML output, you can see that subjects contains the system:authenticated group.

~]$ oc get clusterrolebinding self-provisioners --output yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{"rbac.authorization.kubernetes.io/autoupdate":"true"},"managedFields":null,"name":"self-provisioners"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"self-provisioner"},"subjects":{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:authenticated:oauth"}}
    rbac.authorization.kubernetes.io/autoupdate: "false"
  creationTimestamp: "2021-07-16T17:15:11Z"
  name: self-provisioners
  resourceVersion: "330943554"
  uid: fbd6c026-9f8e-4e81-a360-29208c9015c6
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: self-provisioner
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated:oauth

 

This one liner command can be used to update the self-provisioners Cluster Role Binding to have no Subjects.

oc patch clusterrolebinding self-provisioners --patch '{"subjects": null}'

 

Alos use the oc annotate command so that the self-provisioners Cluster Role Binding resource does not auto update if the master nodes are restarted.

oc annotate clusterrolebinding self-provisioners rbac.authorization.kubernetes.io/autoupdate=false --overwrite

 

The oc describe clusterrolebinding command should now return something like this.

  • autoupdate is false
  • no Subjects
~]$ oc describe clusterrolebinding self-provisioners
Name:         self-provisioners
Labels:       <none>
Annotations:  rbac.authorization.kubernetes.io/autoupdate: false
Role:
  Kind:  ClusterRole
  Name:  self-provisioner
Subjects:
  Kind  Name  Namespace
  ----  ----  --------

 

Let use the oc new-project to try to create a new project and something like this should be returned.

~]$ oc new-project my-project
Error from server (Forbidden): You may not request a new project via this API.

 

What you probably want to do is to then create a group that will be allowed to create projects.

~]$ oc adm groups new self-provisioners
group.user.openshift.io/self-provisioners created

 

Use oc adm policy add-cluster-role-to-group to grant the group the self-provisioners role.

~]$ oc adm policy add-cluster-role-to-group self-provisioner self-provisioners
clusterrole.rbac.authorization.k8s.io/self-provisioner added: "self-provisioners"

 

Then add the users to the group that you want to allow to create projects.

~]$ oc adm groups add-users self-provisioners john.doe jane.doe
group.user.openshift.io/self-provisioners added: ["john.doe" "jane.doe"]

 

Now when you login as a users that is a member of the self-provisioners group, something like this should be displayed.

~]$ oc login -u john.doe
Authentication required for https://api.lab001.op.thrivent.com:6443 (openshift)
Username: john.doe
Password: 
Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

 

And the user should be able to create a new project.

~]$ oc new-project my-project
Now using project "my-project" on server "https://api.openshift.example.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=k8s.gcr.io/e2e-test-images/agnhost:2.33 -- /agnhost serve-hostname

 




Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee



Comments


Add a Comment


Please enter b4f237 in the box below so that we can be sure you are a human.