
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
By default, once a user has signed into OpenShift, they are allowed to create new projects. This can be disabled in the following ways:
- Add projectRequestMessage to project.config.openshift.io/cluster
- Set clusterrolebindings self-provisioners subjects to null and disable auto updates (this article)
The self-provisioners Cluster Role Binding can be updated to remove the system:authenticated group, so that a user who signs into OpenShift will, by default, no longer be allowed to create new projects. Be aware that you may have several similarly named self-provisioner Cluster Role Bindings, like the ones shown here. The one to edit is self-provisioners (with the "s").
~]$ oc get clusterrolebinding | grep -i self-provisioner
self-provisioner ClusterRole/self-provisioner 9d
self-provisioner-0 ClusterRole/self-provisioner 6d11h
self-provisioners ClusterRole/self-provisioner 646d
By default, the self-provisioners Cluster Role Binding should look something like this, with the system:authenticated group listed as a subject of the binding. Removing the system:authenticated group means that simply authenticating to OpenShift no longer allows a user to create new projects.
~]$ oc describe clusterrolebinding self-provisioners
Name:         self-provisioners
Labels:       <none>
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  self-provisioner
Subjects:
  Kind   Name                        Namespace
  ----   ----                        ---------
  Group  system:authenticated:oauth
Likewise, if you display the YAML output, you can see that subjects contains the system:authenticated group.
~]$ oc get clusterrolebinding self-provisioners --output yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{"rbac.authorization.kubernetes.io/autoupdate":"true"},"managedFields":null,"name":"self-provisioners"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"self-provisioner"},"subjects":{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:authenticated:oauth"}}
    rbac.authorization.kubernetes.io/autoupdate: "false"
  creationTimestamp: "2021-07-16T17:15:11Z"
  name: self-provisioners
  resourceVersion: "330943554"
  uid: fbd6c026-9f8e-4e81-a360-29208c9015c6
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: self-provisioner
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated:oauth
This one-liner can be used to update the self-provisioners Cluster Role Binding so that it has no Subjects.
oc patch clusterrolebinding self-provisioners --patch '{"subjects": null}'
Also use the oc annotate command so that the self-provisioners Cluster Role Binding is not automatically reset to its defaults (auto update) if the master nodes are restarted.
oc annotate clusterrolebinding self-provisioners rbac.authorization.kubernetes.io/autoupdate=false --overwrite
The oc describe clusterrolebinding command should now return something like this, where:
- autoupdate is false
- no Subjects
~]$ oc describe clusterrolebinding self-provisioners
Name:         self-provisioners
Labels:       <none>
Annotations:  rbac.authorization.kubernetes.io/autoupdate: false
Role:
  Kind:  ClusterRole
  Name:  self-provisioner
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
Use oc new-project to try to create a new project; something like this should be returned.
~]$ oc new-project my-project
Error from server (Forbidden): You may not request a new project via this API.
You probably then want to create a group whose members will be allowed to create projects.
~]$ oc adm groups new self-provisioners
group.user.openshift.io/self-provisioners created
Use oc adm policy add-cluster-role-to-group to grant the self-provisioner cluster role to the group.
~]$ oc adm policy add-cluster-role-to-group self-provisioner self-provisioners
clusterrole.rbac.authorization.k8s.io/self-provisioner added: "self-provisioners"
Then add the users to the group that you want to allow to create projects.
~]$ oc adm groups add-users self-provisioners john.doe jane.doe
group.user.openshift.io/self-provisioners added: ["john.doe" "jane.doe"]
Now when you log in as a user who is a member of the self-provisioners group, something like this should be displayed.
~]$ oc login -u john.doe
Authentication required for https://api.lab001.op.thrivent.com:6443 (openshift)
Username: john.doe
Password:
Login successful.
You don't have any projects. You can try to create a new project, by running
oc new-project <projectname>
And the user should be able to create a new project.
~]$ oc new-project my-project
Now using project "my-project" on server "https://api.openshift.example.com:6443".
You can add applications to this project with the 'new-app' command. For example, try:
oc new-app rails-postgresql-example
to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:
kubectl create deployment hello-node --image=k8s.gcr.io/e2e-test-images/agnhost:2.33 -- /agnhost serve-hostname
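Because several bindings to the self-provisioner cluster role can coexist (self-provisioner, self-provisioner-0, self-provisioners), emptying only one of them is not enough, and an emptied binding without autoupdate=false can be restored on a master restart. The following audit script is an added example, not part of the original article: it reads the JSON that oc get clusterrolebinding -o json produces and flags both conditions. The SAMPLE document is constructed for the example and is not real cluster output.

```python
import json

SELF_PROVISIONER_ROLE = "self-provisioner"
AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"
# Every logged-in user is in these groups; binding either one to the
# self-provisioner role lets anyone who can authenticate create projects.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth"}


def audit_self_provisioning(bindings_json):
    """Audit the output of `oc get clusterrolebinding -o json`.

    Returns a sorted list of (binding name, issue) tuples for every binding
    to the self-provisioner ClusterRole that still grants a broad group, or
    that was emptied but lacks autoupdate=false and may be re-populated.
    """
    findings = []
    for crb in json.loads(bindings_json).get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != SELF_PROVISIONER_ROLE:
            continue
        meta = crb["metadata"]
        name = meta["name"]
        # After `oc patch ... '{"subjects": null}'` the key is null, not [].
        subjects = crb.get("subjects") or []
        broad = sorted(s["name"] for s in subjects
                       if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS)
        if broad:
            findings.append((name, "grants " + ", ".join(broad)))
        autoupdate = (meta.get("annotations") or {}).get(AUTOUPDATE, "true")
        if not subjects and str(autoupdate).lower() != "false":
            findings.append((name, "subjects empty but autoupdate is not false"))
    return sorted(findings)


# Constructed sample: one binding still open, one fully hardened, one only
# half done, and an unrelated binding that must be ignored.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "self-provisioner-0"},
     "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"},
     "subjects": [{"kind": "Group", "name": "system:authenticated:oauth"}]},
    {"metadata": {"name": "self-provisioners", "annotations": {AUTOUPDATE: "false"}},
     "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"}, "subjects": None},
    {"metadata": {"name": "self-provisioner", "annotations": {AUTOUPDATE: "true"}},
     "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"}, "subjects": None},
    {"metadata": {"name": "basic-users"},
     "roleRef": {"kind": "ClusterRole", "name": "basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]})

if __name__ == "__main__":
    for name, issue in audit_self_provisioning(SAMPLE):
        print(f"{name}: {issue}")
```

On a real cluster, pipe the live output in: oc get clusterrolebinding -o json | python3 audit.py (after replacing SAMPLE with sys.stdin.read()).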