OpenShift - Schedule LDAP sync using cronjob


This assumes you have already imported one or more groups into OpenShift using LDAP sync. If not, check out my article FreeKB - OpenShift - Import Users and Groups using ldap-sync.

First and foremost, you will need to sign into OpenShift.

oc login -u admin

 

A cronjob can be used to run the oc adm groups sync command on a recurring schedule. Almost always, this is set up in a project / namespace named ldap-sync. The oc new-project command can be used to create the ldap-sync namespace.

oc new-project ldap-sync

 

Let's say you will be creating a cronjob using the following template YAML file, for example named cronjob.yml.

  • Notice the cronjob is run using the ldap-sync Service Account
  • Notice the sync-config file is expected to be located at /ldap-sync/ldap-sync-config.yml in the container
  • Notice the whitelist file is expected to be located at /ldap-sync/ldap-sync-whitelist.txt in the container

# batch/v1 is the stable CronJob API; batch/v1beta1 was removed in Kubernetes 1.25 (OpenShift 4.12)
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ldap-sync
spec:
  schedule: "15,45 * * * *"
  concurrencyPolicy: "Replace"
  startingDeadlineSeconds: 200
  suspend: false
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          # serviceAccountName belongs to the pod spec, not to the container
          serviceAccountName: ldap-sync
          containers:
          - name: ldap-sync
            image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8f41914121ef8af6272e1dd020d1fe81497c9d8510ba48ce56d7309137d74b00
            command: ["oc", "adm", "groups", "sync", "--sync-config=/ldap-sync/ldap-sync-config.yml", "--whitelist=/ldap-sync/ldap-sync-whitelist.txt", "--confirm"]
            volumeMounts:
            # the secret's keys become the file names under this directory
            - mountPath: /ldap-sync/
              name: config
              readOnly: true
          volumes:
          - name: config
            secret:
              defaultMode: 420   # decimal 420 = octal 0644
              secretName: ldap-sync

 

 

The ldap-sync Service Account

The oc create serviceaccount command can be used to create a Service Account named ldap-sync.

oc create serviceaccount ldap-sync --namespace ldap-sync

 

Let's create a YAML file with the following markup to create a cluster role. For example, perhaps the YAML file is named ldap-group-sync.yml.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ldap-group-sync
rules:
- apiGroups:
  - user.openshift.io
  resources:
  - groups
  verbs:
  - create
  - update
  - patch
  - delete
  - get
  - list

 

The oc apply or oc create command with the -f or --filename option can be used to create a cluster role named ldap-group-sync using the template YAML file. Check out my article FreeKB - OpenShift - Create Cluster Role using a YAML template file for more details on creating a role using a template YAML file.

~]$ oc apply --filename ldap-group-sync.yml
rbac.authorization.k8s.io/ldap-group-sync created

 

The oc create clusterrolebinding command can then be used to create a Cluster Role Binding named ldap-group-sync that binds the ldap-sync Service Account in the ldap-sync namespace to the ldap-group-sync Cluster Role.

oc create clusterrolebinding ldap-group-sync --clusterrole ldap-group-sync --serviceaccount ldap-sync:ldap-sync

 

Now, the Service Account named ldap-sync in the ldap-sync namespace has the permissions listed in the ldap-group-sync Cluster Role. Because those permissions allow creating, changing and deleting groups cluster-wide, which in turn decides who is covered by any role binding that targets a group, access to the ldap-sync namespace and the secret it holds should be limited to cluster administrators.

The oc create secret command can be used to create a secret named ldap-sync in the ldap-sync namespace that contains the whitelist file listing the Users and Groups you want to import into OpenShift from LDAP and the LDAPSyncConfig YAML file. The key names in the secret become the file names under the /ldap-sync/ mount, so each key is given explicitly (key=path) to match the paths in the cronjob command.

~]# oc create secret generic ldap-sync --from-file=ldap-sync-whitelist.txt=/path/to/whitelist.yml --from-file=ldap-sync-config.yml=/path/to/config.yml --namespace ldap-sync
secret "ldap-sync" created

 

The oc apply command can be used to create the cronjob in the ldap-sync namespace.

oc apply --filename cronjob.yml --namespace ldap-sync

 

And the oc get cronjob command can be used to verify that the cronjob exists.

~]$ oc get cronjob --namespace ldap-sync
NAME              SCHEDULE             SUSPEND   ACTIVE   LAST SCHEDULE   AGE
ldap-group-sync   15,45 0,2-23 * * *   False     0        51m             364d
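The quietest way for this setup to fail is a mismatch between the secret's key names and the file paths in the cronjob command, so here is an added verification script (my example, not part of the FreeKB article). It assumes the names used above (namespace, cronjob and secret all called ldap-sync) and, for the live check only, a logged-in oc session with cluster-admin.

```shell
#!/bin/sh
# Verifies that every --sync-config / --whitelist path in the container command has a
# matching key in the mounted secret, then confirms the Service Account really holds
# the group write permission the ClusterRole is meant to grant.

# Print the secret keys the container command expects, given the command as a JSON
# array (the form `oc get ... -o jsonpath` prints) and the secret's mountPath.
expected_keys() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/[][" ]//g' \
    | sed -n -e 's#^--sync-config='"$2"'##p' -e 's#^--whitelist='"$2"'##p' \
    | sed 's#^/##'   # tolerate a mountPath given without its trailing slash
}

# Print every key from $1 (newline separated) that is absent from $2 (newline separated).
missing_keys() {
  printf '%s\n' "$1" | while IFS= read -r key; do
    [ -n "$key" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$key" || printf '%s\n' "$key"
  done
}

# Live check against the cluster. Run with: sh check-ldap-sync.sh --check
live_check() {
  ns=ldap-sync
  path='{.spec.jobTemplate.spec.template.spec.containers[0]'
  cmd=$(oc get cronjob ldap-sync -n "$ns" -o jsonpath="$path.command}")
  mnt=$(oc get cronjob ldap-sync -n "$ns" -o jsonpath="$path.volumeMounts[0].mountPath}")
  have=$(oc get secret ldap-sync -n "$ns" \
           -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}')
  miss=$(missing_keys "$(expected_keys "$cmd" "$mnt")" "$have")
  if [ -n "$miss" ]; then
    printf 'secret ldap-sync is missing key(s) the cronjob command expects:\n%s\n' "$miss"
    return 1
  fi
  # The SA must be allowed to write groups cluster-wide; this is also the permission to watch.
  oc auth can-i create groups.user.openshift.io --as="system:serviceaccount:$ns:ldap-sync"
}

if [ "${1:-}" = "--check" ]; then
  live_check
fi
```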

 

After the cronjob has run, the oc get jobs command should show the completed jobs.

~]$ oc get jobs --namespace ldap-sync
NAME                       COMPLETIONS   DURATION   AGE
ldap-group-sync-28729425   1/1           19s        112m
ldap-group-sync-28729455   1/1           19s        82m
ldap-group-sync-28729485   1/1           18s        52m

 

The oc get groups command can be used to list the groups in OpenShift. Be aware that this may also include groups that were added to OpenShift outside of the LDAP sync process.

~]$ oc get groups
NAME                          USERS
foo                           jack.doe jacob.doe
bar                           josh.doe jenny.doe

 

Once groups have been synced, the oc describe group command should show the LDAP labels and annotations.

~]$ oc describe group foo
Name:           foo
Created:        4 months ago
Labels:         openshift.io/ldap.host=ldap.example.com
Annotations:    openshift.io/ldap.sync-time=2024-02-02T09:45:06Z
                openshift.io/ldap.uid=CN=foo,OU=OpenShift,OU=Groups-O365,OU=Groups,DC=ldap,DC=example,DC=com
                openshift.io/ldap.url=ldap.example.com:636
Users:          john.doe
                jane.doe

 

Refer to this article if you want to remove Users or Groups from OpenShift that are no longer in LDAP - FreeKB - OpenShift - Remove LDAP Group using oc adm prune groups
