Openshift RBAC for Network Admin
Openshif RBAC for Network Admin⌗
In order for a network admin to manage the NetworkPolicy objects in a cluster, they will need a set of extended rules. This ruleset will allow the network admin to see all the projects and namespaces, along with a view only on the pods and services within each projects to allow them to configure the appropriate rules.
A brief list of what the Network Admins will be able to do:
list
and get
on:
- Namespaces
- Projects
- Pods
- Services
- Endpoints
- Networkpolicies
create
, delete
and patch
on:
- Networkpolicies
This is done by creating a new ClusterRole
First, create the network-admin ClusterRole yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
name: network-admin
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- apiGroups:
- ""
- project.openshift.io
resources:
- projects
verbs:
- get
- list
- apiGroups:
- ""
resources:
- endpoints
- pods
- services
- services/status
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- edit
- delete
- patch
- create
- apiGroups:
- extensions
resources:
- networkpolicies
verbs:
- get
- list
- watch
- edit
- delete
- patch
- create
Then create this ClusterRole
# oc create -f network-admin.yaml
clusterrole.rbac.authorization.k8s.io/network-admin created
Once this is created, Network Admin users can have this ClusterRole added to them
# oc adm policy add-cluster-role-to-user network-admin user2
clusterrole.rbac.authorization.k8s.io/network-admin added: "user2"
Alternatively, if there is a group for the Network Admins, this ClusterRole can be applied to the group.
# oc adm policy add-cluster-role-to-group network-admin network-admins-group
clusterrole.rbac.authorization.k8s.io/network-admin added: "network-admins-group"
Read other posts
Comments