2022-06-24 00:07:00 【IT migrant worker Brother Goldfish】
DO280 OpenShift Access control – Manage projects and accounts
Personal profile: Hello everyone, I am Brother Goldfish, CSDN New Star Creator in the operations and maintenance field, Huawei Cloud sharing expert, Alibaba Cloud community expert blogger
Personal qualifications: CCNA, HCNP, CSNA (Network Analyst), Soft Exam junior and intermediate network engineer, RHCSA, RHCE, RHCA, RHCI, ITIL
Motto: hard work does not guarantee success, but if you want to succeed you must work hard. Support me: like, favorite ️, leave a comment
List of articles
- DO280 OpenShift Access control – Manage projects and accounts
- Kubectl namespace
- OpenShift role
- Security context constraints (SCCs)
- Service account
- Textbook exercises
- Environment preparation
- Prepare for this exercise
- Create htpasswd accounts
- Set the policy
- Validate the policy
- Create projects
- Associate projects with users
- Verify access
- Deploy a privileged application
- Verify the deployment
- Troubleshooting
- Confirm
- Expose the service
- Test access
- Policy deletion demo
- Summary
Kubectl namespace
Namespace description
A Kubernetes namespace provides a mechanism for grouping a set of related resources. In Red Hat OpenShift Container Platform, a project is a Kubernetes namespace with additional annotations.
A namespace provides the following features:
- Naming resources, to avoid basic naming conflicts;
- Granting administrative rights to trusted users;
- The ability to limit user resource consumption;
- Isolation between users and user groups.
Project
A project provides the mechanism through which access to resources by ordinary users is managed. A project allows a group of users to organize and manage their content independently of other groups, and users must be granted access to a project. If users are allowed to create projects, they automatically get access to the projects they create.
A project can have a separate name, display name and description.
- name is the unique identifier of the project and is what the CLI tools and the API use; its maximum length is 63 characters.
- display name is how the project is shown in the web console (defaults to name).
- description is a more detailed description of the project and is also visible in the web console.
The following components apply to a project:
- Objects: pods, services, replication controllers (rc), etc.;
- Policies: rules that determine what actions a user can or cannot perform on an object;
- Constraints: quotas that limit each kind of object.
Cluster management
A cluster administrator can create a project and delegate administrative rights for that project to any user. In OpenShift Container Platform, projects are used to group and isolate related objects.
Administrators can give users access to certain projects, allow them to create their own projects, and give them administrative permissions within a single project.
Administrators can apply roles to users and groups that allow or restrict their ability to create projects; roles can also be assigned to users before their first login.
Restrict project creation: removing the self-provisioner cluster role from the authenticated users and groups denies permission to create any new project.
[student@workstation ~]$ oc adm policy remove-cluster-role-from-group \
self-provisioner \
system:authenticated \
system:authenticated:oauth
Grant project creation: project creation is granted to users bound to the self-provisioner role and the self-provisioner cluster role. By default, all authenticated users hold these roles.
[student@workstation ~]$ oc adm policy add-cluster-role-to-group \
self-provisioner \
system:authenticated \
system:authenticated:oauth
Create a project
If users have been granted project creation rights, they can create a project with the oc command.
[student@workstation ~]$ oc new-project demoproject \
--description="Demonstrate project creation" \
--display-name="demo_project"
OpenShift role
Role overview
Roles have different levels of access and policy, including cluster and local policies. Users and groups can be associated with multiple roles. Run the oc describe command to view the details of a role and its bindings.
In the cluster policy, users with the cluster-admin default role can view the cluster policy and all local policies. In a given local policy, users with the admin default role can view the policy on a per-project basis.
You can view the current set of cluster bindings with the following command; it shows the users and groups bound to the different roles.
[root@master ~]# oc describe clusterPolicyBindings :default
View the local policy
Although the list of local roles and their associated rule sets cannot be viewed in the local policy, all default roles except cluster-admin still apply and can be added to users or groups. Local bindings, however, are visible.
You can view the current local bindings with the following command; it shows the users and groups bound to the different roles.
[root@master ~]# oc describe policyBindings :default
By default, only the admin role binding is listed in the local policy. However, if other default roles are added to users and groups in the local policy, they are listed as well.
Manage role bindings
Adding (binding) roles to users or groups gives those users or groups the access rights granted by the role. Use the oc adm policy command to add and remove roles for users and groups.
When managing user and group roles for a local policy with the following operations, the -n option specifies the project. If it is not specified, the current project is used.
Common local policy management operations:
| Command | Description |
|---|---|
| oc adm policy who-can verb resource | Show which users can perform the action on the resource |
| oc adm policy add-role-to-user role username | Bind the specified role to the specified user |
| oc adm policy remove-role-from-user role username | Remove the given role from the specified user |
| oc adm policy remove-user username | Remove the specified user and all of their roles |
| oc adm policy add-role-to-group role groupname | Bind the specified role to the specified group |
| oc adm policy remove-role-from-group role groupname | Remove the given role from the specified group |
| oc adm policy remove-group groupname | Remove the specified group and all of its roles |
You can also manage cluster policy role bindings with the operations shown below. These commands do not need the -n option, because cluster policy does not operate at the namespace level.
Common cluster policy management operations:
| Command | Description |
|---|---|
| oc adm policy add-cluster-role-to-user role username | Bind the specified role to the specified user for all projects in the cluster |
| oc adm policy remove-cluster-role-from-user role username | Remove the specified role from the specified user for all projects in the cluster |
| oc adm policy add-cluster-role-to-group role groupname | Bind the specified role to the specified group for all projects in the cluster |
| oc adm policy remove-cluster-role-from-group role groupname | Remove the given role from the specified group for all projects in the cluster |
Tip: oc policy commands apply to the current project, whereas oc adm policy commands apply to cluster-wide operations.
Example: grant the developer user the admin role in the example project.
[root@master ~]# oc adm policy add-role-to-user admin developer -n example
[root@master ~]# oc describe policybindings :default -n example # check the binding
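Reviewing the resulting bindings is the check a practitioner wants after running these commands. The Python script below is an added example, not part of the DO280 material or of OpenShift's own tooling: it reads the JSON shape returned by `oc get clusterrolebindings -o json` and `oc get rolebindings -A -o json` (roleRef/subjects), reports which groups can still create projects and which users hold admin or edit in each project, and previews the effect of remove-cluster-role-from-group on an in-memory copy. The sample data is constructed to match the lab state on this page.

```python
"""Audit OpenShift RBAC bindings: who can create projects, who holds admin/edit where.
Added example, not from the DO280 material. Reads the JSON shape of
`oc get clusterrolebindings -o json` and `oc get rolebindings -A -o json`
(roleRef/subjects, as in the clusterrolebinding.rbac objects the page refers to).
Both samples below are constructed to mirror the lab state on this page."""
import json

# Constructed sample: the self-provisioners binding as it exists before the lab removes it.
CLUSTER_ROLE_BINDINGS = json.loads("""
{"items": [
  {"metadata": {"name": "self-provisioners"},
   "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"},
   "subjects": [{"kind": "Group", "name": "system:authenticated:oauth"},
                {"kind": "Group", "name": "system:authenticated"}]},
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "name": "admin"}]}
]}""")

# Constructed sample: the bindings the exercise creates with oc policy add-role-to-user.
ROLE_BINDINGS = json.loads("""
{"items": [
  {"metadata": {"name": "admin", "namespace": "project-user1"},
   "roleRef": {"kind": "ClusterRole", "name": "admin"},
   "subjects": [{"kind": "User", "name": "user1"}]},
  {"metadata": {"name": "edit", "namespace": "project-user1"},
   "roleRef": {"kind": "ClusterRole", "name": "edit"},
   "subjects": [{"kind": "User", "name": "user2"}]},
  {"metadata": {"name": "edit", "namespace": "project-user2"},
   "roleRef": {"kind": "ClusterRole", "name": "edit"},
   "subjects": [{"kind": "User", "name": "user2"}]}
]}""")

def subjects_of(binding):
    """(kind, name) pairs bound by one binding; 'subjects' can be null in real output."""
    return [(s.get("kind", "User"), s["name"]) for s in binding.get("subjects") or []]

def self_provisioning_groups(crbs):
    """Groups that can create projects through the self-provisioner cluster role.
    An empty list means project creation is restricted, the state the lab sets up."""
    found = set()
    for b in crbs["items"]:
        if b["roleRef"]["name"] == "self-provisioner":
            found.update(n for k, n in subjects_of(b) if k == "Group")
    return sorted(found)

def without_groups(crbs, role, groups):
    """Preview `oc adm policy remove-cluster-role-from-group role groups...` on the
    in-memory snapshot, so the resulting bindings can be reviewed before applying."""
    items = json.loads(json.dumps(crbs["items"]))  # deep copy; the input stays untouched
    for b in items:
        if b["roleRef"]["name"] == role:
            b["subjects"] = [s for s in b.get("subjects") or []
                             if not (s.get("kind") == "Group" and s["name"] in groups)]
    return {"items": items}

def project_access(rbs, roles=("admin", "edit")):
    """Map project -> {role -> sorted subject names} for the roles of interest."""
    access = {}
    for b in rbs["items"]:
        role = b["roleRef"]["name"]
        if role in roles:
            ns = b["metadata"]["namespace"]
            access.setdefault(ns, {}).setdefault(role, set()).update(
                n for _, n in subjects_of(b))
    return {ns: {r: sorted(s) for r, s in rs.items()} for ns, rs in access.items()}

def projects_for(rbs, user):
    """Projects where `user` holds admin or edit; matches what `oc project` allowed in the exercise."""
    return sorted(ns for ns, rs in project_access(rbs).items()
                  if any(user in names for names in rs.values()))

if __name__ == "__main__":
    before = self_provisioning_groups(CLUSTER_ROLE_BINDINGS)
    after = self_provisioning_groups(without_groups(CLUSTER_ROLE_BINDINGS, "self-provisioner", before))
    print("project creation open to:", before, "-> after removal:", after or "nobody")
    for ns, rs in project_access(ROLE_BINDINGS).items():
        print(ns, rs)
```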
Security context constraints (SCCs)
SCC overview
OpenShift provides security context constraints (SCCs), which control the operations a pod can perform and the resources it can access. By default, any container is granted only the capabilities defined by the restricted SCC.
SCC-related commands:
[student@workstation ~]$ oc get scc # list the available SCCs
[student@workstation ~]$ oc describe scc scc_name # show the details of a specific SCC
[student@workstation ~]$ oc adm policy add-scc-to-user scc_name user_name
[student@workstation ~]$ oc adm policy add-scc-to-group scc_name group_name # grant a specific SCC to a user or group
[student@workstation ~]$ oc adm policy remove-scc-from-user scc_name user_name
[student@workstation ~]$ oc adm policy remove-scc-from-group scc_name group_name # remove a user or group from a specific SCC
Service account
Service account overview
A service account provides a flexible way to control API access without sharing the credentials of a regular user. If an application needs capabilities that the restricted SCC does not grant, you can create a new, dedicated service account and add it to the appropriate SCC.
For example, by default OpenShift does not support deploying applications that require elevated privileges. If there is such a need, you can create a service account, modify the dc, and then add the service account to the SCC.
Example: use anyuid so that the container can run as the root user.
[student@workstation ~]$ oc create serviceaccount useroot # create a new service account named useroot
[student@workstation ~]$ oc patch dc/demo-app \
--patch '{"spec":{"template":{"spec":{"serviceAccountName": "useroot"}}}}' # modify the DC to use it
[student@workstation ~]$ oc adm policy add-scc-to-user anyuid -z useroot # add the useroot service account to the anyuid SCC so the container can run as root
Manage project members in the web console
By default, the OCP platform automatically creates the user object when a user logs in successfully for the first time.
To manage which users are allowed to access a project, log in to the web console as a project administrator or cluster administrator and select the project to manage. In the left pane, click Resources -> Membership to open the project membership page.
In the Users column, enter the user name in the highlighted text box. In the "Add another role" column, select a role from the list in the user's row, then click "Add".

Manage project members from the CLI
If automatic user object creation is turned off, a cluster administrator can create a new user as follows:
[student@workstation ~]$ oc create user demo-user
The user must also be created in the authentication backend. For the HTPasswdIdentityProvider the command is:
[student@workstation ~]$ htpasswd /etc/origin/openshift-passwd demo-user
To add a project role to a user, first enter the project with the oc project command, then use oc policy add-role-to-user:
[student@workstation ~]$ oc policy add-role-to-user edit demo-user
To remove a project role from a user, use oc policy remove-role-from-user:
[student@workstation ~]$ oc policy remove-role-from-user edit demo-user
Not all OpenShift roles are project-scoped. To assign those roles, use the oc adm policy command.
[student@workstation ~]$ oc adm policy add-cluster-role-to-user cluster-admin admin
Authentication and authorization
The authentication layer identifies the user associated with a request to the OpenShift Container Platform API; the authorization layer then uses identity information about the requesting user to determine whether the request should be allowed.
- Users and groups
A user in OCP is an entity that can make requests to the OpenShift API. Usually this means the account of a developer or administrator who interacts with OpenShift.
Users can be assigned to one or more groups, each representing a specific set of roles (or permissions). Groups are more appropriate when several users need to be authorized through the management of an authorization policy, for example to grant access to the objects in a project rather than granting it to each user individually.
- Authentication tokens
API calls must be authenticated with an access token or an X.509 certificate. A session token represents the user and is short-lived; by default it expires after 24 hours.
Run the oc whoami command to confirm which user is authenticated.
[student@workstation ~]$ oc login -u demo-user
[student@workstation ~]$ oc whoami
demo-user
Authentication types
In this environment, authentication is provided by the HTPasswdIdentityProvider module, which validates user names and passwords against a file generated by the htpasswd command.
Other authentication types supported by OpenShift Container Platform include:
- Basic Authentication (Remote)
A common back-end integration mechanism that allows users to log in to OpenShift Container Platform with credentials validated against a remote identity provider. Users send their user name and password to OpenShift Container Platform, which validates the credentials through a request to the remote server, passing them as a Basic Auth header. This requires users to enter their credentials in OpenShift Container Platform when logging in.
- Request Header Authentication
Users log in to OpenShift Container Platform using a request header value such as X-Remote-User. It is usually used together with an authenticating proxy: the proxy authenticates the user and then provides the user identity to OpenShift Container Platform through the request header value.
- Keystone Authentication
Keystone is an OpenStack project that provides identity, token, catalog and policy services. OpenShift Container Platform integrates with Keystone to support shared authentication by configuring an OpenStack Keystone v3 server that stores users in an internal database. This configuration allows users to log in to OpenShift Container Platform with their Keystone credentials.
- LDAP Authentication
Users log in to OpenShift Container Platform with their LDAP credentials. During authentication, the LDAP directory is searched for an entry matching the provided user name. If a match is found, a simple bind is attempted using the entry's distinguished name (DN) and the provided password.
- GitHub Authentication
GitHub uses OAuth, which allows the OpenShift integration to use OAuth authentication for the token exchange flow. This allows users to log in to OpenShift Container Platform with their GitHub credentials. To prevent unauthorized users who have a GitHub user ID from logging in to the OpenShift Container Platform cluster, you can restrict access to specific GitHub organizations.
Textbook exercises
Environment preparation
[student@workstation ~]$ lab install-prepare setup
[student@workstation ~]$ cd /home/student/do280-ansible
[student@workstation do280-ansible]$ ./install.sh
Tip: if you already have a complete environment, do not run these.
Prepare for this exercise
[student@workstation ~]$ lab secure-resources setup
Create htpasswd accounts
[student@workstation ~]$ ssh root@master
Last login: Tue Mar 2 19:43:11 2021 from workstation.lab.example.com
[root@master ~]# htpasswd -b /etc/origin/master/htpasswd user1 redhat
Adding password for user user1
[root@master ~]# htpasswd -b /etc/origin/master/htpasswd user2 redhat
Adding password for user user2
# Add the htpasswd-based users user1 and user2, both with the password redhat.
Set the policy
[student@workstation ~]$ oc login -u admin -p redhat https://master.lab.example.com # log in as the administrator
[student@workstation ~]$ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth
# Remove the project creation permission granted to ordinary users. The command can also be found in the following script in this environment.
[student@workstation ~]$ cat /home/student/DO280/labs/secure-resources/configure-policy.sh
#!/bin/bash
oc adm policy remove-cluster-role-from-group \
self-provisioner system:authenticated system:authenticated:oauth
**Reminder:** refer to chapter 10 of the environment's 《cluster-administration》 PDF; the oc describe clusterrolebinding.rbac | more command can help.
Validate the policy
[student@workstation ~]$ oc login -u user1 -p redhat https://master.lab.example.com
Login successful.
You don't have any projects. Contact your system administrator to request a project.
[student@workstation ~]$ oc new-project test
Error from server (Forbidden): You may not request a new project via this API.
Create projects
[student@workstation ~]$ oc login -u admin -p redhat https://master.lab.example.com
[student@workstation ~]$ oc new-project project-user1
[student@workstation ~]$ oc new-project project-user2
Associate projects with users
# Select project 1
[student@workstation ~]$ oc project project-user1
Now using project "project-user1" on server "https://master.lab.example.com:443".
[student@workstation ~]$ oc policy add-role-to-user admin user1 # add user1 as the administrator of project 1
role "admin" added: "user1"
[student@workstation ~]$ oc policy add-role-to-user edit user2 # add user2 as a developer of project 1
role "edit" added: "user2"
[student@workstation ~]$ oc project project-user2 # select project 2
Now using project "project-user2" on server "https://master.lab.example.com:443".
[student@workstation ~]$ oc policy add-role-to-user edit user2 # add user2 as a developer of project 2
role "edit" added: "user2"
Verify access
[student@workstation ~]$ oc login -u user1 -p redhat https://master.lab.example.com # log in as user1
[student@workstation ~]$ oc project project-user1 # verify access to project 1
Already on project "project-user1" on server "https://master.lab.example.com:443".
[student@workstation ~]$ oc project project-user2 # verify access to project 2
error: You are not a member of project "project-user2".
You have one project on this server: project-user1
[student@workstation ~]$ oc login -u user2 -p redhat https://master.lab.example.com # log in as user2
[student@workstation ~]$ oc project project-user1 # verify access to project 1
Already on project "project-user1" on server "https://master.lab.example.com:443".
[student@workstation ~]$ oc project project-user2 # verify access to project 2
Now using project "project-user2" on server "https://master.lab.example.com:443".
Deploy a privileged application
[student@workstation ~]$ oc login -u user2 -p redhat https://master.lab.example.com
Login successful.
You have access to the following projects and can switch between them with 'oc project <projectname>':
project-user1
* project-user2
Using project "project-user2".
[student@workstation ~]$ oc project project-user1
Now using project "project-user1" on server "https://master.lab.example.com:443".
[student@workstation ~]$ oc new-app --name=nginx --docker-image=registry.lab.example.com/nginx:latest
--> Found Docker image c825216 (2 years old) from registry.lab.example.com for "registry.lab.example.com/nginx:latest"
* An image stream will be created as "nginx:latest" that will track this image
* This image will be deployed in deployment config "nginx"
* Port 80/tcp will be load balanced by service "nginx"
* Other containers can access this service through the hostname "nginx"
* WARNING: Image "registry.lab.example.com/nginx:latest" runs as the 'root' user which may not be permitted by your cluster administrator
# Log in as user2, who does not have admin privileges in project 1, and deploy the application; the warning above is shown.
--> Creating resources ...
imagestream "nginx" created
deploymentconfig "nginx" created
service "nginx" created
--> Success
Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
'oc expose svc/nginx'
Run 'oc status' to view your app.
Verify the deployment
[student@workstation ~]$ oc get pods
NAME READY STATUS RESTARTS AGE
nginx-1-66tqq 0/1 CrashLoopBackOff 4 1m
nginx-1-deploy 1/1 Running 0 1m
Conclusion: as seen above, the deployment failed because the container image requires the root user, so the pod ends in the CrashLoopBackOff or Error state.
Troubleshooting
To resolve this failure, you need to relax the security restrictions for this specific project.
To run the container with elevated privileges, you can create a service account that allows the pod to run as an operating-system user other than an ordinary user.
The following part must be executed by a user with project administrator privileges; the other operations must be performed by a user with cluster administrator privileges.
In this environment, the relevant commands can be run from, or copied from, the configure-sc.sh script in the /home/student/DO280/labs/secure-resources folder.
[student@workstation ~]$ oc login -u user1 -p redhat https://master.lab.example.com # log in with the admin account of project 1
[student@workstation ~]$ oc create serviceaccount useroot # create a service account
serviceaccount "useroot" created
[student@workstation ~]$ oc login -u admin -p redhat https://master.lab.example.com # log in as the cluster administrator
[student@workstation ~]$ oc project project-user1 # select project 1
Already on project "project-user1" on server "https://master.lab.example.com:443".
[student@workstation ~]$ oc adm policy add-scc-to-user anyuid -z useroot # set the SCC policy
scc "anyuid" added to: ["system:serviceaccount:project-user1:useroot"] # associate the service account with the anyuid security context constraint; this requires the cluster administrator user

[student@workstation ~]$ oc login -u user2 -p redhat https://master.lab.example.com # switch to user2
[student@workstation ~]$ oc project project-user1
Already on project "project-user1" on server "https://master.lab.example.com:443".
[student@workstation ~]$ oc patch dc nginx --patch='{"spec":{"template":{"spec":{"serviceAccountName": "useroot"}}}}'
# You can also make the change with oc edit deploymentconfig nginx
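After granting anyuid to a service account, the defender's follow-up is to know which service accounts hold permissive SCCs and whether pods actually use them. The Python script below is an added example, not part of the DO280 material or of OpenShift's own tooling: it reads the JSON shape of `oc get scc -o json` (service accounts appear in the users list as system:serviceaccount:<project>:<name>, as in the output above) and `oc get pods -A -o json` (the openshift.io/scc pod annotation), and flags grants that no pod uses. The sample data is constructed to mirror the useroot grant in this exercise.

```python
"""Audit which service accounts hold permissive SCCs and which pods run under them.
Added example, not part of the DO280 material. Input follows the JSON shape of
`oc get scc -o json` (users/groups lists; service accounts appear as
system:serviceaccount:<project>:<name>, as in this page's output) and
`oc get pods -A -o json` (the openshift.io/scc pod annotation). Samples are constructed."""
import json

# SCCs that grant more than the restricted default; direct grants of these are findings.
PERMISSIVE_SCCS = {"anyuid", "privileged", "hostaccess", "hostnetwork", "hostmount-anyuid"}
SA_PREFIX = "system:serviceaccount:"

# Constructed sample: state after `oc adm policy add-scc-to-user anyuid -z useroot`.
SCCS = json.loads("""
{"items": [
  {"metadata": {"name": "anyuid"},
   "users": ["system:serviceaccount:project-user1:useroot"],
   "groups": ["system:cluster-admins"]},
  {"metadata": {"name": "privileged"},
   "users": ["system:admin", "system:serviceaccount:openshift-infra:build-controller"],
   "groups": ["system:cluster-admins", "system:nodes"]},
  {"metadata": {"name": "restricted"}, "users": [], "groups": ["system:authenticated"]}
]}""")

# Constructed sample: the pods seen in the exercise after the dc was patched.
PODS = json.loads("""
{"items": [
  {"metadata": {"name": "nginx-2-c2wfp", "namespace": "project-user1",
                "annotations": {"openshift.io/scc": "anyuid"}},
   "spec": {"serviceAccountName": "useroot"}},
  {"metadata": {"name": "nginx-1-deploy", "namespace": "project-user1",
                "annotations": {"openshift.io/scc": "restricted"}},
   "spec": {"serviceAccountName": "deployer"}}
]}""")

def parse_service_account(subject):
    """Split 'system:serviceaccount:<ns>:<name>' into (ns, name); None for plain users."""
    if not subject.startswith(SA_PREFIX):
        return None
    ns, _, name = subject[len(SA_PREFIX):].partition(":")
    return (ns, name) if ns and name else None

def permissive_sa_grants(sccs):
    """Map (ns, sa) -> sorted permissive SCC names granted directly to that service account.
    Group-based grants (system:cluster-admins etc.) are deliberately not attributed to SAs."""
    grants = {}
    for scc in sccs["items"]:
        name = scc["metadata"]["name"]
        if name not in PERMISSIVE_SCCS:
            continue
        for subject in scc.get("users") or []:
            sa = parse_service_account(subject)
            if sa:
                grants.setdefault(sa, set()).add(name)
    return {sa: sorted(names) for sa, names in grants.items()}

def pods_not_restricted(pods):
    """(ns, pod, scc, serviceAccount) for pods admitted under any SCC other than restricted."""
    out = []
    for pod in pods["items"]:
        md = pod["metadata"]
        scc = (md.get("annotations") or {}).get("openshift.io/scc", "")
        if scc != "restricted":
            out.append((md["namespace"], md["name"], scc,
                        pod["spec"].get("serviceAccountName", "default")))
    return out

def unused_grants(sccs, pods):
    """Permissive grants no pod currently uses: candidates for removal with
    oc adm policy remove-scc-from-user, trimming the grant back to least privilege."""
    in_use = {(ns, sa) for ns, _, _, sa in pods_not_restricted(pods)}
    return sorted(sa for sa in permissive_sa_grants(sccs) if sa not in in_use)

if __name__ == "__main__":
    for sa, names in permissive_sa_grants(SCCS).items():
        print("%s/%s may use %s" % (sa[0], sa[1], ", ".join(names)))
    for ns, pod, scc, sa in pods_not_restricted(PODS):
        print("%s/%s runs under %s as %s" % (ns, pod, scc, sa))
    print("unused grants:", unused_grants(SCCS, PODS))
```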
Confirm
[student@workstation ~]$ oc get pods
NAME READY STATUS RESTARTS AGE
nginx-1-deploy 0/1 Error 0 45m
nginx-2-c2wfp 1/1 Running 0 2m
Expose the service
[student@workstation ~]$ oc expose svc nginx
route "nginx" exposed
[student@workstation ~]$ oc get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx ClusterIP 172.30.195.234 <none> 80/TCP 47m
[student@workstation ~]$ oc get route
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
nginx nginx-project-user1.apps.lab.example.com nginx 80-tcp None
Test access
[student@workstation ~]$ curl http://nginx-project-user1.apps.lab.example.com
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
……………
Policy deletion demo
# Re-enable project creation for all regular users and reset to the initial state. In this environment, the relevant commands can be run from, or copied from, the restore-policy.sh script in the /home/student/DO280/labs/secure-resources folder.
[student@workstation ~]$ oc login -u admin -p redhat
[student@workstation ~]$ oc adm policy add-cluster-role-to-group self-provisioner system:authenticated system:authenticated:oauth
cluster role "self-provisioner" added: ["system:authenticated" "system:authenticated:oauth"]
[student@workstation ~]$ oc delete project project-user1
[student@workstation ~]$ oc delete project project-user2
[root@master ~]# htpasswd -D /etc/origin/master/htpasswd user1
[root@master ~]# htpasswd -D /etc/origin/master/htpasswd user2
Summary
RHCA certification requires studying for and passing five exams, which still takes a lot of time in study and exam preparation. Keep going, you can do it 🤪.

That is all of 【Brother Goldfish】's brief introduction and explanation of Chapter 5, DO280 OpenShift Access control – Manage projects and accounts. I hope it is helpful to the friends who read this article.
Red Hat certification column series:
RHCSA column: preparing for the RHCSA certification
RHCE column: preparing for the RHCE certification
This article is included in the RHCA column: RHCA memoir
If this 【article】 helped you, I hope you can give 【Brother Goldfish】 a like. Creating is not easy; compared with the official wording, I prefer to explain every knowledge point in 【easy to understand】 writing.
If you are interested in 【operations and maintenance technology】, you are welcome to follow ️️️【Brother Goldfish】️️️; I will bring you great 【gains and surprises】!
