Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 1 changed file with 149 additions and 0 deletions.
@@ -0,0 +1,149 @@ | ||
// Module included in the following assemblies: | ||
// | ||
// * authentication/???.adoc | ||
// * post_installation_configuration/???.adoc | ||
|
||
:_mod-docs-content-type: PROCEDURE | ||
[id="restoring-bindings-unauthenticated-groups_{context}"] | ||
= Restoring Cluster Role Bindings for Unauthenticated Groups | ||
|
||
If you are a cluster administrator and have noticed that unauthenticated groups are not included in certain role bindings in newly created clusters, and this configuration does not meet your operational requirements, this documentation provides steps to add these groups. These instructions guide you through the process to configure your OpenShift clusters as needed. | ||
|
||
.Prerequisites | ||
* Ensure that you have `cluster-admin` permissions. | ||
* Access to the command line interface (CLI) tool `oc` is required. | ||
.Context | ||
With recent changes in security configurations, some cluster role bindings no longer include unauthenticated groups in new cluster deployments. This leads to an operational regression compared to previous cluster setups where such access was configured. This documentation helps in manually adding these groups back where necessary. | ||
|
||
[id="overview-of-affected-cluster-role-bindings_{context}"] | ||
== Overview of Affected Cluster Role Bindings | ||
|
||
In new deployments, unauthenticated groups are no longer included in cluster role bindings that would grant them the following roles: | ||
|
||
* `system:scope-impersonation` | ||
* `system:webhook` | ||
* `system:oauth-token-deleter` | ||
* `self-access-reviewer` | ||
|
||
[id="adding-unauthenticated-groups-to-cluster-role-bindings_{context}"] | ||
== Adding Unauthenticated Groups to Cluster Role Bindings | ||
|
||
To add unauthenticated groups to each of these cluster role bindings, create individual YAML files and apply them using the `oc` CLI tool. The following sections provide the YAML content and commands needed for this configuration. | ||
|
||
[id="add-scope-impersonation_{context}"] | ||
=== Adding Unauthenticated Groups to Scope Impersonation | ||
|
||
.Add Unauthenticated Groups to the Scope Impersonation Cluster Role Binding | ||
. Create a file named `add-scope-impersonation-unauth.yaml` and add the following content: | ||
+ | ||
[source,yaml] | ||
---- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
annotations: | ||
rbac.authorization.kubernetes.io/autoupdate: "true" | ||
name: restore-scope-impersonation-unauth | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: system:scope-impersonation | ||
subjects: | ||
- apiGroup: rbac.authorization.k8s.io | ||
kind: Group | ||
name: system:unauthenticated | ||
---- | ||
. Apply the configuration: | ||
+ | ||
[source,bash] | ||
---- | ||
oc apply -f add-scope-impersonation-unauth.yaml | ||
---- | ||
|
||
[id="add-webhooks_{context}"] | ||
=== Adding Unauthenticated Groups to Webhooks | ||
|
||
.Add Unauthenticated Groups to the Webhooks Cluster Role Binding | ||
. Create a file named `add-webhooks-unauth.yaml` and add the following content: | ||
+ | ||
[source,yaml] | ||
---- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
annotations: | ||
rbac.authorization.kubernetes.io/autoupdate: "true" | ||
name: restore-webhooks-unauth | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: system:webhook | ||
subjects: | ||
- apiGroup: rbac.authorization.k8s.io | ||
kind: Group | ||
name: system:unauthenticated | ||
---- | ||
. Apply the configuration: | ||
+ | ||
[source,bash] | ||
---- | ||
oc apply -f add-webhooks-unauth.yaml | ||
---- | ||
|
||
[id="add-oauth-token-deletion_{context}"] | ||
=== Adding Unauthenticated Groups to OAuth Token Deletion | ||
|
||
.Add Unauthenticated Groups to the OAuth Token Deletion Cluster Role Binding | ||
. Create a file named `add-oauth-token-deletion-unauth.yaml` and add the following content: | ||
+ | ||
[source,yaml] | ||
---- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
annotations: | ||
rbac.authorization.kubernetes.io/autoupdate: "true" | ||
name: restore-oauth-token-deleters-unauth | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: system:oauth-token-deleter | ||
subjects: | ||
- apiGroup: rbac.authorization.k8s.io | ||
kind: Group | ||
name: system:unauthenticated | ||
---- | ||
. Apply the configuration: | ||
+ | ||
[source,bash] | ||
---- | ||
oc apply -f add-oauth-token-deletion-unauth.yaml | ||
---- | ||
|
||
[id="add-self-access-review_{context}"] | ||
ight | ||
subjects: | ||
- kind: Group | ||
apiGroup: rbac.authorization.k8s.io | ||
name: system:authenticated | ||
- kind: Group | ||
apiGroup: rbac.authorization.k8s.io | ||
name: system:unauthenticated | ||
---- | ||
. Apply the configuration: | ||
+ | ||
[source,bash] | ||
---- | ||
oc apply -f add-self-access-review-unauth.yaml | ||
---- | ||
[NOTE] | ||
==== | ||
Applying these configurations will allow unauthenticated groups to access specific resources as configured. It is essential to consider the security implications of such changes and ensure they align with your organizational security policies. | ||
==== | ||
[IMPORTANT] | ||
==== | ||
Always verify compliance with your organization's security standards when modifying role bindings, particularly when including unauthenticated access. | ||
==== |
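Review bot: The assembly references at the top of the module are still placeholders (`// * authentication/???.adoc` and `// * post_installation_configuration/???.adoc`); fill in the real assembly file names before this merges, since the module header is how the docs build and reviewers locate where the procedure is used. Two smaller points in the same hunk: the `[NOTE]` and `[IMPORTANT]` admonitions about granting access to `system:unauthenticated` appear only after the last procedure, so a reader following the first three procedures applies the bindings before seeing the caveat; moving them (or a one-line version) up to the "Adding Unauthenticated Groups to Cluster Role Bindings" section, before the first `oc apply`, would put the warning where the decision is made. And `.Context` follows the `.Prerequisites` bullet list with no blank line, so AsciiDoc is likely to treat it as part of the last list item rather than as a block title; insert a blank line before `.Context`.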