add unauth grp restore

openshift · Apr 25, 2024 · 84042b1 · 84042b1
1 parent bf54d48
commit 84042b1
Showing 1 changed file with 163 additions and 0 deletions.
diff --git a/modules/restore-unauthenticated-group-bindings.adoc b/modules/restore-unauthenticated-group-bindings.adoc
@@ -0,0 +1,163 @@
+// Module included in the following assemblies:
+//
+// * authentication/???.adoc
+// * post_installation_configuration/???.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="restoring-bindings-unauthenticated-groups_{context}"]
+= Restoring Cluster Role Bindings for Unauthenticated Groups
+
+If you are a cluster administrator and have noticed that unauthenticated groups are not included in certain role bindings in newly created clusters, and this configuration does not meet your operational requirements, this documentation provides steps to add these groups. These instructions guide you through the process to configure your OpenShift clusters as needed.
+
+.Prerequisites
+* Ensure that you have `cluster-admin` permissions.
+* Access to the command line interface (CLI) tool `oc` is required.
+
+.Context
+With recent changes in security configurations, some cluster role bindings no longer include unauthenticated groups in new cluster deployments. This leads to an operational regression compared to previous cluster setups where such access was configured. This documentation helps in manually adding these groups back where necessary.
+
+[id="overview-of-affected-cluster-role-bindings_{context}"]
+== Overview of Affected Cluster Role Bindings
+
+In new deployments, unauthenticated groups are no longer included in cluster role bindings that would grant them the following roles:
+
+* `system:scope-impersonation`
+* `system:webhook`
+* `system:oauth-token-deleter`
+* `self-access-reviewer`
+
+[id="adding-unauthenticated-groups-to-cluster-role-bindings_{context}"]
+== Adding Unauthenticated Groups to Cluster Role Bindings
+
+To add unauthenticated groups to each of these cluster role bindings, create individual YAML files and apply them using the `oc` CLI tool. The following sections provide the YAML content and commands needed for this configuration.
+
+[NOTE]
+====
+Applying these configurations will allow unauthenticated groups to access specific resources as configured. It is essential to consider the security implications of such changes and ensure they align with your organizational security policies.
+====
+
+[IMPORTANT]
+====
+Always verify compliance with your organization's security standards when modifying role bindings, particularly when including unauthenticated access.
+====
+
+
+[id="add-scope-impersonation_{context}"]
+=== Adding Unauthenticated Groups to Scope Impersonation
+
+.Add Unauthenticated Groups to the Scope Impersonation Cluster Role
+. Create a file named `add-scope-impersonation-unauth.yaml` and add the following content:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: restore-scope-impersonation-unauth
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:scope-impersonation
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:unauthenticated
+----
+. Apply the configuration:
++
+[source,bash]
+----
+oc apply -f add-scope-impersonation-unauth.yaml
+----
+
+[id="add-webhooks_{context}"]
+=== Adding Unauthenticated Groups to Webhooks
+
+.Add Unauthenticated Groups to the Webhooks Cluster Role
+. Create a file named `add-webhooks-unauth.yaml` and add the following content:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: restore-webhooks-unauth
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:webhook
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:unauthenticated
+----
+. Apply the configuration:
++
+[source,bash]
+----
+oc apply -f add-webhooks-unauth.yaml
+----
+
+[id="add-oauth-token-deletion_{context}"]
+=== Adding Unauthenticated Groups to OAuth Token Deletion
+
+.Add Unauthenticated Groups to the OAuth Token Deletion Cluster Role
+. Create a file named `add-oauth-token-deletion-unauth.yaml` and add the following content:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: restore-oauth-token-deleters-unauth
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:oauth-token-deleter
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:unauthenticated
+----
+. Apply the configuration:
++
+[source,bash]
+----
+oc apply -f add-oauth-token-deletion-unauth.yaml
+----
+
+[id="add-self-access-review_{context}"]
+=== Adding Unauthenticated Groups to Self Access Review Role
+
+.Add Unauthenticated Groups to `self-access-review` Cluster Role
+. Create a file named `add-self-access-review-unauth.yaml` and add the following content:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: restore-self-access-reviewers-unauth
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: self-access-reviewer
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:unauthenticated
+----
+. Apply the configuration:
++
+[source,bash]
+----
+oc apply -f add-self-access-review-unauth.yaml
+----