[DOCS] AUTH-509 Reducing permissions for unauthenticated users for apiserver access

authentication/using-rbac.adoc

@@ -8,6 +8,8 @@ toc::[]
 
 include::modules/rbac-overview.adoc[leveloffset=+1]
 
+include::modules/unauthorized-users-cluster-role-binding.adoc[leveloffset=+1]
+
 include::modules/rbac-projects-namespaces.adoc[leveloffset=+1]
 
 include::modules/rbac-default-projects.adoc[leveloffset=+1]

cicd/builds/triggering-builds-build-hooks.adoc

@@ -35,3 +35,5 @@ include::modules/builds-build-hooks.adoc[leveloffset=+1]
 include::modules/builds-configuring-post-commit-build-hooks.adoc[leveloffset=+2]
 
 include::modules/builds-using-cli-post-commit-build-hooks.adoc[leveloffset=+2]
+
+include::modules/unauthorized-users-cluster-role-webhook.adoc[leveloffset=+2]

modules/unauthorized-users-cluster-role-binding.adoc

@@ -0,0 +1,21 @@
+// Module included in the following assemblies:
+//
+// * authentication/using-rbac.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="unauthorized-users-cluster-role-bindings_{context}"]
+= Cluster role bindings for unauthorized groups
+
+{product-title} {product-version} includes the ability to grant specific cluster role bindings to unauthorized groups in new cluster deployments. In previous {product-title} versions unauthenticated groups were included in accessing cluster role bindings. Clusters depolyed with previous {product-title} versions will still behave this way.
+
+Cluster administrators can add unauthenticated users to the following cluster role bindings:
+//xref these once decided where they go
+. `system:scope-impersonation`
+. `system:webhook`
+. `system:oauth-token-deleter`
+. `self-access-reviewer`
+
+[IMPORTANT]
+====
+Always verify compliance with your organization's security standards when modifying role bindings, particularly when including unauthenticated access.
+====

modules/unauthorized-users-cluster-role-scope-impersonation.adoc

@@ -0,0 +1,49 @@
+// Module included in the following assemblies:
+//
+// * XXX
+
+:_mod-docs-content-type: PROCEDURE
+[id="unauthorized-users-cluster-role-scope-impersonation_{context}"]
+= Adding cluster role bindings for unauthenticated groups to `system:scope-impersonation`
+
+As a cluster administrator, you can add unauthenticated users to the `system:scope-impersonation` cluster role binding in {product-title}.
+
+[IMPORTANT]
+====
+Always verify compliance with your organization's security standards when modifying role bindings, particularly when including unauthenticated access.
+====
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* The OpenShift CLI (oc) is installed.
+
+.Procedure
+
+.Add unauthenticated groups to the `system:scope-impersonation` cluster role
+
+. Create a file named `add-scope-impersonation-unauth.yaml` and add the following content:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: restore-scope-impersonation-unauth
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:scope-impersonation
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:unauthenticated
+----
+. Apply the configuration using the CLI:
++
+[source,bash]
+----
+oc apply -f add-scope-impersonation-unauth.yaml
+----

modules/unauthorized-users-cluster-role-webhook.adoc

@@ -0,0 +1,50 @@
+// Module included in the following assemblies:
+//
+// * cicd/builds/triggering-builds-build-hooks.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="unauthorized-users-cluster-role-webhook_{context}"]
+= Adding cluster role bindings for unauthenticated groups to `system:webhook`
+
+As a cluster administrator, you can add unauthenticated users to the `system:webhook` cluster role binding in {product-title}.
+
+[IMPORTANT]
+====
+Always verify compliance with your organization's security standards when modifying role bindings, particularly when including unauthenticated access.
+====
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* The OpenShift CLI (oc) is installed.
+
+.Procedure
+
+.Add unauthenticated groups to the `system:webhooks` cluster role
+
+. Create a file named `add-webhooks-unauth.yaml` and add the following content:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: restore-webhooks-unauth
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:webhook
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:unauthenticated
+----
+
+. Apply the configuration using the CLI:
++
+[source,bash]
+----
+oc apply -f add-webhooks-unauth.yaml
+----

modules/unauthorized-users-oauth-token-deleter.adoc

@@ -0,0 +1,49 @@
+// Module included in the following assemblies:
+//
+// * XXX
+
+:_mod-docs-content-type: PROCEDURE
+[id="unauthorized-users-cluster-role-oauth-token-deleter_{context}"]
+= Adding cluster role bindings for unauthenticated groups to `system:oauth-token-deleter`
+
+As a cluster administrator, you can add unauthenticated users to the `system:oauth-token-deleter` cluster role binding in {product-title}.
+
+[IMPORTANT]
+====
+Always verify compliance with your organization's security standards when modifying role bindings, particularly when including unauthenticated access.
+====
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* The OpenShift CLI (oc) is installed.
+
+.Procedure
+
+.Add unauthenticated groups to the `system:oauth-token-deleter` cluster role
+
+. Create a file named `add-oauth-token-deletion-unauth.yaml` and add the following content:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: restore-oauth-token-deleters-unauth
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:oauth-token-deleter
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:unauthenticated
+----
+. Apply the configuration using the CLI:
++
+[source,bash]
+----
+oc apply -f add-oauth-token-deletion-unauth.yaml
+----

modules/unauthorized-users-self-access-reviewer.adoc

@@ -0,0 +1,49 @@
+// Module included in the following assemblies:
+//
+// * XXX
+
+:_mod-docs-content-type: PROCEDURE
+[id="unauthorized-users-cluster-role-self-access-reviewer_{context}"]
+= Adding cluster role bindings for unauthenticated groups to `self-access-reviewer`
+
+As a cluster administrator, you can add unauthenticated users to the `self-access-reviewer` cluster role binding in {product-title}.
+
+[IMPORTANT]
+====
+Always verify compliance with your organization's security standards when modifying role bindings, particularly when including unauthenticated access.
+====
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* The OpenShift CLI (oc) is installed.
+
+.Procedure
+
+.Add unauthenticated groups to the `self-access-reviewer` cluster role
+
+. Create a file named `add-self-access-review-unauth.yaml` and add the following content:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: restore-self-access-reviewers-unauth
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: self-access-reviewer
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:unauthenticated
+----
+. Apply the configuration using the CLI:
++
+[source,bash]
+----
+oc apply -f add-self-access-review-unauth.yaml
+----