OpenShift 4 Hands-on Lab (9) User Authentication and Resource Access Restriction

1. "OpenShift 4: Adding HTPasswd Authentication"

2. "OpenShift 4: Adding an Administrator User"

3. "OpenShift 4: Setting User/Group Access Permissions on Projects"

4. "OpenShift 4: Tiered Delegation of Access Rights"

5. Restricting ordinary users from creating projects

  1. View the RBAC ClusterRoleBinding named self-provisioners.
$ oc get clusterrolebinding.rbac self-provisioners -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2019-12-12T06:53:34Z"
  name: self-provisioners
  resourceVersion: "5348"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/self-provisioners
  uid: 1d825ddb-1cac-11ea-b776-525400e21483
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: self-provisioner
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated:oauth
  2. Run the following command to delete the subjects of self-provisioners. Then view the self-provisioners RBAC again and confirm that it no longer has any subjects.
$ oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
clusterrolebinding.rbac.authorization.k8s.io/self-provisioners patched
$ oc get clusterrolebinding.rbac self-provisioners -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2019-12-12T06:53:34Z"
  name: self-provisioners
  resourceVersion: "230271"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/self-provisioners
  uid: 1d825ddb-1cac-11ea-b776-525400e21483
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: self-provisioner
  3. Create a project as the cluster administrator and as an ordinary user, and confirm that the ordinary user can no longer create a new project while the cluster administrator still can.
  4. Run the following command to edit self-provisioners.
$ oc edit clusterrolebinding.rbac self-provisioners -o yaml

Append the following YAML to the end of the file, then save and exit.

subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated:oauth
  5. Create a project as the cluster administrator and as an ordinary user, and confirm that both can create new projects again.
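As an added check (not part of the original lab), the following Python audits the JSON returned by `oc get clusterrolebinding.rbac self-provisioners -o json`: it flags a binding that still grants the self-provisioner role to the system:authenticated:oauth group, and it flags the autoupdate annotation visible in the output above, which the OpenShift documentation notes causes the default subjects to be restored when the API server restarts unless it is set to false. The function names and the sample binding are constructed for this example.

```python
import json

AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"
# Groups that, as subjects of self-provisioners, let every logged-in user create projects.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth"}

# Constructed sample (trimmed to the relevant fields): what
# `oc get clusterrolebinding.rbac self-provisioners -o json` returns before hardening.
SAMPLE_BEFORE = json.loads("""
{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
 "metadata": {"name": "self-provisioners",
              "annotations": {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
 "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
             "name": "self-provisioner"},
 "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
               "name": "system:authenticated:oauth"}]}
""")

# The same binding after both patches produced below have been applied (constructed).
SAMPLE_AFTER = {"metadata": {"name": "self-provisioners",
                             "annotations": {AUTOUPDATE: "false"}},
                "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"}}


def audit_self_provisioners(binding):
    """Return a list of findings for a parsed self-provisioners ClusterRoleBinding."""
    findings = []
    if binding.get("roleRef", {}).get("name") != "self-provisioner":
        return ["roleRef is not the self-provisioner ClusterRole: wrong object"]
    for subject in binding.get("subjects") or []:
        if subject.get("kind") == "Group" and subject.get("name") in BROAD_GROUPS:
            findings.append(f"group {subject['name']} may create projects")
    annotations = binding.get("metadata", {}).get("annotations") or {}
    if annotations.get(AUTOUPDATE) == "true":
        findings.append("autoupdate is true: default subjects return on API server restart")
    return findings


def hardening_patches(binding):
    """JSON bodies for `oc patch clusterrolebinding.rbac self-provisioners -p ...`."""
    patches = []
    if binding.get("subjects"):
        patches.append(json.dumps({"subjects": None}))
    annotations = binding.get("metadata", {}).get("annotations") or {}
    if annotations.get(AUTOUPDATE) == "true":
        patches.append(json.dumps({"metadata": {"annotations": {AUTOUPDATE: "false"}}}))
    return patches
```

Run `audit_self_provisioners` on the live binding after each step of the lab; an empty list means project self-provisioning is closed and will stay closed across API server restarts.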
