Skip to content

Commit

Permalink
Merge pull request #1 from cloud-design-patterns-journey/ocp-rbac
Browse files Browse the repository at this point in the history 
Ocp rbac
  • Loading branch information
@NoeSamaille
NoeSamaille committed Apr 21, 2024
2 parents ec4ee8c + ad5c4c4 commit 89ad1b8
Show file tree
Hide file tree
Showing 6 changed files with 359 additions and 5 deletions.
2 changes: 1 addition & 1 deletion docs/labs/inventory-app/inventory-bff/index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ The Inventory solution will use [GraphQL](https://graphql.org/) for its BFF laye
!!! note
You should have the [`tkn`](https://github.com/tektoncd/cli?tab=readme-ov-file#installing-tkn), [`tkn pac`](https://pipelinesascode.com/docs/guide/cli/#install) and `oc` CLIs installed. `oc` can be installed through the help section of your OpenShift console.

- In the OpenShift web console, click on email address top right, click on **Copy login command** and get the OpenShift login command, which includes a token.
- In the OpenShift web console, click on the user ID on the top right, click on **Copy login command** and get the OpenShift login command, which includes a token.

![OpenShift Login](../../../images/common/LoginCommand.png)

Expand Down
2 changes: 1 addition & 1 deletion docs/labs/inventory-app/inventory-service/index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
!!! note
You should have the [`tkn`](https://github.com/tektoncd/cli?tab=readme-ov-file#installing-tkn), [`tkn pac`](https://pipelinesascode.com/docs/guide/cli/#install) and `oc` CLIs installed. `oc` can be installed through the help section of your OpenShift console.

- In the OpenShift web console, click on email address top right, click on **Copy login command** and get the OpenShift login command, which includes a token.
- In the OpenShift web console, click on the user ID on the top right, click on **Copy login command** and get the OpenShift login command, which includes a token.

![OpenShift Login](../../../images/common/LoginCommand.png)

Expand Down
2 changes: 1 addition & 1 deletion docs/labs/inventory-app/inventory-ui/index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
!!! note
You should have the [`tkn`](https://github.com/tektoncd/cli?tab=readme-ov-file#installing-tkn), [`tkn pac`](https://pipelinesascode.com/docs/guide/cli/#install) and `oc` CLIs installed. `oc` can be installed through the help section of your OpenShift console.

- In the OpenShift web console, click on email address top right, click on **Copy login command** and get the OpenShift login command, which includes a token.
- In the OpenShift web console, click on the user ID on the top right, click on **Copy login command** and get the OpenShift login command, which includes a token.

![OpenShift Login](../../../images/common/LoginCommand.png)

Expand Down
0 docs/labs/security.md → ...labs/security/inject-k8s-secrets-vault.md
View file
File renamed without changes.
352 changes: 352 additions & 0 deletions docs/labs/security/openshift-rbac.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,352 @@
# Guided Exercise: Define and Apply Permissions with RBAC

Define role-based access controls and apply permissions to users.

## Outcomes

* Remove project creation privileges from users who are not OpenShift cluster administrators.
* Create OpenShift groups and add members to these groups.
* Create a project and assign project administration privileges to the project.
* As a project administrator, assign read and write privileges to different groups of users.

## Instructions

1. Log in to the OpenShift cluster and determine which cluster role bindings assign the `self-provisioner` cluster role.

1. Run the login command in your terminal, with the login provided to you (requires admin access):

```sh
export OCP_USER=team1 # CHANGEME
export OCP_PASSWORD=123 # CHANGEME
export OCP_SERVER=https://api.example.com:6443 # CHANGEME
oc login -u ${OCP_USER} -p ${OCP_PASSWORD} --server=${OCP_SERVER}
```
2. List all cluster role bindings that reference the `self-provisioner` cluster role.

```sh
oc get clusterrolebinding -o wide | grep -E 'ROLE|self-provisioner'
```
2. Remove the privilege to create projects from all users who are not cluster administrators by deleting the `self-provisioner` cluster role from the `system:authenticated:oauth` virtual group.

1. Confirm that the `self-provisioners` cluster role binding that you found in the previous step assigns the `self-provisioner` cluster role to the `system:authenticated:oauth` group.


```sh
oc describe clusterrolebindings self-provisioners
```
Expected output:
```
Name: self-provisioners
Labels: <none>
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: self-provisioner
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:authenticated:oauth
```
2. Remove the `self-provisioner` cluster role from the `system:authenticated:oauth` virtual group, which deletes the `self-provisioners` role binding.


```sh
oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
```
Expected output:
```
Warning: Your changes may get lost whenever a master is restarted, unless you prevent reconciliation of this rolebinding using the following command:
oc annotate clusterrolebinding.rbac self-provisioners 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite
clusterrole.rbac.authorization.k8s.io/self-provisioner removed: "system:authenticated:oauth"
```

!!! note
You can safely ignore the warning about your changes being lost.

3. Verify that the role is removed from the group. The cluster role binding `self-provisioners` should not exist.

```sh
oc describe clusterrolebindings self-provisioners
```
Expected output:
```
Error from server (NotFound): clusterrolebindings.rbac.authorization.k8s.io "self-provisioners" not found
```

4. Determine whether any other cluster role bindings reference the `self-provisioner` cluster role.

```sh
oc get clusterrolebinding -o wide | grep -E 'ROLE|self-provisioner'
```
Expected output:
```
NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS
```
5. Log in as the `leader-${SUFFIX}` user with the `redhat` password.

```sh
export SUFFIX=${OCP_USER} # e.g. team1
oc login -u leader-${SUFFIX} -p redhat
```
Expected output:
```
Login successful.
...output omitted...
```
6. Try to create a project. The operation should fail.

```sh
oc new-project test
```
Expected output:
```
Error from server (Forbidden): You may not request a new project via this API.
```
3. Create a project and add project administration privileges to the `leader-${SUFFIX}` user.

1. Log in with your admin user:

```sh
oc login -u ${OCP_USER} -p ${OCP_PASSWORD}
```
Expected output:
```
Login successful.
...output omitted...
```
2. Create the `auth-rbac-${SUFFIX}` project.

```sh
oc new-project auth-rbac-${SUFFIX}
```
Expected output:
```
Now using project "auth-rbac-${SUFFIX}" on server "https://api.ocp4.example.com:6443".
...output omitted...
```
3. Grant project administration privileges to the `leader-${SUFFIX}` user on the `auth-rbac-${SUFFIX}` project.

```sh
oc policy add-role-to-user admin leader-${SUFFIX}
```
Expected output:
```
clusterrole.rbac.authorization.k8s.io/admin added: "leader-${SUFFIX}"
```
4. Create the `dev-group-${SUFFIX}` and `qa-group-${SUFFIX}` groups and add their respective members.

1. Create a group named `dev-group-${SUFFIX}`.

```sh
oc adm groups new dev-group-${SUFFIX}
```
Expected output:
```
group.user.openshift.io/dev-group-${SUFFIX} created
```
2. Add the `developer-${SUFFIX}` user to the group that you created in the previous step.

```sh
oc adm groups add-users dev-group-${SUFFIX} developer-${SUFFIX}
```
Expected output:
```
group.user.openshift.io/dev-group-${SUFFIX} added: "developer-${SUFFIX}"
```
3. Create a second group named `qa-group-${SUFFIX}`.

```sh
oc adm groups new qa-group-${SUFFIX}
```
Expected output:
```
group.user.openshift.io/qa-group-${SUFFIX} created
```
4. Add the `qa-engineer-${SUFFIX}` user to the group that you created in the previous step.

```sh
oc adm groups add-users qa-group-${SUFFIX} qa-engineer-${SUFFIX}
```
Expected output:
```
group.user.openshift.io/qa-group-${SUFFIX} added: "qa-engineer-${SUFFIX}"
```
5. Review all existing OpenShift groups to verify that they have the correct members.

```sh
oc get groups
```
5. As the `leader-${SUFFIX}` user, assign write privileges for `dev-group-${SUFFIX}` and read privileges for `qa-group-${SUFFIX}` to the `auth-rbac-${SUFFIX}` project.

1. Log in as the `leader-${SUFFIX}` user.

```sh
oc login -u leader-${SUFFIX} -p redhat
```
Expected output:
```
Login successful.
...output omitted...
Using project "auth-rbac-${SUFFIX}".
```
2. Add write privileges to the `dev-group-${SUFFIX}` group on the `auth-rbac-${SUFFIX}` project.

```sh
oc policy add-role-to-group edit dev-group-${SUFFIX}
```
Expected output:
```
clusterrole.rbac.authorization.k8s.io/edit added: "dev-group-${SUFFIX}"
```

3. Add read privileges to the `qa-group-${SUFFIX}` group on the `auth-rbac-${SUFFIX}` project.

```sh
oc policy add-role-to-group view qa-group-${SUFFIX}
```
Expected output:
```
clusterrole.rbac.authorization.k8s.io/view added: "qa-group-${SUFFIX}"
```
4. Review all role bindings on the `auth-rbac-${SUFFIX}` project to verify that they assign roles to the correct groups and users. The following output omits default role bindings that OpenShift assigns to service accounts.

```sh
oc get rolebindings -o wide | grep -v '^system:'
```
6. As the `developer-${SUFFIX}` user, deploy an Apache HTTP Server to prove that the `developer-${SUFFIX}` user has write privileges in the project. Also try to grant write privileges to the `qa-engineer-${SUFFIX}` user to prove that the `developer-${SUFFIX}` user has no project administration privileges.

1. Log in as the `developer-${SUFFIX}` user.

```sh
oc login -u developer-${SUFFIX} -p redhat
```
Expected output:
```
Login successful.
...output omitted...
Using project "auth-rbac-${SUFFIX}".
```
2. Deploy an Apache HTTP Server by using the standard image stream from OpenShift.

```sh
oc new-app --name httpd httpd:2.4
```
Expected output:
```
_...output omitted..._
--> Creating resources ...
imagestreamtag.image.openshift.io "httpd:2.4" created
Warning: would violate PodSecurity "restricted:v1.24": _...output omitted..._
deployment.apps "httpd" created
service "httpd" created
--> Success
_...output omitted..._
```

!!! note
It is safe to ignore pod security warnings for exercises in this course. OpenShift uses the Security Context Constraints controller to provide safe defaults for pod security.

3. Try to grant write privileges to the `qa-engineer-${SUFFIX}` user. The operation should fail.

```sh
oc policy add-role-to-user edit qa-engineer-${SUFFIX}
```
Expected output:
```
Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "developer-${SUFFIX}" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "auth-rbac-${SUFFIX}"
```
7. Verify that the `qa-engineer-${SUFFIX}` user can view objects in the `auth-rbac-${SUFFIX}` project, but not modify anything.

1. Log in as the `qa-engineer-${SUFFIX}` user.

```sh
oc login -u qa-engineer-${SUFFIX} -p redhat
```
Expected output:
```
Login successful.
_...output omitted..._
Using project "auth-rbac-${SUFFIX}".
```
2. Attempt to scale the `httpd` application. The operation should fail.

```sh
oc scale deployment httpd --replicas 3
```
Expected output:
```
Error from server (Forbidden): deployments.apps "httpd" is forbidden: User "qa-engineer-${SUFFIX}" cannot patch resource "deployments/scale" in API group "apps" in the namespace "auth-rbac-${SUFFIX}"
```
8. Restore project creation privileges to all users.

1. Log in with your admin user:

```sh
oc login -u ${OCP_USER} -p ${OCP_PASSWORD}
```
2. Restore project creation privileges for all users by re-creating the `self-provisioners` cluster role binding that the OpenShift installer created.

```sh
oc adm policy add-cluster-role-to-group --rolebinding-name self-provisioners self-provisioner system:authenticated:oauth
```
Expected output:
```
Warning: Group 'system:authenticated:oauth' not found
clusterrole.rbac.authorization.k8s.io/self-provisioner added: "system:authenticated:oauth"
```

!!! note
You can safely ignore the warning that the group was not found.

Congrats, you have completed the lab!
6 changes: 4 additions & 2 deletions mkdocs.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,15 @@ extra_css:
nav:
- Home: index.md
- Labs:
- Security Lab: labs/security.md
- Security:
- Inject K8s secrets with Vault: labs/security/inject-k8s-secrets-vault.md
- Optional - OpenShift RBAC: labs/security/openshift-rbac.md
- Inventory App:
- Introduction: labs/inventory-app/inventory-application/index.md
- Service: labs/inventory-app/inventory-service/index.md
- BFF: labs/inventory-app/inventory-bff/index.md
- UI: labs/inventory-app/inventory-ui/index.md
# - Optional - MongoDB: labs/inventory-app/inventory-mongodb/index.md
- Optional - MongoDB: labs/inventory-app/inventory-mongodb/index.md
# - Optional - Auth with AppID: labs/inventory-app/inventory-appid/index.md
theme:
name: material
Expand Down

0 comments on commit 89ad1b8

Please sign in to comment.