From ffffd38cb0438bf361b7ec4dc6bb2318dd1946bc Mon Sep 17 00:00:00 2001 From: NoeSamaille Date: Sun, 21 Apr 2024 17:52:36 +0200 Subject: [PATCH 1/2] Adds OpenShift RBAC Signed-off-by: NoeSamaille --- .../inject-k8s-secrets-vault.md} | 0 docs/labs/security/openshift-rbac.md | 250 ++++++++++++++++++ mkdocs.yml | 6 +- 3 files changed, 254 insertions(+), 2 deletions(-) rename docs/labs/{security.md => security/inject-k8s-secrets-vault.md} (100%) create mode 100644 docs/labs/security/openshift-rbac.md diff --git a/docs/labs/security.md b/docs/labs/security/inject-k8s-secrets-vault.md similarity index 100% rename from docs/labs/security.md rename to docs/labs/security/inject-k8s-secrets-vault.md diff --git a/docs/labs/security/openshift-rbac.md b/docs/labs/security/openshift-rbac.md new file mode 100644 index 0000000..bd1bb3a --- /dev/null +++ b/docs/labs/security/openshift-rbac.md 
@@ -0,0 +1,250 @@ +## Guided Exercise: Define and Apply Permissions with RBAC + +Define role-based access controls and apply permissions to users. + +**Outcomes** + +* Remove project creation privileges from users who are not OpenShift cluster administrators. + +* Create OpenShift groups and add members to these groups. + +* Create a project and assign project administration privileges to the project. + +* As a project administrator, assign read and write privileges to different groups of users. + + +As the `student` user on the `workstation` machine, use the `lab` command to prepare your system for this exercise. + +This command ensures that the cluster API is reachable and creates some HTPasswd users for the exercise. + +\[student@workstation ~\]$ **`lab start auth-rbac`** + +**Instructions** + +1. Log in to the OpenShift cluster and determine which cluster role bindings assign the `self-provisioner` cluster role. + + 1. Log in to the cluster as the `admin` user. + + \[student@workstation ~\]$ **`oc login -u admin -p redhatocp \ https://api.ocp4.example.com:6443`** + Login successful. + + _...output omitted..._ + + 2. List all cluster role bindings that reference the `self-provisioner` cluster role. + + \[student@workstation ~\]$ **`oc get clusterrolebinding -o wide | \ grep -E 'ROLE|self-provisioner'`** + NAME ROLE ... GROUPS ... + self-provisioners `ClusterRole/self-provisioner` ... `system:authenticated:oauth` + +2. Remove the privilege to create projects from all users who are not cluster administrators by deleting the `self-provisioner` cluster role from the `system:authenticated:oauth` virtual group. + + 1. Confirm that the `self-provisioners` cluster role binding that you found in the previous step assigns the `self-provisioner` cluster role to the `system:authenticated:oauth` group. 
+ + \[student@workstation ~\]$ **`oc describe clusterrolebindings self-provisioners`** + Name: self-provisioners + Labels: + Annotations: rbac.authorization.kubernetes.io/autoupdate: true + Role: + Kind: `ClusterRole` + Name: `self-provisioner` + Subjects: + Kind Name Namespace + ---- ---- --------- + Group `system:authenticated:oauth` + + 2. Remove the `self-provisioner` cluster role from the `system:authenticated:oauth` virtual group, which deletes the `self-provisioners` role binding. + + \[student@workstation ~\]$ **`oc adm policy remove-cluster-role-from-group \ self-provisioner system:authenticated:oauth`** + Warning: Your changes may get lost whenever a master is restarted, unless you prevent reconciliation of this rolebinding using the following command: + oc annotate clusterrolebinding.rbac self-provisioners 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite + clusterrole.rbac.authorization.k8s.io/self-provisioner removed: "system:authenticated:oauth" + + ### Note + + You can safely ignore the warning about your changes being lost. + + 3. Verify that the role is removed from the group. The cluster role binding `self-provisioners` should not exist. + + \[student@workstation ~\]$ **`oc describe clusterrolebindings self-provisioners`** + Error from server (NotFound): clusterrolebindings.rbac.authorization.k8s.io "self-provisioners" not found + + 4. Determine whether any other cluster role bindings reference the `self-provisioner` cluster role. + + \[student@workstation ~\]$ **`oc get clusterrolebinding -o wide | \ grep -E 'ROLE|self-provisioner'`** + NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS + + 5. Log in as the `leader` user with the `redhat` password. + + \[student@workstation ~\]$ **`oc login -u leader -p redhat`** + Login successful. + + _...output omitted..._ + + 6. Try to create a project. The operation should fail. 
+ + \[student@workstation ~\]$ **`oc new-project test`** + Error from server (Forbidden): You may not request a new project via this API. + +3. Create a project and add project administration privileges to the `leader` user. + + 1. Log in as the `admin` user. + + \[student@workstation ~\]$ **`oc login -u admin -p redhatocp`** + Login successful. + + _...output omitted..._ + + 2. Create the `auth-rbac` project. + + \[student@workstation ~\]$ **`oc new-project auth-rbac`** + Now using project "auth-rbac" on server "https://api.ocp4.example.com:6443". + + _...output omitted..._ + + 3. Grant project administration privileges to the `leader` user on the `auth-rbac` project. + + \[student@workstation ~\]$ **`oc policy add-role-to-user admin leader`** + clusterrole.rbac.authorization.k8s.io/admin added: "leader" + +4. Create the `dev-group` and `qa-group` groups and add their respective members. + + 1. Create a group named `dev-group`. + + \[student@workstation ~\]$ **`oc adm groups new dev-group`** + group.user.openshift.io/dev-group created + + 2. Add the `developer` user to the group that you created in the previous step. + + \[student@workstation ~\]$ **`oc adm groups add-users dev-group developer`** + group.user.openshift.io/dev-group added: "developer" + + 3. Create a second group named `qa-group`. + + \[student@workstation ~\]$ **`oc adm groups new qa-group`** + group.user.openshift.io/qa-group created + + 4. Add the `qa-engineer` user to the group that you created in the previous step. + + \[student@workstation ~\]$ **`oc adm groups add-users qa-group qa-engineer`** + group.user.openshift.io/qa-group added: "qa-engineer" + + 5. Review all existing OpenShift groups to verify that they have the correct members. + + \[student@workstation ~\]$ **`oc get groups`** + NAME USERS + Default SMB Group + admins Administrator + `dev-group developer` + developer + editors + ocpadmins Administrator + ocpdevs . 
developer + `qa-group qa-engineer` + + ### Note + + The lab environment already contains groups from the lab LDAP directory. + +5. As the `leader` user, assign write privileges for `dev-group` and read privileges for `qa-group` to the `auth-rbac` project. + + 1. Log in as the `leader` user. + + \[student@workstation ~\]$ **`oc login -u leader -p redhat`** + Login successful. + + _...output omitted..._ + + Using project "auth-rbac". + + 2. Add write privileges to the `dev-group` group on the `auth-rbac` project. + + \[student@workstation ~\]$ **`oc policy add-role-to-group edit dev-group`** + clusterrole.rbac.authorization.k8s.io/edit added: "dev-group" + + 3. Add read privileges to the `qa-group` group on the `auth-rbac` project. + + \[student@workstation ~\]$ **`oc policy add-role-to-group view qa-group`** + clusterrole.rbac.authorization.k8s.io/view added: "qa-group" + + 4. Review all role bindings on the `auth-rbac` project to verify that they assign roles to the correct groups and users. The following output omits default role bindings that OpenShift assigns to service accounts. + + \[student@workstation ~\]$ **`oc get rolebindings -o wide | grep -v '^system:'`** + NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS + admin ClusterRole/admin 60s admin + admin-0 ClusterRole/admin 45s leader + edit ClusterRole/edit 30s dev-group + view ClusterRole/view 15s qa-group + +6. As the `developer` user, deploy an Apache HTTP Server to prove that the `developer` user has write privileges in the project. Also try to grant write privileges to the `qa-engineer` user to prove that the `developer` user has no project administration privileges. + + 1. Log in as the `developer` user. + + \[student@workstation ~\]$ **`oc login -u developer -p developer`** + Login successful. + + _...output omitted..._ + + Using project "auth-rbac". + + 2. Deploy an Apache HTTP Server by using the standard image stream from OpenShift. 
+ + \[student@workstation ~\]$ **`oc new-app --name httpd httpd:2.4`** + _...output omitted..._ + --> Creating resources ... + imagestreamtag.image.openshift.io "httpd:2.4" created + Warning: would violate PodSecurity "restricted:v1.24": _...output omitted..._ + deployment.apps "httpd" created + service "httpd" created + --> Success + _...output omitted..._ + + ### Note + + It is safe to ignore pod security warnings for exercises in this course. OpenShift uses the Security Context Constraints controller to provide safe defaults for pod security. + + 3. Try to grant write privileges to the `qa-engineer` user. The operation should fail. + + \[student@workstation ~\]$ **`oc policy add-role-to-user edit qa-engineer`** + Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "developer" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "auth-rbac" + +7. Verify that the `qa-engineer` user can view objects in the `auth-rbac` project, but not modify anything. + + 1. Log in as the `qa-engineer` user. + + \[student@workstation ~\]$ **`oc login -u qa-engineer -p redhat`** + Login successful. + + _...output omitted..._ + + Using project "auth-rbac". + + 2. Attempt to scale the `httpd` application. The operation should fail. + + \[student@workstation ~\]$ **`oc scale deployment httpd --replicas 3`** + Error from server (Forbidden): deployments.apps "httpd" is forbidden: User "qa-engineer" cannot patch resource "deployments/scale" in API group "apps" in the namespace "auth-rbac" + +8. Restore project creation privileges to all users. + + 1. Log in as the `admin` user. + + \[student@workstation ~\]$ **`oc login -u admin -p redhatocp`** + Login successful. + + _...output omitted..._ + + 2. Restore project creation privileges for all users by re-creating the `self-provisioners` cluster role binding that the OpenShift installer created. 
+ + \[student@workstation ~\]$ **`oc adm policy add-cluster-role-to-group \ --rolebinding-name self-provisioners \ self-provisioner system:authenticated:oauth`** + Warning: Group 'system:authenticated:oauth' not found + clusterrole.rbac.authorization.k8s.io/self-provisioner added: "system:authenticated:oauth" + + ### Note + + You can safely ignore the warning that the group was not found. + + +**Finish** + +On the `workstation` machine, use the `lab` command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises. + +\[student@workstation ~\]$ **`lab finish auth-rbac`** diff --git a/mkdocs.yml b/mkdocs.yml index 42706a2..e285960 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -8,13 +8,15 @@ extra_css: nav: - Home: index.md - Labs: - - Security Lab: labs/security.md + - Security: + - Inject K8s secrets with Vault: labs/security/inject-k8s-secrets-vault.md + - Optional - OpenShift RBAC: labs/security/openshift-rbac.md - Inventory App: - Introduction: labs/inventory-app/inventory-application/index.md - Service: labs/inventory-app/inventory-service/index.md - BFF: labs/inventory-app/inventory-bff/index.md - UI: labs/inventory-app/inventory-ui/index.md - # - Optional - MongoDB: labs/inventory-app/inventory-mongodb/index.md + - Optional - MongoDB: labs/inventory-app/inventory-mongodb/index.md # - Optional - Auth with AppID: labs/inventory-app/inventory-appid/index.md theme: name: material From ad5c4c4ef614bb371b1f2b0f8162fab9459b3087 Mon Sep 17 00:00:00 2001 From: NoeSamaille Date: Sun, 21 Apr 2024 21:42:30 +0200 Subject: [PATCH 2/2] Adds OpenShift RBAC lab Signed-off-by: NoeSamaille --- .../labs/inventory-app/inventory-bff/index.md | 2 +- .../inventory-app/inventory-service/index.md | 2 +- docs/labs/inventory-app/inventory-ui/index.md | 2 +- docs/labs/security/openshift-rbac.md | 378 +++++++++++------- 4 files changed, 243 insertions(+), 141 deletions(-) 
diff --git a/docs/labs/inventory-app/inventory-bff/index.md b/docs/labs/inventory-app/inventory-bff/index.md index c8e6dbf..67d5e3c 100644 --- a/docs/labs/inventory-app/inventory-bff/index.md +++ b/docs/labs/inventory-app/inventory-bff/index.md @@ -27,7 +27,7 @@ The Inventory solution will use [GraphQL](https://graphql.org/) for its BFF laye !!! note You should have the [`tkn`](https://github.com/tektoncd/cli?tab=readme-ov-file#installing-tkn), [`tkn pac`](https://pipelinesascode.com/docs/guide/cli/#install) and `oc` CLIs installed. `oc` can be installed through the help section of your OpenShift console. - - In the OpenShift web console, click on email address top right, click on **Copy login command** and get the OpenShift login command, which includes a token. + - In the OpenShift web console, click on the user ID on the top right, click on **Copy login command** and get the OpenShift login command, which includes a token. ![OpenShift Login](../../../images/common/LoginCommand.png) diff --git a/docs/labs/inventory-app/inventory-service/index.md b/docs/labs/inventory-app/inventory-service/index.md index dbca8c1..98d4bbf 100644 --- a/docs/labs/inventory-app/inventory-service/index.md +++ b/docs/labs/inventory-app/inventory-service/index.md @@ -14,7 +14,7 @@ !!! note You should have the [`tkn`](https://github.com/tektoncd/cli?tab=readme-ov-file#installing-tkn), [`tkn pac`](https://pipelinesascode.com/docs/guide/cli/#install) and `oc` CLIs installed. `oc` can be installed through the help section of your OpenShift console. - - In the OpenShift web console, click on email address top right, click on **Copy login command** and get the OpenShift login command, which includes a token. + - In the OpenShift web console, click on the user ID on the top right, click on **Copy login command** and get the OpenShift login command, which includes a token. ![OpenShift Login](../../../images/common/LoginCommand.png) 
diff --git a/docs/labs/inventory-app/inventory-ui/index.md b/docs/labs/inventory-app/inventory-ui/index.md index 5e11696..7d00ed3 100644 --- a/docs/labs/inventory-app/inventory-ui/index.md +++ b/docs/labs/inventory-app/inventory-ui/index.md @@ -19,7 +19,7 @@ !!! note You should have the [`tkn`](https://github.com/tektoncd/cli?tab=readme-ov-file#installing-tkn), [`tkn pac`](https://pipelinesascode.com/docs/guide/cli/#install) and `oc` CLIs installed. `oc` can be installed through the help section of your OpenShift console. - - In the OpenShift web console, click on email address top right, click on **Copy login command** and get the OpenShift login command, which includes a token. + - In the OpenShift web console, click on the user ID on the top right, click on **Copy login command** and get the OpenShift login command, which includes a token. ![OpenShift Login](../../../images/common/LoginCommand.png) diff --git a/docs/labs/security/openshift-rbac.md b/docs/labs/security/openshift-rbac.md index bd1bb3a..5e4742f 100644 --- a/docs/labs/security/openshift-rbac.md +++ b/docs/labs/security/openshift-rbac.md 
@@ -1,194 +1,279 @@ -## Guided Exercise: Define and Apply Permissions with RBAC +# Guided Exercise: Define and Apply Permissions with RBAC Define role-based access controls and apply permissions to users. -**Outcomes** +## Outcomes * Remove project creation privileges from users who are not OpenShift cluster administrators. - * Create OpenShift groups and add members to these groups. - * Create a project and assign project administration privileges to the project. - * As a project administrator, assign read and write privileges to different groups of users. - - -As the `student` user on the `workstation` machine, use the `lab` command to prepare your system for this exercise. -This command ensures that the cluster API is reachable and creates some HTPasswd users for the exercise. - -\[student@workstation ~\]$ **`lab start auth-rbac`** - -**Instructions** +## Instructions 1. Log in to the OpenShift cluster and determine which cluster role bindings assign the `self-provisioner` cluster role. + + 1. Run the login command in your terminal, with the login provided to you (requires admin access): - 1. Log in to the cluster as the `admin` user. - - \[student@workstation ~\]$ **`oc login -u admin -p redhatocp \ https://api.ocp4.example.com:6443`** - Login successful. - - _...output omitted..._ + ```sh + export OCP_USER=team1 # CHANGEME + export OCP_PASSWORD=123 # CHANGEME + export OCP_SERVER=https://api.example.com:6443 # CHANGEME + oc login -u ${OCP_USER} -p ${OCP_PASSWORD} --server=${OCP_SERVER} + ``` 2. List all cluster role bindings that reference the `self-provisioner` cluster role. - - \[student@workstation ~\]$ **`oc get clusterrolebinding -o wide | \ grep -E 'ROLE|self-provisioner'`** - NAME ROLE ... GROUPS ... - self-provisioners `ClusterRole/self-provisioner` ... `system:authenticated:oauth` + + ```sh + oc get clusterrolebinding -o wide | grep -E 'ROLE|self-provisioner' + ``` 2. 
Remove the privilege to create projects from all users who are not cluster administrators by deleting the `self-provisioner` cluster role from the `system:authenticated:oauth` virtual group. 1. Confirm that the `self-provisioners` cluster role binding that you found in the previous step assigns the `self-provisioner` cluster role to the `system:authenticated:oauth` group. - \[student@workstation ~\]$ **`oc describe clusterrolebindings self-provisioners`** + + ```sh + oc describe clusterrolebindings self-provisioners + ``` + + Expected output: + ``` Name: self-provisioners Labels: Annotations: rbac.authorization.kubernetes.io/autoupdate: true Role: - Kind: `ClusterRole` - Name: `self-provisioner` + Kind: ClusterRole + Name: self-provisioner Subjects: Kind Name Namespace ---- ---- --------- - Group `system:authenticated:oauth` + Group system:authenticated:oauth + ``` 2. Remove the `self-provisioner` cluster role from the `system:authenticated:oauth` virtual group, which deletes the `self-provisioners` role binding. - \[student@workstation ~\]$ **`oc adm policy remove-cluster-role-from-group \ self-provisioner system:authenticated:oauth`** + + ```sh + oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth + ``` + + Expected output: + ``` Warning: Your changes may get lost whenever a master is restarted, unless you prevent reconciliation of this rolebinding using the following command: oc annotate clusterrolebinding.rbac self-provisioners 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite clusterrole.rbac.authorization.k8s.io/self-provisioner removed: "system:authenticated:oauth" - - ### Note - - You can safely ignore the warning about your changes being lost. + ``` + + !!! note + You can safely ignore the warning about your changes being lost. 3. Verify that the role is removed from the group. The cluster role binding `self-provisioners` should not exist. 
- \[student@workstation ~\]$ **`oc describe clusterrolebindings self-provisioners`** - Error from server (NotFound): clusterrolebindings.rbac.authorization.k8s.io "self-provisioners" not found + ```sh + oc describe clusterrolebindings self-provisioners + ``` + Expected output: + ``` + Error from server (NotFound): clusterrolebindings.rbac.authorization.k8s.io "self-provisioners" not found + ``` + 4. Determine whether any other cluster role bindings reference the `self-provisioner` cluster role. - \[student@workstation ~\]$ **`oc get clusterrolebinding -o wide | \ grep -E 'ROLE|self-provisioner'`** + ```sh + oc get clusterrolebinding -o wide | grep -E 'ROLE|self-provisioner' + ``` + + Expected output: + ``` NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS + ``` - 5. Log in as the `leader` user with the `redhat` password. + 5. Log in as the `leader-${SUFFIX}` user with the `redhat` password. - \[student@workstation ~\]$ **`oc login -u leader -p redhat`** - Login successful. + ```sh + export SUFFIX=${OCP_USER} # e.g. team1 + oc login -u leader-${SUFFIX} -p redhat + ``` - _...output omitted..._ + Expected output: + ``` + Login successful. + ...output omitted... + ``` 6. Try to create a project. The operation should fail. + + ```sh + oc new-project test + ``` - \[student@workstation ~\]$ **`oc new-project test`** + Expected output: + ``` Error from server (Forbidden): You may not request a new project via this API. + ``` -3. Create a project and add project administration privileges to the `leader` user. +3. Create a project and add project administration privileges to the `leader-${SUFFIX}` user. - 1. Log in as the `admin` user. + 1. Log in with your admin user: + + ```sh + oc login -u ${OCP_USER} -p ${OCP_PASSWORD} + ``` - \[student@workstation ~\]$ **`oc login -u admin -p redhatocp`** + Expected output: + ``` Login successful. + ...output omitted... + ``` - _...output omitted..._ - - 2. Create the `auth-rbac` project. + 2. Create the `auth-rbac-${SUFFIX}` project. 
+ + ```sh + oc new-project auth-rbac-${SUFFIX} + ``` - \[student@workstation ~\]$ **`oc new-project auth-rbac`** - Now using project "auth-rbac" on server "https://api.ocp4.example.com:6443". + Expected output: + ``` + Now using project "auth-rbac-${SUFFIX}" on server "https://api.ocp4.example.com:6443". + ...output omitted... + ``` - _...output omitted..._ - - 3. Grant project administration privileges to the `leader` user on the `auth-rbac` project. + 3. Grant project administration privileges to the `leader-${SUFFIX}` user on the `auth-rbac-${SUFFIX}` project. + + ```sh + oc policy add-role-to-user admin leader-${SUFFIX} + ``` - \[student@workstation ~\]$ **`oc policy add-role-to-user admin leader`** - clusterrole.rbac.authorization.k8s.io/admin added: "leader" + Expected output: + ``` + clusterrole.rbac.authorization.k8s.io/admin added: "leader-${SUFFIX}" + ``` -4. Create the `dev-group` and `qa-group` groups and add their respective members. +4. Create the `dev-group-${SUFFIX}` and `qa-group-${SUFFIX}` groups and add their respective members. - 1. Create a group named `dev-group`. + 1. Create a group named `dev-group-${SUFFIX}`. + + ```sh + oc adm groups new dev-group-${SUFFIX} + ``` - \[student@workstation ~\]$ **`oc adm groups new dev-group`** - group.user.openshift.io/dev-group created + Expected output: + ``` + group.user.openshift.io/dev-group-${SUFFIX} created + ``` - 2. Add the `developer` user to the group that you created in the previous step. + 2. Add the `developer-${SUFFIX}` user to the group that you created in the previous step. + + ```sh + oc adm groups add-users dev-group-${SUFFIX} developer-${SUFFIX} + ``` - \[student@workstation ~\]$ **`oc adm groups add-users dev-group developer`** - group.user.openshift.io/dev-group added: "developer" + Expected output: + ``` + group.user.openshift.io/dev-group-${SUFFIX} added: "developer-${SUFFIX}" + ``` - 3. Create a second group named `qa-group`. + 3. Create a second group named `qa-group-${SUFFIX}`. 
+ + ```sh + oc adm groups new qa-group-${SUFFIX} + ``` - \[student@workstation ~\]$ **`oc adm groups new qa-group`** - group.user.openshift.io/qa-group created + Expected output: + ``` + group.user.openshift.io/qa-group-${SUFFIX} created + ``` - 4. Add the `qa-engineer` user to the group that you created in the previous step. + 4. Add the `qa-engineer-${SUFFIX}` user to the group that you created in the previous step. + + ```sh + oc adm groups add-users qa-group-${SUFFIX} qa-engineer-${SUFFIX} + ``` - \[student@workstation ~\]$ **`oc adm groups add-users qa-group qa-engineer`** - group.user.openshift.io/qa-group added: "qa-engineer" + Expected output: + ``` + group.user.openshift.io/qa-group-${SUFFIX} added: "qa-engineer-${SUFFIX}" + ``` 5. Review all existing OpenShift groups to verify that they have the correct members. + + ```sh + oc get groups + ``` - \[student@workstation ~\]$ **`oc get groups`** - NAME USERS - Default SMB Group - admins Administrator - `dev-group developer` - developer - editors - ocpadmins Administrator - ocpdevs . developer - `qa-group qa-engineer` - - ### Note - - The lab environment already contains groups from the lab LDAP directory. - -5. As the `leader` user, assign write privileges for `dev-group` and read privileges for `qa-group` to the `auth-rbac` project. +5. As the `leader-${SUFFIX}` user, assign write privileges for `dev-group-${SUFFIX}` and read privileges for `qa-group-${SUFFIX}` to the `auth-rbac-${SUFFIX}` project. - 1. Log in as the `leader` user. + 1. Log in as the `leader-${SUFFIX}` user. + + ```sh + oc login -u leader-${SUFFIX} -p redhat + ``` - \[student@workstation ~\]$ **`oc login -u leader -p redhat`** + Expected output: + ``` Login successful. - _...output omitted..._ - - Using project "auth-rbac". - - 2. Add write privileges to the `dev-group` group on the `auth-rbac` project. + ...output omitted... 
- \[student@workstation ~\]$ **`oc policy add-role-to-group edit dev-group`** - clusterrole.rbac.authorization.k8s.io/edit added: "dev-group" + Using project "auth-rbac-${SUFFIX}". + ``` - 3. Add read privileges to the `qa-group` group on the `auth-rbac` project. - - \[student@workstation ~\]$ **`oc policy add-role-to-group view qa-group`** - clusterrole.rbac.authorization.k8s.io/view added: "qa-group" + 2. Add write privileges to the `dev-group-${SUFFIX}` group on the `auth-rbac-${SUFFIX}` project. + + ```sh + oc policy add-role-to-group edit dev-group-${SUFFIX} + ``` + + Expected output: + ``` + clusterrole.rbac.authorization.k8s.io/edit added: "dev-group-${SUFFIX}" + ``` + + 3. Add read privileges to the `qa-group-${SUFFIX}` group on the `auth-rbac-${SUFFIX}` project. + + ```sh + oc policy add-role-to-group view qa-group-${SUFFIX} + ``` - 4. Review all role bindings on the `auth-rbac` project to verify that they assign roles to the correct groups and users. The following output omits default role bindings that OpenShift assigns to service accounts. + Expected output: + ``` + clusterrole.rbac.authorization.k8s.io/view added: "qa-group-${SUFFIX}" + ``` - \[student@workstation ~\]$ **`oc get rolebindings -o wide | grep -v '^system:'`** - NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS - admin ClusterRole/admin 60s admin - admin-0 ClusterRole/admin 45s leader - edit ClusterRole/edit 30s dev-group - view ClusterRole/view 15s qa-group + 4. Review all role bindings on the `auth-rbac-${SUFFIX}` project to verify that they assign roles to the correct groups and users. The following output omits default role bindings that OpenShift assigns to service accounts. + + ```sh + oc get rolebindings -o wide | grep -v '^system:' + ``` -6. As the `developer` user, deploy an Apache HTTP Server to prove that the `developer` user has write privileges in the project. 
Also try to grant write privileges to the `qa-engineer` user to prove that the `developer` user has no project administration privileges. +6. As the `developer-${SUFFIX}` user, deploy an Apache HTTP Server to prove that the `developer-${SUFFIX}` user has write privileges in the project. Also try to grant write privileges to the `qa-engineer-${SUFFIX}` user to prove that the `developer-${SUFFIX}` user has no project administration privileges. - 1. Log in as the `developer` user. + 1. Log in as the `developer-${SUFFIX}` user. + + ```sh + oc login -u developer-${SUFFIX} -p redhat + ``` + + Expected output: + ``` - \[student@workstation ~\]$ **`oc login -u developer -p developer`** Login successful. - _...output omitted..._ + ...output omitted... - Using project "auth-rbac". + Using project "auth-rbac-${SUFFIX}". + ``` 2. Deploy an Apache HTTP Server by using the standard image stream from OpenShift. + + ```sh + oc new-app --name httpd httpd:2.4 + ``` - \[student@workstation ~\]$ **`oc new-app --name httpd httpd:2.4`** + Expected output: + ``` _...output omitted..._ --> Creating resources ... imagestreamtag.image.openshift.io "httpd:2.4" created 
@@ -197,54 +282,71 @@ This command ensures that the cluster API is reachable and creates some HTPasswd service "httpd" created --> Success _...output omitted..._ + ``` + + !!! note + It is safe to ignore pod security warnings for exercises in this course. OpenShift uses the Security Context Constraints controller to provide safe defaults for pod security. - ### Note - - It is safe to ignore pod security warnings for exercises in this course. OpenShift uses the Security Context Constraints controller to provide safe defaults for pod security. - - 3. Try to grant write privileges to the `qa-engineer` user. The operation should fail. + 3. Try to grant write privileges to the `qa-engineer-${SUFFIX}` user. The operation should fail. + + ```sh + oc policy add-role-to-user edit qa-engineer-${SUFFIX} + ``` - \[student@workstation ~\]$ **`oc policy add-role-to-user edit qa-engineer`** - Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "developer" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "auth-rbac" + Expected output: + ``` + Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "developer-${SUFFIX}" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "auth-rbac-${SUFFIX}" + ``` -7. Verify that the `qa-engineer` user can view objects in the `auth-rbac` project, but not modify anything. +7. Verify that the `qa-engineer-${SUFFIX}` user can view objects in the `auth-rbac-${SUFFIX}` project, but not modify anything. - 1. Log in as the `qa-engineer` user. + 1. Log in as the `qa-engineer-${SUFFIX}` user. + + ```sh + oc login -u qa-engineer-${SUFFIX} -p redhat + ``` - \[student@workstation ~\]$ **`oc login -u qa-engineer -p redhat`** + Expected output: + ``` Login successful. _...output omitted..._ - Using project "auth-rbac". + Using project "auth-rbac-${SUFFIX}". + ``` 2. Attempt to scale the `httpd` application. 
The operation should fail. + + ```sh + oc scale deployment httpd --replicas 3 + ``` - \[student@workstation ~\]$ **`oc scale deployment httpd --replicas 3`** - Error from server (Forbidden): deployments.apps "httpd" is forbidden: User "qa-engineer" cannot patch resource "deployments/scale" in API group "apps" in the namespace "auth-rbac" + Expected output: + ``` + Error from server (Forbidden): deployments.apps "httpd" is forbidden: User "qa-engineer-${SUFFIX}" cannot patch resource "deployments/scale" in API group "apps" in the namespace "auth-rbac-${SUFFIX}" + ``` 8. Restore project creation privileges to all users. - 1. Log in as the `admin` user. - - \[student@workstation ~\]$ **`oc login -u admin -p redhatocp`** - Login successful. - - _...output omitted..._ + 1. Log in with your admin user: + + ```sh + oc login -u ${OCP_USER} -p ${OCP_PASSWORD} + ``` 2. Restore project creation privileges for all users by re-creating the `self-provisioners` cluster role binding that the OpenShift installer created. + + ```sh + oc adm policy add-cluster-role-to-group --rolebinding-name self-provisioners self-provisioner system:authenticated:oauth + ``` - \[student@workstation ~\]$ **`oc adm policy add-cluster-role-to-group \ --rolebinding-name self-provisioners \ self-provisioner system:authenticated:oauth`** + Expected output: + ``` Warning: Group 'system:authenticated:oauth' not found clusterrole.rbac.authorization.k8s.io/self-provisioner added: "system:authenticated:oauth" - - ### Note - - You can safely ignore the warning that the group was not found. - - -**Finish** + ``` -On the `workstation` machine, use the `lab` command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises. - -\[student@workstation ~\]$ **`lab finish auth-rbac`** + !!! note + You can safely ignore the warning that the group was not found. + +Congrats, you have completed the lab!
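Review bot: the new docs/labs/security/openshift-rbac.md in PATCH 1/2 is tied to an external lab environment (`lab start auth-rbac`, the `student@workstation` prompt, `api.ocp4.example.com`, the `admin`/`redhatocp` and `leader`/`redhat` credentials) that this repository does not provide, and PATCH 2/2 then rewrites most of it; squash the two commits so the unusable intermediate version never lands, and if the text is adapted from course material, name the source and its license in the page or the commit message.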
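Review bot: the mkdocs.yml hunk also uncomments `- Optional - MongoDB: labs/inventory-app/inventory-mongodb/index.md`, which is unrelated to the "Adds OpenShift RBAC" subject; either split that into its own commit or mention it in the commit message, and confirm the MongoDB page actually builds, since it was commented out before.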
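Review bot: in the first openshift-rbac.md hunk of PATCH 2/2 (`@@ -1,194 +1,279 @@`), step 2.2 removes the cluster-scoped `self-provisioners` ClusterRoleBinding while every other resource is isolated per team via `${SUFFIX}`; on a shared cluster, one team's step 8 (`oc adm policy add-cluster-role-to-group --rolebinding-name self-provisioners self-provisioner system:authenticated:oauth`) re-grants project creation to everyone while another team is still at step 2.6 expecting `oc new-project test` to be Forbidden, and a team that never reaches step 8 leaves every other user unable to create projects. State that steps 2 and 8 affect the whole cluster and are run once by one person, or drop them for shared runs. Two smaller points in the same hunk: `export OCP_PASSWORD=123 # CHANGEME` puts the admin password in shell history and in the environment of every child process, whereas `oc login -u ${OCP_USER} --server=${OCP_SERVER}` without `-p` prompts for it; and the step 3.2 expected output still shows `on server "https://api.ocp4.example.com:6443"` although the login now uses `${OCP_SERVER}`.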
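Review bot: in the second openshift-rbac.md hunk (`@@ -197,54 +282,71 @@`), the old Finish/cleanup section is replaced by "Congrats, you have completed the lab!" with no teardown, so `auth-rbac-${SUFFIX}`, `dev-group-${SUFFIX}`, `qa-group-${SUFFIX}` and the `httpd` deployment persist on the cluster after every run; add a cleanup step before the closing line, for example `oc delete project auth-rbac-${SUFFIX}` and `oc delete group dev-group-${SUFFIX} qa-group-${SUFFIX}` as the admin user. Also, the `_...output omitted..._` lines kept as context inside the new ``` fences in this hunk (end of the step 6.2 output and step 7.1) will render with literal underscores; replace them with `...output omitted...` as the other expected-output blocks do.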