diff --git a/modules/builds-disabling-build-strategy-globally.adoc b/modules/builds-disabling-build-strategy-globally.adoc index 6480bc0570a1..49f212da758e 100644 --- a/modules/builds-disabling-build-strategy-globally.adoc +++ b/modules/builds-disabling-build-strategy-globally.adoc @@ -15,32 +15,8 @@ To prevent access to a particular build strategy globally, log in as a user with + [source,terminal] ---- -$ oc edit clusterrolebinding system:build-strategy-docker-binding +$ oc annotate clusterrolebinding.rbac system:build-strategy-docker-binding 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite ---- -+ -.Example output -[source,yaml] ----- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "false" <1> - creationTimestamp: 2018-08-10T01:24:14Z - name: system:build-strategy-docker-binding - resourceVersion: "225" - selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/system%3Abuild-strategy-docker-binding - uid: 17b1f3d4-9c3c-11e8-be62-0800277d20bf -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:build-strategy-docker -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated ----- -<1> Change the `rbac.authorization.kubernetes.io/autoupdate` annotation's value to `"false"`. . Remove the role: + @@ -49,45 +25,14 @@ subjects: $ oc adm policy remove-cluster-role-from-group system:build-strategy-docker system:authenticated ---- -. Ensure the build strategy subresources are also removed from these roles: +. Ensure the build strategy subresources are also removed from the `admin` and `edit` user roles: + [source,terminal] ---- -$ oc edit clusterrole admin +$ oc get clusterrole admin -o yaml | grep "builds/docker" ---- + [source,terminal] ---- -$ oc edit clusterrole edit ----- - -. For each role, specify the subresources that correspond to the resource of the strategy to disable. - -.. Disable the docker Build Strategy for *admin*: -+ -[source,yaml] ----- -kind: ClusterRole -metadata: - name: admin -... -- apiGroups: - - "" - - build.openshift.io - resources: - - buildconfigs - - buildconfigs/webhooks - - builds/custom <1> - - builds/source - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -... +$ oc get clusterrole edit -o yaml | grep "builds/docker" ---- -<1> Add `builds/custom` and `builds/source` to disable docker builds globally for users with the *admin* role.