From 5030d96caaac59d425645dcd6854d1f96d752164 Mon Sep 17 00:00:00 2001
From: John Collier
Date: Fri, 20 Jun 2025 17:36:26 -0400
Subject: [PATCH 1/3] Manage user authorization via GitOps
Signed-off-by: John Collier
---
authorization/README.md | 9 +++++++++
authorization/kustomization.yaml | 7 +++++++
authorization/redhat-ai-dev-edit.yaml | 12 ++++++++++++
authorization/redhat-ai-dev-users.yaml | 21 +++++++++++++++++++++
4 files changed, 49 insertions(+)
create mode 100644 authorization/README.md
create mode 100644 authorization/kustomization.yaml
create mode 100644 authorization/redhat-ai-dev-edit.yaml
create mode 100644 authorization/redhat-ai-dev-users.yaml
diff --git a/authorization/README.md b/authorization/README.md
new file mode 100644
index 0000000..8b25d6a
--- /dev/null
+++ b/authorization/README.md
@@ -0,0 +1,9 @@
+# authorization
+
+> [!IMPORTANT]
+> Before adding a new group or rolebinding to the cluster, you **must** reach out to one of the cluster admins on Slack first.
+
+> [!NOTE]
+> Adding your username to one of the `Group`s managed by this ArgoCD application does **not** create your username or grant access to the cluster. You must already have a user account on the cluster in order for these role bindings to take effect.
+
+Membership in the `redhat-ai-dev-users` `Group` on the cluster grants cluster-wide `edit` permissions. Additional permissions can be configured via additional `Group` and `RoleBinding` resources.
\ No newline at end of file
diff --git a/authorization/kustomization.yaml b/authorization/kustomization.yaml
new file mode 100644
index 0000000..824b2cd
--- /dev/null
+++ b/authorization/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - redhat-ai-dev-edit.yaml
+ - redhat-ai-dev-users.yaml
+
+namespace: open-webui
diff --git a/authorization/redhat-ai-dev-edit.yaml b/authorization/redhat-ai-dev-edit.yaml
new file mode 100644
index 0000000..432e0b6
--- /dev/null
+++ b/authorization/redhat-ai-dev-edit.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: redhat-ai-dev-edit
+subjects:
+ - kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: redhat-ai-dev-users
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: edit
diff --git a/authorization/redhat-ai-dev-users.yaml b/authorization/redhat-ai-dev-users.yaml
new file mode 100644
index 0000000..d954453
--- /dev/null
+++ b/authorization/redhat-ai-dev-users.yaml
@@ -0,0 +1,21 @@
+# This group provides cluster-wide edit access on the redhat-ai-dev team OpenShift cluster.
+# Your user *must* already exist on the cluster before adding it to this list
+kind: Group
+apiVersion: user.openshift.io/v1
+metadata:
+ name: redhat-ai-dev-users
+users:
+ - yangcao77
+ - michael-valdron
+ - maysunfaisal
+ - elsony
+ - thepetk
+ - benwilcock
+ - jdubrick
+ - mfaisal
+ - yangcao
+ - mvaldron
+ - tpetkos
+ - gmontero
+ - jrichter
+ - karthik
From ab01a60f0aaeb336374a3b53ff3daec94a165484 Mon Sep 17 00:00:00 2001
From: John Collier
Date: Mon, 23 Jun 2025 14:54:22 -0400
Subject: [PATCH 2/3] Clean up RBAC
Signed-off-by: John Collier
---
authorization/README.md | 2 +-
authorization/kustomization.yaml | 6 +++---
...-dev-users.yaml => redhat-ai-dev-edit-users.yaml} | 12 ++++--------
authorization/redhat-ai-dev-view-users.yaml | 6 ++++++
authorization/redhat-ai-dev-view.yaml | 12 ++++++++++++
5 files changed, 26 insertions(+), 12 deletions(-)
rename authorization/{redhat-ai-dev-users.yaml => redhat-ai-dev-edit-users.yaml} (56%)
create mode 100644 authorization/redhat-ai-dev-view-users.yaml
create mode 100644 authorization/redhat-ai-dev-view.yaml
diff --git a/authorization/README.md b/authorization/README.md
index 8b25d6a..fb016db 100644
--- a/authorization/README.md
+++ b/authorization/README.md
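Review bot: `redhat-ai-dev-edit` binds `ClusterRole` `edit` through a `ClusterRoleBinding`, which grants the group `edit` in every namespace on the cluster, including the platform namespaces, whereas the Kustomization in this same patch sets `namespace: open-webui` as if one namespace were the intended scope. The stock `edit` ClusterRole includes get/create/update/delete on `Secrets` and create on `pods/exec`, so this is effectively read/write access to every namespace's credentials and running workloads, not just the team's own. If the intent is team access to specific workloads, a namespaced `RoleBinding` that references the same `edit` ClusterRole (`kind: RoleBinding` plus `namespace: open-webui` under `metadata`) gives the same permissions with a bounded blast radius, and the cluster-wide binding can stay reserved for a much smaller admin group. If cluster-wide `edit` is genuinely intended, the README should spell out that it includes secrets and exec in all namespaces so people added to the group understand what they are being granted.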
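Review bot: The `users` list appears to mix GitHub-style handles and SSO-style handles for the same people (`yangcao77`/`yangcao`, `michael-valdron`/`mvaldron`, `maysunfaisal`/`mfaisal`, `thepetk`/`tpetkos`), and since OpenShift matches Group membership by exact `User` name, an entry that does not correspond to a real SSO login either does nothing or hands cluster-wide `edit` to whoever later authenticates under that name. PATCH 2/3 drops the GitHub-style entries, so what remains is hygiene: keep the list sorted so each membership change shows as a one-line diff that is easy to audit, and state the expected identity format in the header comment, e.g. `# Entries must be the exact OpenShift User name (SSO login), not a GitHub handle`.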
@@ -4,6 +4,6 @@ > Before adding a new group or rolebinding to the cluster, you **must** reach out to one of the cluster admins on Slack first. > [!NOTE] -> Adding your username to one of the `Group`s managed by this ArgoCD application does **not** create your username or grant access to the cluster. You must already have a user account on the cluster in order for these role bindings to take effect. +> Adding your username to one of the `Group`s managed by this ArgoCD application does **not** create your username or grant access to the cluster. You must already have an internal SSO login in order for these role bindings to take effect. Membership in the `redhat-ai-dev-users` `Group` on the cluster grants cluster-wide `edit` permissions. Additional permissions can be configured via additional `Group` and `RoleBinding` resources.
\ No newline at end of file
diff --git a/authorization/kustomization.yaml b/authorization/kustomization.yaml
index 824b2cd..4b056e0 100644
--- a/authorization/kustomization.yaml
+++ b/authorization/kustomization.yaml
@@ -2,6 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - redhat-ai-dev-edit.yaml - - redhat-ai-dev-users.yaml - -namespace: open-webui + - redhat-ai-dev-edit-users.yaml + - redhat-ai-dev-view.yaml + - redhat-ai-dev-view-users.yaml
diff --git a/authorization/redhat-ai-dev-users.yaml b/authorization/redhat-ai-dev-edit-users.yaml
similarity index 56%
rename from authorization/redhat-ai-dev-users.yaml
rename to authorization/redhat-ai-dev-edit-users.yaml
index d954453..4935ad7 100644
--- a/authorization/redhat-ai-dev-users.yaml
+++ b/authorization/redhat-ai-dev-edit-users.yaml
@@ -1,16 +1,11 @@ # This group provides cluster-wide edit access on the redhat-ai-dev team OpenShift cluster. -# Your user *must* already exist on the cluster before adding it to this list +# This does *not* create your user on the cluster, you **must** have an internal SSO account to log on kind: Group apiVersion: user.openshift.io/v1 metadata: - name: redhat-ai-dev-users + name: redhat-ai-dev-edit-users users: - - yangcao77 - - michael-valdron - - maysunfaisal - - elsony - - thepetk - - benwilcock + - bwilcock - jdubrick - mfaisal - yangcao
@@ -19,3 +14,4 @@ users: - gmontero - jrichter - karthik + - eyuen
diff --git a/authorization/redhat-ai-dev-view-users.yaml b/authorization/redhat-ai-dev-view-users.yaml
new file mode 100644
index 0000000..74ef1da
--- /dev/null
+++ b/authorization/redhat-ai-dev-view-users.yaml
@@ -0,0 +1,6 @@
+# This group provides cluster-wide view access on the redhat-ai-dev team OpenShift cluster.
+# This does *not* create your user on the cluster, you **must** have an internal SSO account to log on
+kind: Group
+apiVersion: user.openshift.io/v1
+metadata:
+ name: redhat-ai-dev-view-users
\ No newline at end of file
diff --git a/authorization/redhat-ai-dev-view.yaml b/authorization/redhat-ai-dev-view.yaml
new file mode 100644
index 0000000..ec90636
--- /dev/null
+++ b/authorization/redhat-ai-dev-view.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: redhat-ai-dev-view
+subjects:
+ - kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: redhat-ai-dev-users
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
From cb2956e4d5ab8ac8717da179f51ddec537bb094a Mon Sep 17 00:00:00 2001
From: John Collier
Date: Wed, 25 Jun 2025 11:31:04 -0400
Subject: [PATCH 3/3] Update authorization/README.md
Co-authored-by: Theofanis Petkos
---
authorization/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
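Review bot: The Group is renamed from `redhat-ai-dev-users` to `redhat-ai-dev-edit-users` in this hunk, but `authorization/redhat-ai-dev-edit.yaml` is not in this patch's diffstat, and as added in PATCH 1/3 its `ClusterRoleBinding` still lists `name: redhat-ai-dev-users` as its `Group` subject, so after this commit the `edit` binding refers to a Group that no longer exists. That fails closed for current members, who lose `edit` once ArgoCD syncs, and it leaves a dangling cluster-wide `edit` grant that any Group later created under the old name would silently inherit. Update the subject in `redhat-ai-dev-edit.yaml` to `name: redhat-ai-dev-edit-users` in the same commit so the rename and the binding move together. The README sentence beginning "Membership in the" still cites `redhat-ai-dev-users` as the group that grants `edit`, both here and after PATCH 3/3, and should be updated to the new name as well.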
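Review bot: The subject of the new `redhat-ai-dev-view` binding is `Group` `redhat-ai-dev-users`, but the Group this patch adds for view access is `redhat-ai-dev-view-users`, and `redhat-ai-dev-users` is renamed away in the same patch, so the `view` binding points at a name that no longer exists and the view group's members receive nothing. Change the subject line to `name: redhat-ai-dev-view-users`. As written, the `edit` and `view` bindings both name `redhat-ai-dev-users`, so any Group later created under that name would receive both, which defeats the purpose of a separate read-only tier. In `redhat-ai-dev-view-users.yaml` the Group has no `users` key at all; `users: []` would make the intentionally empty membership explicit for anyone auditing who holds what.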
diff --git a/authorization/README.md b/authorization/README.md
index fb016db..0115044 100644
--- a/authorization/README.md
+++ b/authorization/README.md
@@ -1,7 +1,7 @@ # authorization > [!IMPORTANT] -> Before adding a new group or rolebinding to the cluster, you **must** reach out to one of the cluster admins on Slack first. +> Before adding a new group or rolebinding to the cluster, you **must** reach out to the cluster admins on Slack first (handle: `rhdh-cluster-admins`). > [!NOTE] > Adding your username to one of the `Group`s managed by this ArgoCD application does **not** create your username or grant access to the cluster. You must already have an internal SSO login in order for these role bindings to take effect.