When we create, for example, the infra project, our oc command is executed as the currently logged-in user, who may or may not have the appropriate role to create a project, configMap, serviceaccount ....
Nevertheless, if the role linked to the user is the one used, that means that he/she will be able to manage the content of the infra project. This is not an issue for the admin user, which is cluster-wide, but it is a problem for the demo users (user1, user2, ....)
To secure our platform in that case, the following parameter should be passed to the oc command when a resource is created, deleted or edited:
oc --config={{ openshift.common.config_base }}/admin.kubeconfig
where {{ openshift.common.config_base }} could be: /etc/origin/master
If we create the 'infra' project as such
then the user can't access content of infra folder