Configuration: cluster-admin tasks

Contributors ac-ntap netapp-dorianh Download PDF of this page

The following tasks are performed by the Red Hat OpenShift cluster-admin:

  1. Log into Red Hat OpenShift cluster as the cluster-admin.

  2. Create two projects corresponding to different projects.

    oc create namespace project-1
    oc create namespace project-2
  3. Create the developer role for project-1.

    cat << EOF | oc create -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: project-1
      name: developer-project-1
    rules:
      - verbs:
          - '*'
        apiGroups:
          - apps
          - batch
          - autoscaling
          - extensions
          - networking.k8s.io
          - policy
          - apps.openshift.io
          - build.openshift.io
          - image.openshift.io
          - ingress.operator.openshift.io
          - route.openshift.io
          - snapshot.storage.k8s.io
          - template.openshift.io
        resources:
          - '*'
      - verbs:
          - '*'
        apiGroups:
          - ''
        resources:
          - bindings
          - configmaps
          - endpoints
          - events
          - persistentvolumeclaims
          - pods
          - pods/log
          - pods/attach
          - podtemplates
          - replicationcontrollers
          - services
          - limitranges
          - namespaces
          - componentstatuses
          - nodes
      - verbs:
          - '*'
        apiGroups:
          - trident.netapp.io
        resources:
          - tridentsnapshots
    EOF
The role definition provided in this section is just an example. Developer role must be defined based on the end-user requirements.
  1. Similarly, create developer roles for project-2.

  2. All OpenShift and NetApp storage resources are usually managed by a storage admin. Access for storage administrators is controlled by the trident operator role that is created when Trident is installed. In addition to this, the storage admin also requires access to ResourceQuotas to control how storage is consumed.

  3. Create a role for managing ResourceQuotas in all projects in the cluster to attach it to storage admin:

    cat << EOF | oc create -f -
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: resource-quotas-role
    rules:
      - verbs:
          - '*'
        apiGroups:
          - ''
        resources:
          - resourcequotas
      - verbs:
          - '*'
        apiGroups:
          - quota.openshift.io
        resources:
          - '*'
    EOF
  4. Make sure that the cluster is integrated with the organization’s identity provider and that user groups are sync’d with cluster groups. The following example shows that the identity provider has been integrated with the cluster and sync’d with the user groups.

$ oc get groups
NAME                        USERS
ocp-netapp-storage-admins   ocp-netapp-storage-admin
ocp-project-1               ocp-project-1-user
ocp-project-2               ocp-project-2-user
  1. Configure ClusterRoleBindings for storage admins.

    cat << EOF | oc create -f -
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: netapp-storage-admin-trident-operator
    subjects:
      - kind: Group
        apiGroup: rbac.authorization.k8s.io
        name: ocp-netapp-storage-admins
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: trident-operator
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: netapp-storage-admin-resource-quotas-cr
    subjects:
      - kind: Group
        apiGroup: rbac.authorization.k8s.io
        name: ocp-netapp-storage-admins
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: resource-quotas-role
    EOF
For storage admins, two roles must be bound – trident-operator and resource-quotas roles.
  1. Create RoleBindings for developers binding the developer-project-1 role to the corresponding group (ocp-project-1) in project-1.

    cat << EOF | oc create -f -
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: project-1-developer
      namespace: project-1
    subjects:
      - kind: Group
        apiGroup: rbac.authorization.k8s.io
        name: ocp-project-1
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: developer-project-1
    EOF
  1. Similarly, create RoleBindings for developers binding the developer roles to the corresponding user group in project-2.