Configuration: cluster-admin tasks
Suggest changes
PDFs
The following tasks are performed by the Red Hat OpenShift cluster-admin:
-
Log into Red Hat OpenShift cluster as the cluster-admin.
-
Create two projects corresponding to different projects.
oc create namespace project-1 oc create namespace project-2 -
Create the developer role for project-1.
cat << EOF | oc create -f - apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: project-1 name: developer-project-1 rules: - verbs: - '*' apiGroups: - apps - batch - autoscaling - extensions - networking.k8s.io - policy - apps.openshift.io - build.openshift.io - image.openshift.io - ingress.operator.openshift.io - route.openshift.io - snapshot.storage.k8s.io - template.openshift.io resources: - '*' - verbs: - '*' apiGroups: - '' resources: - bindings - configmaps - endpoints - events - persistentvolumeclaims - pods - pods/log - pods/attach - podtemplates - replicationcontrollers - services - limitranges - namespaces - componentstatuses - nodes - verbs: - '*' apiGroups: - trident.netapp.io resources: - tridentsnapshots EOF
|
The role definition provided in this section is just an example. Developer roles must be defined based on end-user requirements. |
-
Similarly, create developer roles for project-2.
-
All OpenShift and NetApp storage resources are usually managed by a storage admin. Access for storage administrators is controlled by the trident operator role that is created when Trident is installed. In addition to this, the storage admin also requires access to ResourceQuotas to control how storage is consumed.
-
Create a role for managing ResourceQuotas in all projects in the cluster to attach it to storage admin.
cat << EOF | oc create -f - kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: resource-quotas-role rules: - verbs: - '*' apiGroups: - '' resources: - resourcequotas - verbs: - '*' apiGroups: - quota.openshift.io resources: - '*' EOF -
Make sure that the cluster is integrated with the organization’s identity provider and that user groups are synchronized with cluster groups. The following example shows that the identity provider has been integrated with the cluster and synchronized with the user groups.
$ oc get groups NAME USERS ocp-netapp-storage-admins ocp-netapp-storage-admin ocp-project-1 ocp-project-1-user ocp-project-2 ocp-project-2-user
-
Configure ClusterRoleBindings for storage admins.
cat << EOF | oc create -f - kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: netapp-storage-admin-trident-operator subjects: - kind: Group apiGroup: rbac.authorization.k8s.io name: ocp-netapp-storage-admins roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: trident-operator --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: netapp-storage-admin-resource-quotas-cr subjects: - kind: Group apiGroup: rbac.authorization.k8s.io name: ocp-netapp-storage-admins roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: resource-quotas-role EOF
|
|
For storage admins, two roles must be bound: trident-operator and resource-quotas. |
-
Create RoleBindings for developers binding the developer-project-1 role to the corresponding group (ocp-project-1) in project-1.
cat << EOF | oc create -f - kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: project-1-developer namespace: project-1 subjects: - kind: Group apiGroup: rbac.authorization.k8s.io name: ocp-project-1 roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: developer-project-1 EOF
-
Similarly, create RoleBindings for developers binding the developer roles to the corresponding user group in project-2.