You should be modifying `Roles` and `RoleBindings`, not the `Policies`
directly.  Those exist for auditing capabilities.

On Fri, Mar 18, 2016 at 9:08 AM, Lorenz Vanthillo <
[email protected]> wrote:

> Thanks, we have the policy. We were searching in the documentation for it
> because the layout of the 'oc describe clusterPolicy default' command
> isn't that clear. The documentation isn't up to date about it but it's in
> our OpenShift:
>
> https://docs.openshift.org/latest/admin_guide/manage_authorization_policy.html
>
>
> Thank you.
>
> ------------------------------
> Date: Fri, 18 Mar 2016 08:10:43 -0400
> Subject: Re: policy for openshift user who can only push to openshift
> registry.
> From: [email protected]
> To: [email protected]
> CC: [email protected]; [email protected]
>
>
> We created `system:image-pusher` back in 1.1.1
> <https://github.com/openshift/origin/releases/tag/v1.1.1> with
> https://github.com/openshift/origin/pull/5962.  Check to make sure that
> your policy is up to date: `oadm policy reconcile-cluster-roles`.  By
> default that makes no changes.  If you approve of the changes it wants to
> make, you can use `--confirm`.
>
> On Fri, Mar 18, 2016 at 7:17 AM, Skarbek, John <[email protected]>
> wrote:
>
> I would love to know a good answer to this as well.
> Currently we create a service account called application_robot, similar
> to their documentation, this robot is dedicated to the appropriate
> namespace and is applied via the example:
> system:serviceaccount:default:application_robot.
> Our automation rips out that user's auth token and throws it in a Jenkins
> job. This allows us to log into the exposed docker registry using that
> token. It’s a service account so the auth should last forever. This
> bypasses the need to log into openshift as you currently do.
> But regarding your original question, I think even my solution, the robot
> account still has too much permission in the namespace as I only want him
> to push, but thus far it gets the job done.
>
>
>
> --
> John Skarbek
>
> On March 18, 2016 at 05:17:44, Lorenz Vanthillo (
> [email protected]) wrote:
>
> Hi,
>
> We have an origin 1.1.3 environment which is running a Jenkins CI-server.
> In a Jenkins job we're performing the following:
>
> - authenticate in OpenShift env to get token
> - login into openshift docker registry
> - push image into registry
>
> We don't really like the part where we need to authenticate in our OpenShift
> environment.
> At the moment Jenkins is authenticating with a user with the cluster-admin
> role.
> But we want to create an OpenShift user who's only able to push an image
> to a registry.
> Which policy do we have to give?
>
> We checked
> https://docs.openshift.com/enterprise/3.1/admin_guide/manage_authorization_policy.html
> There is a system:image-puller but nothing about pushing.
>
> Thanks
> _______________________________________________
> users mailing list
> [email protected]
>
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
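The setup the thread converges on, as an added example that is not code from the thread, the OpenShift project or any of the posters: a per-project service account bound only to the built-in `system:image-pusher` role, plus a small audit helper that flags any further bindings the account has picked up (the "still has too much permission" concern above). It assumes the OpenShift Origin 3.x CLI (`oc`, `oadm`), and the project name `myproject`, service account name `ci-pusher`, the `SAMPLE_ROLEBINDINGS` table and the `PUSHER_TOKEN` variable are placeholders constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the mailing-list thread. Least-privilege registry push
# for CI on OpenShift 3.x: one service account, one namespace-scoped binding to
# system:image-pusher, no cluster-admin. Names below are placeholders.
set -eu

# RoleBinding manifest that grants only system:image-pusher inside one project.
# The role is a built-in cluster role; the binding itself is namespace-scoped,
# so the account gains nothing outside ${project}.
pusher_rolebinding_yaml() {
  local project="$1" sa="$2"
  cat <<EOF
apiVersion: v1
kind: RoleBinding
metadata:
  name: ${sa}-image-pusher
  namespace: ${project}
roleRef:
  name: system:image-pusher
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${project}
EOF
}

# The same thing imperatively, emitted as a reviewable plan rather than run.
# reconcile-cluster-roles (from the thread) reports, without --confirm, whether
# the built-in roles such as system:image-pusher are up to date; -z binds the
# role to a service account and -n keeps the binding in the one project.
pusher_setup_plan() {
  local project="$1" sa="$2"
  printf '%s\n' \
    "oadm policy reconcile-cluster-roles" \
    "oc create serviceaccount ${sa} -n ${project}" \
    "oc policy add-role-to-user system:image-pusher -z ${sa} -n ${project}"
}

# Registry login for the CI job. The token is the service account's identity:
# it is read from the environment (populated from a credential store, never
# echoed into the job log) and passed as the password to the registry.
# Assumed: 'oc serviceaccounts get-token <sa>' is how the token was obtained.
registry_login() {
  local registry="$1"
  : "${PUSHER_TOKEN:?set PUSHER_TOKEN from a credential store}"
  docker login -u serviceaccount -p "${PUSHER_TOKEN}" "${registry}"
}

# Audit helper: reads the table printed by 'oc get rolebindings -n <project>'
# from stdin and prints the names of bindings that give the service account
# anything other than system:image-pusher. Empty output means least privilege.
extra_bindings_for_sa() {
  local sa="$1"
  grep -w -- "${sa}" | grep -v 'system:image-pusher' | awk '{print $1}' || true
}

# Constructed sample of that table (column layout assumed): the account was
# also given 'edit', which is more than a pusher needs.
SAMPLE_ROLEBINDINGS='NAME                     ROLE                   USERS   GROUPS   SERVICE ACCOUNTS   SUBJECTS
admin                    /admin                 alice
ci-pusher-image-pusher   /system:image-pusher                    ci-pusher
edit                     /edit                                   ci-pusher'

# Print the plan by default; only execute it when APPLY=1 and oc is installed.
main() {
  local project="${PROJECT:-myproject}" sa="${SA_NAME:-ci-pusher}"
  if [ "${APPLY:-0}" = "1" ] && command -v oc >/dev/null 2>&1; then
    pusher_setup_plan "$project" "$sa" | while read -r cmd; do eval "$cmd"; done
  else
    pusher_setup_plan "$project" "$sa"
  fi
  echo "# bindings beyond system:image-pusher in the sample table:"
  printf '%s\n' "$SAMPLE_ROLEBINDINGS" | extra_bindings_for_sa "$sa"
}

main "$@"
```

Run as-is it only prints the plan and the audit result for the sample table; set `APPLY=1` with a logged-in `oc` to apply it, and pipe the real `oc get rolebindings -n <project>` output into `extra_bindings_for_sa` periodically to catch bindings added later. Keep the token out of job parameters and console output: the registry authenticates on the token alone, so anyone who can read the Jenkins log can push.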