Thanks, we have the policy. We were searching in the documentation for it 
because the layout of the 'oc describe clusterPolicy default' command isn't 
that clear. The documentation isn't up to date about it but it's in our 
OpenShift:
https://docs.openshift.org/latest/admin_guide/manage_authorization_policy.html

Thank you.

Date: Fri, 18 Mar 2016 08:10:43 -0400
Subject: Re: policy for openshift user who can only push to openshift registry.
From: [email protected]
To: [email protected]
CC: [email protected]; [email protected]

We created `system:image-pusher` back in 1.1.1 with 
https://github.com/openshift/origin/pull/5962.  Check to make sure that your 
policy is up to date: `oadm policy reconcile-cluster-roles`.  By default that 
makes no changes.  If you approve of the changes it wants to make, you can use 
`--confirm`.
On Fri, Mar 18, 2016 at 7:17 AM, Skarbek, John <[email protected]> wrote:

I would love to know a good answer to this as well.

Currently we create a service account called application_robot, similar to 
their documentation. This robot is dedicated to the appropriate namespace and 
is applied via the example: 
system:serviceaccount:default:application_robot.

Our automation rips out that user's auth token and throws it in a Jenkins job. 
This allows us to log into the exposed docker registry using that token. It's a 
service account so the auth should last forever. This bypasses the need to log 
into openshift as you currently do.

But regarding your original question, I think that even with my solution the 
robot account still has too much permission in the namespace, as I only want it 
to push, but thus far it gets the job done.

-- 
John Skarbek

On March 18, 2016 at 05:17:44, Lorenz Vanthillo ([email protected]) 
wrote:

Hi,

We have an origin 1.1.3 environment which is running a Jenkins CI-server.

In a Jenkins job we're performing the following:

- authenticate in OpenShift env to get token
- login into openshift docker registry
- push image into registry

We don't really like the part where we need to authenticate in our OpenShift 
environment.

At the moment Jenkins is authenticating with a user with the cluster-admin role.

But we want to create an OpenShift user who's only able to push an image to a 
registry.

Which policy do we have to give?

We checked 
https://docs.openshift.com/enterprise/3.1/admin_guide/manage_authorization_policy.html

There is a system:image-puller but nothing about pushing.

Thanks


_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

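The procedure this thread converges on (a dedicated service account bound only to system:image-pusher in the project, its token used for docker login from the Jenkins job), as an added worked example that is not from any of the posters. Project, service-account, registry and image names are placeholders; the token lookup assumes the Origin 1.1.x tooling discussed here (newer releases have `oc serviceaccounts get-token`), and the policy check at the end is there because, as John notes, a robot with a broader role than it needs still "gets the job done", so the only way to know it is pusher-only is to ask the policy engine.

```shell
#!/bin/sh
# Added example (not from the thread): give a Jenkins robot the minimum
# OpenShift policy needed to push to the integrated registry, then verify it.
# Placeholder values, adjust to your environment:
PROJECT="${PROJECT:-ci}"                  # project that owns the imagestreams
ROBOT="${ROBOT:-jenkins-pusher}"          # service account used only for pushing
REGISTRY="${REGISTRY:-172.30.0.1:5000}"   # docker-registry service IP:port or exposed route
IMAGE="${IMAGE:-myapp}"                   # local image to push

# Fully-qualified subject name of a service account, the form used in role bindings
# (system:serviceaccount:<project>:<name>).
sa_subject() { printf 'system:serviceaccount:%s:%s\n' "$1" "$2"; }

# Image reference in the integrated registry: the path element after the registry
# must be the project the robot was granted the pusher role in.
image_ref() { printf '%s/%s/%s:%s\n' "$1" "$2" "$3" "$4"; }

# 1. Create a service account dedicated to pushing (ServiceAccount object via stdin).
create_robot() {
  oc create -n "$PROJECT" -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $ROBOT
EOF
}

# 2. Bind only system:image-pusher, scoped to this project. No edit/admin, and
#    certainly not cluster-admin as in the original Jenkins setup.
grant_pusher() {
  oc policy add-role-to-user system:image-pusher "$(sa_subject "$PROJECT" "$ROBOT")" -n "$PROJECT"
}

# 3. Read the token out of the SA's token secret. It does not expire, so treat it as
#    a password: store it as a Jenkins credential, never in job output, and rotate it
#    by deleting and recreating the service account.
robot_token() {
  secret=$(oc get sa "$ROBOT" -n "$PROJECT" \
    -o template --template='{{range .secrets}}{{.name}}{{"\n"}}{{end}}' | grep -m1 -- '-token-')
  oc get secret "$secret" -n "$PROJECT" -o template --template='{{.data.token}}' | base64 -d
}

# 4. Check the binding is as narrow as intended before handing the token to Jenkins.
verify_policy() {
  oc describe clusterrole system:image-pusher                  # what the role actually grants
  oc policy who-can update imagestreams/layers -n "$PROJECT"   # everyone who can push here
  # A pusher-only robot must not show up for unrelated verbs; flag it if it does.
  if oc policy who-can delete pods -n "$PROJECT" | grep -q "$(sa_subject "$PROJECT" "$ROBOT")"; then
    echo "WARNING: $ROBOT can delete pods in $PROJECT; it holds more than system:image-pusher" >&2
  fi
}

# 5. What the Jenkins job does: the username is ignored by the registry, the token is
#    the password (docker clients before 1.11 also required -e <any email>).
push_with_token() {
  token="$1"
  docker login -u unused -p "$token" "$REGISTRY"
  docker tag "$IMAGE" "$(image_ref "$REGISTRY" "$PROJECT" "$IMAGE" latest)"
  docker push "$(image_ref "$REGISTRY" "$PROJECT" "$IMAGE" latest)"
}

# Run the whole sequence only when explicitly asked: ./pusher.sh apply
if [ "${1:-}" = "apply" ]; then
  create_robot && grant_pusher && verify_policy
  push_with_token "$(robot_token)"
fi
```

Steps 1 to 4 are run once by an administrator; only step 5 and the token belong in the Jenkins job. If the project is ever renamed or the image pushed to another project, the pusher binding must be granted there too, since system:image-pusher is bound per project, not cluster-wide.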