I would love to know a good answer to this as well. Currently we create a service account called application_robot, similar to their documentation. This robot is dedicated to the appropriate namespace and is applied via the example: system:serviceaccount:default:application_robot.

Our automation rips out that user's auth token and throws it in a Jenkins job. This allows us to log into the exposed Docker registry using that token. It's a service account, so the auth should last forever. This bypasses the need to log into OpenShift as you currently do.

But regarding your original question, I think even with my solution, the robot account still has too much permission in the namespace, as I only want him to push, but thus far it gets the job done.

--
John Skarbek

On March 18, 2016 at 05:17:44, Lorenz Vanthillo ([email protected]) wrote:

Hi,

We have an Origin 1.1.3 environment which is running a Jenkins CI server. In a Jenkins job we're performing the following:

- authenticate in the OpenShift env to get a token
- log in to the OpenShift Docker registry
- push an image into the registry

We don't really like the part where we need to authenticate in our OpenShift environment. At the moment Jenkins is authenticating with a user with the cluster-admin role. But we want to create an OpenShift user who's only able to push an image to a registry. Which policy do we have to give?

We checked https://docs.openshift.com/enterprise/3.1/admin_guide/manage_authorization_policy.html

There is a system:image-puller but nothing about pushing.

Thanks
_______________________________________________ users mailing list [email protected] http://lists.openshift.redhat.com/openshiftmm/listinfo/users
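
The setup discussed in this thread, sketched as an added example that is not part of either message: a dedicated service account bound only to OpenShift's default `system:image-builder` role (the push counterpart of `system:image-puller`), with its token fed to `docker login` on stdin. The namespace `ci`, the account name `jenkins-pusher`, the `robot` username, the `ROBOT_TOKEN` variable and the registry host are assumptions; commands are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the thread). Names, registry host and ROBOT_TOKEN
# are placeholders; system:image-builder is an OpenShift default role.

# Print the command (dry run) unless APPLY=1, in which case execute it.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# sa_subject NAMESPACE NAME -> fully qualified service account user name
sa_subject() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# provision_push_robot NAMESPACE NAME
# Creates the account and grants it only the image push role in NAMESPACE.
provision_push_robot() {
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo "usage: provision_push_robot NAMESPACE NAME" >&2; return 1
  fi
  case "$1$2" in
    *[!a-z0-9-]*) echo "invalid namespace or name" >&2; return 1 ;;
  esac
  run oc create serviceaccount "$2" -n "$1" &&
  run oc policy add-role-to-user system:image-builder \
      "$(sa_subject "$1" "$2")" -n "$1"
}

# registry_login REGISTRY
# Reads the service account token from ROBOT_TOKEN (e.g. a Jenkins secret)
# and passes it on stdin so it never shows up in the process list.
registry_login() {
  if [ -z "${ROBOT_TOKEN:-}" ]; then
    echo "ROBOT_TOKEN is not set" >&2; return 1
  fi
  printf '%s' "$ROBOT_TOKEN" |
    run docker login -u robot --password-stdin "$1"
}
```

Because a service account token does not expire on its own, revoking it means deleting the token secret or the account itself.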
