You can create any role you want. You could also look to see if the new `registry-editor` clusterrole does what you want.
On Tue, Mar 22, 2016 at 9:06 AM, Skarbek, John <[email protected]> wrote:

> I now remember why I didn’t use this role. The image-pusher doesn’t have
> the ability to also create an image stream. Hence my use of the edit role.
> If there were a policy strictly for creating image streams I could possibly
> combine that and the image pusher into a role that works for my use case.
>
> --
> John Skarbek
>
> On March 18, 2016 at 08:10:52, David Eads ([email protected]) wrote:
>
> We created `system:image-pusher` back in 1.1.1
> <https://github.com/openshift/origin/releases/tag/v1.1.1>
> with https://github.com/openshift/origin/pull/5962.
> Check to make sure that your policy is up to date:
> `oadm policy reconcile-cluster-roles`. By default that makes no changes.
> If you approve of the changes it wants to make, you can use `--confirm`.
>
> On Fri, Mar 18, 2016 at 7:17 AM, Skarbek, John <[email protected]>
> wrote:
>
>> I would love to know a good answer to this as well.
>>
>> Currently we create a service account called application_robot, similar
>> to their documentation, this robot is dedicated to the appropriate
>> namespace and is applied via the example: system:service
>> account:default:application_robot.
>>
>> Our automation rips out that user's auth token and throws it in a Jenkins
>> job. This allows us to log into the exposed docker registry using that
>> token. It’s a service account so the auth should last forever. This
>> bypasses the need to log into openshift as you currently do.
>>
>> But regarding your original question, I think even my solution, the robot
>> account still has too much permission in the namespace as I only want him
>> to push, but thus far it gets the job done.
>>
>> --
>> John Skarbek
>>
>> On March 18, 2016 at 05:17:44, Lorenz Vanthillo ([email protected]) wrote:
>>
>> Hi,
>>
>> We have an origin 1.1.3 environment which is running a Jenkins CI-server.
>> In a Jenkins job we're performing the following:
>>
>> - authenticate in OpenShift env to get token
>> - login into openshift docker registry
>> - push image into registry
>>
>> We don't really like the part we need to authenticate in our OpenShift
>> environment.
>> At the moment Jenkins is authenticating with a user with the
>> cluster-admin role.
>> But we want to create an OpenShift user who's only able to push an image
>> to a registry.
>> Which policy do we have to give?
>>
>> We checked
>> https://docs.openshift.com/enterprise/3.1/admin_guide/manage_authorization_policy.html
>> There is a system:image-puller but nothing about pushing
>>
>> Thanks
_______________________________________________ users mailing list [email protected] http://lists.openshift.redhat.com/openshiftmm/listinfo/users
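The trade-off discussed in this thread (image-pusher alone cannot create an image stream, while `edit` grants far more than pushing needs), as an added example that is not part of the original messages or of OpenShift's own code. The rule sets are assumptions: `system:image-pusher` is modelled as get/update on `imagestreams/layers`, `edit` is a simplified stand-in, and `imagestream-creator` is a hypothetical custom role.

```python
# Added example: compare candidate role bindings for a push-only CI service account.
# Every rule set below is a constructed assumption, not a dump from a real cluster.

# (verb, resource) pairs assumed necessary to push into a repository whose
# image stream does not exist yet.
REQUIRED = {
    ("create", "imagestreams"),
    ("get", "imagestreams/layers"),
    ("update", "imagestreams/layers"),
}

# Constructed probe set: the required actions plus actions a push-only
# account should not hold.
PROBES = REQUIRED | {
    ("get", "secrets"),
    ("delete", "pods"),
    ("update", "deploymentconfigs"),
    ("delete", "imagestreams"),
}

ROLES = {
    # Assumed contents of the built-in role.
    "system:image-pusher": [
        {"verbs": {"get", "update"}, "resources": {"imagestreams/layers"}},
    ],
    # Hypothetical custom role covering only the gap named in the thread.
    "imagestream-creator": [
        {"verbs": {"create"}, "resources": {"imagestreams"}},
    ],
    # Simplified stand-in for the broad namespace "edit" role.
    "edit": [
        {"verbs": {"get", "create", "update", "delete"},
         "resources": {"imagestreams", "imagestreams/layers", "secrets",
                       "pods", "deploymentconfigs"}},
    ],
}


def allows(rules, verb, resource):
    """True if any rule grants the verb on the resource ('*' is a wildcard)."""
    return any(
        (verb in r["verbs"] or "*" in r["verbs"])
        and (resource in r["resources"] or "*" in r["resources"])
        for r in rules
    )


def evaluate(role_names):
    """Return (missing required actions, excess probed actions) for a binding."""
    rules = [rule for name in role_names for rule in ROLES[name]]
    granted = {p for p in PROBES if allows(rules, *p)}
    return sorted(REQUIRED - granted), sorted(granted - REQUIRED)


if __name__ == "__main__":
    for binding in (["system:image-pusher"], ["edit"],
                    ["system:image-pusher", "imagestream-creator"]):
        missing, excess = evaluate(binding)
        print(binding, "missing:", missing, "excess:", excess)
```
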
