Just the API/swagger docs. If you do an `oc get clusterrole/admin -o yaml`, you'll have a good starting point for building your own role.
On Thu, Aug 4, 2016 at 3:16 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:

> Got it. Thank you, sir.
>
> Any quick documentation I can refer to, to create roles and add the necessary
> permissions as we want? I'm not sure how easy or difficult it is to create a
> custom role and add this role to the robot.
>
> Keeping the 'admin' role as a backup strategy?
>
> --
> *Srinivas Kotaru*
>
> From: David Eads <[email protected]>
> Date: Thursday, August 4, 2016 at 11:59 AM
> To: skotaru <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: cluster-roles
>
> There is no pre-built role with precisely those permissions; you'd have to
> create your own role based on an existing one.
>
> You have to assign the "admin" role to the robot, otherwise he won't be
> able to add the requestor as a project-admin because it will fail an
> escalation check.
>
> On Thu, Aug 4, 2016 at 2:42 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:
>
>> David
>>
>> Thanks for the info. I'm still not clear: are you saying to provide the cluster
>> "admin" role to the robot account? My robot user/account should perform the
>> below jobs on all projects in the cluster:
>>
>> 1. Create/modify/delete projects
>> 2. Add/edit quota limits to projects (cpu/memory etc.)
>> 3. Add users to projects in the appropriate project roles (admin/edit/view)
>>
>> Can you help me understand what cluster role I need to add to this robot
>> user, so he has cluster-wide limited admin access to perform the above jobs?
>> One immediate solution is to add cluster 'admin', but as you said we are a
>> little hesitant; rather, we want to give the exact roles required for his job.
>>
>> Your help is highly appreciated ...
>>
>> --
>> *Srinivas Kotaru*
>>
>> From: David Eads <[email protected]>
>> Date: Thursday, August 4, 2016 at 11:31 AM
>> To: skotaru <[email protected]>
>> Cc: "[email protected]" <[email protected]>
>> Subject: Re: cluster-roles
>>
>> I don't think I'd have my robot use the `projectrequests` endpoint.
>> Instead, I'd grant my robot the power to
>>
>> 1. Create projects
>> 2. Update namespaces
>> 3. Create resourcequotas, limitranges
>> 4. Bind robot to "admin"
>>
>> Binding the robot to "admin" seems a little bit odd, but the rules for
>> binding roles to subjects require that the binder (robot in your case)
>> have at least all the permissions of the roles it's binding. This prevents
>> a binder from escalating privileges by granting more power to the bindee.
>>
>> On Thu, Aug 4, 2016 at 2:04 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:
>>
>>> Hi
>>>
>>> We want to disable default project creation by authenticated users and
>>> delegate it to a user. All users should go to a central provisioning
>>> system and ask for a project, project quota, and admin/edit/viewer
>>> members. Once the project is created, quotas are set up and the appropriate
>>> admin/edit and viewer members are added, the authenticated user can create
>>> apps themselves. Essentially we want to control the initial project, quota,
>>> and project members.
>>>
>>> We don't want to give cluster-admin and admin to this generic user being
>>> used by the orchestration system, and want to limit its capabilities by
>>> using the OSE 3.x roles features.
>>>
>>> This is my understanding:
>>>
>>> oadm policy remove-cluster-role-from-group self-provisioner system:authenticated
>>>
>>> oadm policy add-cluster-role-to-user self-provisioner <robot user>
>>>
>>> Questions:
>>>
>>> What other roles are needed by the robot user to set up quotas on projects
>>> and add users as admin/edit and viewers to projects?
>>>
>>> The `oc describe clusterPolicyBindings :default` command lists existing
>>> roles starting with system-*, but I'm not sure which roles are really
>>> required to perform the above jobs.
>>>
>>> Can you help here?
>>>
>>> --
>>> *Srinivas Kotaru*
>>>
>>> _______________________________________________
>>> users mailing list
>>> [email protected]
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
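The four permissions David lists, written out as a custom ClusterRole, plus the cluster-wide `admin` binding that satisfies the escalation check he describes. This is an added example, not anything posted in the thread: the role name `project-provisioner` and the robot's user name are placeholders, and it uses the Kubernetes `rbac.authorization.k8s.io/v1` API group (OSE 3.x of the time expressed the same `rules` block as an `apiVersion: v1` ClusterRole).

```yaml
# Added example, not from the thread. Least-privilege role for the
# provisioning robot; role name and "<robot user>" are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: project-provisioner
rules:
  # 1. Create projects (delete included, per the original requirement).
  #    "" is the legacy OSE 3.x group, project.openshift.io the current one.
  - apiGroups: ["", "project.openshift.io"]
    resources: ["projects"]
    verbs: ["get", "list", "create", "delete"]
  # 2. Update namespaces (display name, description, annotations).
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "update", "patch"]
  # 3. Create and maintain quotas and limit ranges; the built-in "admin"
  #    role cannot modify quota, so this is not covered by the binding below.
  - apiGroups: [""]
    resources: ["resourcequotas", "limitranges"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
  # 4. Manage rolebindings so the robot can hand out admin/edit/view.
  - apiGroups: ["", "rbac.authorization.k8s.io", "authorization.openshift.io"]
    resources: ["rolebindings"]
    verbs: ["get", "list", "create", "update", "delete"]
---
# Escalation check: the binder must already hold every permission of the
# role it binds, so the robot itself needs "admin" (which also covers the
# edit and view rules). Cluster-wide is what makes per-project bindings
# succeed; it is the widest grant here and the one to audit.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: project-provisioner-robot-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
  - kind: User
    name: "<robot user>"
```

Bind the custom role itself with the same command form the thread uses for self-provisioner: `oadm policy add-cluster-role-to-user project-provisioner <robot user>`.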
