Allow Pods in One Project to Reference Images in Another Project

Mindwatering Incorporated

Author: Tripp W Black

Created: 05/20 at 12:08 PM

 

Category:
RH OpenShift
Reference

Task:
Allow pods in the first project (project-one) to pull images from a second project (project-two).
First Project: project-one
Second Project: project-two
Existing Role: system:image-puller
New Service Account Group: project-one-imagepullgroup
New Service Account: project-one-image-puller

Notes:
- Syntax: oc policy add-role-to-user <role> <user_id> -n <project_name>
- For the namespace, either --namespace or -n
- For the command, use either oc adm policy or oc policy

Important:
- The user must exist already. OCP authenticates through identity providers (IDPs), typically an LDAP or OpenID source; personal development clusters commonly use the htpasswd IDP backed by a local htpasswd file of users and passwords.
- Create the user in the IDP first, then bind the user to the desired role(s) on the cluster.
- After cluster installation, the kubeadmin account exists so you can create the first cluster-admin accounts. You can use kubeadmin or another cluster-admin account to add the user.


Steps:
1. Login:
$ oc login https://<myocp.mindwatering.net>:<port - e.g. 6443> --token=<token>

Note:
Or log in with a username and password instead of a token.


2. List users and roles in projects:
$ oc get rolebindings -n project-one
<review roles with users output>

$ oc get rolebindings -n project-two
<review roles with users output>

$ oc get rolebindings system:image-puller -n project-two
<review current users/groups that have the system:image-puller role>


3. Create the group project-one-imagepullgroup and add the new OpenID or LDAP user project-one-image-puller to it:
$ oc adm groups new project-one-imagepullgroup

$ oc adm groups add-users project-one-imagepullgroup project-one-image-puller


4a. Give the group project-one-imagepullgroup access to project-two by binding it to the cluster role system:image-puller (this creates a rolebinding in project-two):
$ oc policy add-role-to-group system:image-puller project-one-imagepullgroup -n project-two
<confirm output - e.g. clusterrole.rbac.authorization.../system:image-puller added: "project-one-imagepullgroup">

or

4b. Give access to project-two to just the new user project-one-image-puller:
$ oc policy add-role-to-user system:image-puller project-one-image-puller -n project-two
<confirm output - e.g. clusterrole.rbac.authorization.../system:image-puller added: "project-one-image-puller">
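The declarative equivalent of steps 3 and 4a, as an added example that is not part of the original note: the Group and RoleBinding manifests (apply with oc apply -f), plus a pod in project-one that pulls through the cluster's internal registry. The binding name, pod name, and the imagestream/tag are placeholders, not values from the note.

```yaml
# Step 3 as a manifest: the group and its member user (the user must already exist in the IDP).
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  name: project-one-imagepullgroup
users:
  - project-one-image-puller
---
# Step 4a as a manifest: a namespaced RoleBinding in project-two to the
# cluster role system:image-puller. Only pull (get/list) on imagestreams is granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: project-one-image-puller-binding   # placeholder binding name
  namespace: project-two
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:image-puller
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: project-one-imagepullgroup
  # A running pod pulls with its service account, not with an IDP user. To let pods
  # in project-one pull directly, the subject would instead be that service account
  # (kind: ServiceAccount, name: default, namespace: project-one) or the group
  # system:serviceaccounts:project-one.
---
# A pod in project-one referencing an image from project-two via the internal registry.
apiVersion: v1
kind: Pod
metadata:
  name: cross-project-pull-example   # placeholder pod name
  namespace: project-one
spec:
  containers:
    - name: app
      image: image-registry.openshift-image-registry.svc:5000/project-two/<imagestream>:<tag>
```

Verify the binding afterwards with oc get rolebinding -n project-two -o wide, which lists the role and subjects for each binding.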

