Lab 5.5 - Defining and Applying Permissions using RBAC

1. Log in to the cluster

oc login -u admin -p rahasia https://api.openshift.podX.io:6443

2. List all cluster role bindings that reference the self-provisioner cluster role

oc get clusterrolebinding -o wide \
  | grep -E 'NAME|self-provisioner'

3. Describe the self-provisioners cluster role binding

oc describe clusterrolebindings self-provisioners

4. Remove the self-provisioner cluster role from the system:authenticated:oauth group

oc adm policy remove-cluster-role-from-group \
  self-provisioner system:authenticated:oauth

5. Verify that the role binding has been removed

oc get clusterrolebinding -o wide \
  | grep -E 'NAME|self-provisioner'
oc describe clusterrolebindings self-provisioners

6. Log in as the leader user

oc login -u leader -p rahasia https://api.openshift.podX.io:6443

7. Create a new project. It should fail, since authenticated users no longer hold the self-provisioner role.

oc new-project authorization-rbac

8. Log in as the admin user

oc login -u admin -p rahasia https://api.openshift.podX.io:6443

9. Create a new project and grant project administration privileges to the leader user.

oc new-project authorization-rbac
oc policy add-role-to-user admin leader

10. Create groups and add their respective members

oc adm groups new dev-group
oc adm groups add-users dev-group developer
oc adm groups new qa-group
oc adm groups add-users qa-group qa-engineer

11. Review all existing groups

oc get groups

12. Log in as the leader user

oc login -u leader -p rahasia https://api.openshift.podX.io:6443

13. Assign write privileges for dev-group and read privileges for qa-group

oc policy add-role-to-group edit dev-group
oc policy add-role-to-group view qa-group

14. Review all role bindings

oc get rolebindings -o wide

15. As the developer user, try to create a new app

oc login -u developer -p rahasia https://api.openshift.podX.io:6443
oc new-app https://github.com/openshift/ruby-hello-world.git#beta4
oc status
oc get pods -w

16. Try to grant write privileges to the qa-engineer user. It should fail, because the edit role does not allow managing role bindings.

oc policy add-role-to-user edit qa-engineer

17. Verify that the qa-engineer user only has read privileges: listing deployments succeeds, scaling is forbidden

oc login -u qa-engineer -p rahasia https://api.openshift.podX.io:6443
oc get deployments
oc scale deployment ruby-hello-world --replicas 3

18. Log in as the admin user

oc login -u admin -p rahasia https://api.openshift.podX.io:6443

19. Restore self-provisioning by recreating the self-provisioners cluster role binding

oc adm policy add-cluster-role-to-group \
  --rolebinding-name self-provisioners \
  self-provisioner system:authenticated:oauth

20. Verify that the binding has been restored

oc get clusterrolebinding -o wide \
  | grep -E 'NAME|self-provisioner'
oc describe clusterrolebindings self-provisioners
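Added example (not part of the lab): the permissions granted in steps 9, 13 and 19, written as declarative manifests, which is the form you would keep in Git and audit instead of relying on imperative oc policy commands. The binding names below are chosen for this example and may differ from the ones oc policy generates.

```yaml
# Role bindings in the authorization-rbac project, equivalent to steps 9 and 13
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: leader-admin
  namespace: authorization-rbac
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin          # project admin: may manage role bindings in this namespace only
subjects:
- {kind: User, name: leader}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-group-edit
  namespace: authorization-rbac
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit           # read/write on workloads, but cannot grant roles (step 16 fails)
subjects:
- {kind: Group, name: dev-group}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: qa-group-view
  namespace: authorization-rbac
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view           # read-only: get/list deployments, no scale (step 17)
subjects:
- {kind: Group, name: qa-group}
---
# Cluster-wide binding recreated in step 19; absent, step 7 is denied
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: self-provisioners
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: self-provisioner
subjects:
- {kind: Group, name: system:authenticated:oauth}
```

Apply with oc apply -f as admin, then confirm the intended limits without switching logins, e.g. oc auth can-i create rolebindings -n authorization-rbac --as developer should answer no.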
