@jcpowermac
Last active December 6, 2016 21:02
kind: Template
apiVersion: v1
metadata:
  name: "policy-roles-template"
  labels:
    createdBy: "policy-roles-template"
parameters:
- description: "The namespace to create roles in."
  name: NAMESPACE
  required: true
objects:
# Namespace-scoped Role: read-only access to pods and their log/status subresources.
- apiVersion: v1
  kind: Role
  metadata:
    creationTimestamp: null
    name: view-pod-only
  rules:
  - apiGroups:
    - ""
    attributeRestrictions: null
    resources:
    - pods
    verbs:
    - get
    - list
  - apiGroups:
    - ""
    attributeRestrictions: null
    resources:
    - pods/log
    - pods/status
    verbs:
    - get
    - list
# PolicyBinding is the OpenShift 3.x (pre-RBAC) container for a namespace's role bindings.
- apiVersion: v1
  kind: PolicyBinding
  metadata:
    name: "${NAMESPACE}:default"
  policyRef:
    namespace: ${NAMESPACE}
# Bind the Role to the namespace's default service account only. Adding
# groupNames: [system:authenticated] here would grant the role to every
# authenticated user, not just the service account.
- apiVersion: v1
  kind: RoleBinding
  metadata:
    creationTimestamp: null
    name: view-pod-only
  roleRef:
    name: view-pod-only
    namespace: ${NAMESPACE}
  subjects:
  - kind: ServiceAccount
    name: default
    namespace: ${NAMESPACE}
  userNames:
  - system:serviceaccount:${NAMESPACE}:default

Who am I logged in as?

➜  ~ oc describe policybinding -n default
Name:                                   :default
Namespace:                              default
Created:                                5 weeks ago
Labels:                                 <none>
Annotations:                            <none>
Last Modified:                          {2016-10-27 09:58:32 -0400 EDT}
Policy:                                 <none>
RoleBinding[cluster-admin]:              
                                        Role:                   cluster-admin
                                        Users:                  admin
                                        Groups:                 <none>
                                        ServiceAccounts:        <none>
                                        Subjects:               <none>
                                        ...

> $ oc whoami 
admin

To create the Role, PolicyBinding and RoleBinding:

> $ oc process -f policy-roles.yaml -v NAMESPACE='aos-debug-container' | oc create -f -
role "view-pod-only" created
policybinding "aos-debug-container:default" created
rolebinding "view-pod-only" created

oc login with the service account token from inside a pod (the pod has origin-clients installed):

sh-4.3$  oc login https://openshift.default.svc.cluster.local/ --certificate-authority /var/run/secrets/kubernetes.io/serviceaccount/ca.crt --token $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
Logged into "https://openshift.default.svc.cluster.local:443" as "system:serviceaccount:aos-debug-container:default" using the token provided.

What can system:serviceaccount:aos-debug-container:default do now?

sh-4.3$ oc policy can-i --list
Verbs          Non-Resource URLs   Extension   Resource Names   API Groups   Resources
[create get]   []                              []               []           [buildconfigs/webhooks]
[create]       []                              []               []           [builds/custom]
[create]       []                              []               []           [builds/docker]
[create]       []                              []               []           [builds/jenkinspipeline]
[create]       []                              []               []           [builds/source]
[create]       []                              []               []           [localsubjectaccessreviews]
[create]       []                              []               []           [selfsubjectrulesreviews]
[create]       []                              []               []           [subjectaccessreviews]
[delete]       []                              []               []           [oauthaccesstokens]
[delete]       []                              []               []           [oauthauthorizetokens]
[get list]     []                              []               []           [clusterroles]
# New rules based on new role
[get list]     []                              []               []           [pods]
[get list]     []                              []               []           [pods/log]
[get list]     []                              []               []           [pods/status]
#
[get]          []                              []               []           [imagestreams/layers]
[get]          []                              [~]              []           [users]
[get]          [/api]                          []               []           []
[get]          [/api]                          []               []           []
[get]          [/api/*]                        []               []           []
[get]          [/api/*]                        []               []           []
[get]          [/apis]                         []               []           []
[get]          [/apis]                         []               []           []
[get]          [/apis/*]                       []               []           []
[get]          [/apis/*]                       []               []           []
[get]          [/healthz]                      []               []           []
[get]          [/healthz/*]                    []               []           []
[get]          [/oapi]                         []               []           []
[get]          [/oapi]                         []               []           []
[get]          [/oapi/*]                       []               []           []
[get]          [/oapi/*]                       []               []           []
[get]          [/osapi]                        []               []           []
[get]          [/osapi]                        []               []           []
[get]          [/osapi/]                       []               []           []
[get]          [/osapi/]                       []               []           []
[get]          [/version]                      []               []           []
[get]          [/version]                      []               []           []
[get]          [/version/*]                    []               []           []
[get]          [/version/*]                    []               []           []
[list watch]   []                              []               []           [projects]
[list]         []                              []               []           [projectrequests]

List pods as system:serviceaccount:aos-debug-container:default

sh-4.3$ oc get pod
NAME                          READY     STATUS      RESTARTS   AGE
aos-debug-container-1-build   0/1       Error       0          22h
aos-debug-container-2-build   0/1       Completed   0          22h
aos-debug-container-3-build   0/1       Completed   0          22h
aos-debug-container-4-build   0/1       Completed   0          21h
aos-debug-container-5-1umbx   1/1       Running     0          18h
aos-debug-container-5-build   0/1       Error       0          18h
aos-debug-container-6-build   0/1       Completed   0          18h
aos-debug-container-7-build   0/1       Completed   0          18h