@sub-mod
Last active October 15, 2018 21:39
Create CRD Object as Project-admin in Openshift

Creating the CRD and the ClusterRole both require cluster-admin; only the CRD objects (instances of the custom resource) are created by the project-admin.

Create the CRD (just the definition) as cluster-admin:

cat > crd.yaml << EOF
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: crontabs.stable.example.com
spec:
  group: stable.example.com
  version: v1
  scope: Namespaced
  names:
    plural: crontabs
    singular: crontab
    kind: CronTab
    shortNames:
    - ct
EOF

Create a ClusterRole. We use a feature called aggregated ClusterRoles to let a project-admin create CRD objects: the label below makes the built-in admin role pick up these rules, so we grant rights on the crontabs resource only, not on CRD definitions. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles

cat > cluster-role.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cron-operator-admin1
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
  - stable.example.com
  resources:
  - crontabs
  verbs:
  - "get"
  - "delete"
  - "watch"
  - "list"
  - "update"
  - "patch"
  - "create"
EOF
$ oc login -u system:admin

$ oc create -f cluster-role.yaml 
clusterrole.rbac.authorization.k8s.io "cron-operator-admin1" created

$ oc create -f crd.yaml 
customresourcedefinition.apiextensions.k8s.io "crontabs.stable.example.com" created

CRD objects can now be created by a project-admin.

$ oc login -u developer -p developer

Just to confirm that developer is not cluster-admin, I will try to remove the cluster-admin role from the user.

$ oc adm policy remove-cluster-role-from-user cluster-admin smodeel

cat > crd-instance.yaml << EOF
apiVersion: stable.example.com/v1
kind: CronTab
metadata:
  name: my-new-cron-object
spec:
  cronSpec: "* * * * /5"
  image: my-awesome-cron-image
EOF

Now the user can create, get and delete the CRD object without any cluster-level role:

$ oc create -f crd-instance.yaml 
crontab.stable.example.com "my-new-cron-object" created
$ oc get crontab.stable.example.com
NAME                 AGE
my-new-cron-object   4s
$ oc delete crontab.stable.example.com my-new-cron-object
crontab.stable.example.com "my-new-cron-object" deleted

====================

Errata (ignore): an earlier attempt that aggregates rights on the CRD definitions themselves (apiextensions.k8s.io/customresourcedefinitions) into admin, rather than on the crontabs resource. It is not needed for the steps above.

cat > cluster-role1.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: crontab-resource-admin
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - "get"
  - "delete"
  - "watch"
  - "list"
  - "update"
  - "patch"
  - "create"
EOF
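The following is an added example, not part of the gist: an offline simulation of what the aggregated ClusterRole above (and the errata variant) hands to a project-admin. It answers "can a project-admin do verb X on resource Y?" with the same wildcard and scope rules the RBAC authorizer applies, and flags any aggregated role whose rules mutate CRD definitions instead of custom-resource instances. The manifests are hand-transcribed from the gist into the dict form yaml.safe_load would return; the example assumes, as in OpenShift, that the built-in admin ClusterRole's aggregationRule selects on the aggregate-to-admin label, and that admin reaches the user through a RoleBinding in the project.

```python
# Added example (not from the gist): simulate ClusterRole aggregation and RBAC checks offline.

AGGREGATE_TO_ADMIN = "rbac.authorization.k8s.io/aggregate-to-admin"
CRD_MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

# cluster-role.yaml from the gist: rights on the custom resource (crontabs) itself.
CRON_OPERATOR_ADMIN1 = {
    "kind": "ClusterRole",
    "metadata": {"name": "cron-operator-admin1",
                 "labels": {AGGREGATE_TO_ADMIN: "true"}},
    "rules": [{"apiGroups": ["stable.example.com"],
               "resources": ["crontabs"],
               "verbs": ["get", "delete", "watch", "list", "update", "patch", "create"]}],
}

# cluster-role1.yaml (the errata variant): rights on the CRD *definitions*.
CRONTAB_RESOURCE_ADMIN = {
    "kind": "ClusterRole",
    "metadata": {"name": "crontab-resource-admin",
                 "labels": {AGGREGATE_TO_ADMIN: "true"}},
    "rules": [{"apiGroups": ["apiextensions.k8s.io"],
               "resources": ["customresourcedefinitions"],
               "verbs": ["get", "delete", "watch", "list", "update", "patch", "create"]}],
}

# Resource scope: crontabs is namespaced per the CRD's "scope: Namespaced";
# customresourcedefinitions are always cluster-scoped.
NAMESPACED = {("stable.example.com", "crontabs"): True,
              ("apiextensions.k8s.io", "customresourcedefinitions"): False}


def aggregated_rules(cluster_roles, label=AGGREGATE_TO_ADMIN):
    """Union of the rules the admin role picks up from roles carrying the label."""
    rules = []
    for role in cluster_roles:
        if role.get("metadata", {}).get("labels", {}).get(label) == "true":
            rules.extend(role.get("rules", []))
    return rules


def rule_matches(rule, verb, api_group, resource):
    """PolicyRule semantics: '*' is a wildcard in each of the three lists."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def can_i(cluster_roles, verb, api_group, resource, via_rolebinding=True):
    """Can a project-admin perform <verb> on <api_group>/<resource>?

    A RoleBinding only authorizes requests inside its namespace, so a rule on a
    cluster-scoped resource (such as a CRD definition) is ineffective when admin
    is bound per project; only a ClusterRoleBinding would make it count."""
    if via_rolebinding and not NAMESPACED.get((api_group, resource), True):
        return False
    return any(rule_matches(r, verb, api_group, resource)
               for r in aggregated_rules(cluster_roles))


def crd_definition_grants(cluster_roles):
    """Names of aggregated roles whose rules mutate CRD definitions rather than
    instances of a custom resource; these are the ones to review before applying."""
    flagged = []
    for role in cluster_roles:
        if role.get("metadata", {}).get("labels", {}).get(AGGREGATE_TO_ADMIN) != "true":
            continue
        for rule in role.get("rules", []):
            if any(rule_matches(rule, v, "apiextensions.k8s.io", "customresourcedefinitions")
                   for v in CRD_MUTATING_VERBS):
                flagged.append(role["metadata"]["name"])
                break
    return flagged


if __name__ == "__main__":
    roles = [CRON_OPERATOR_ADMIN1]
    print("create crontabs as project-admin:",
          can_i(roles, "create", "stable.example.com", "crontabs"))
    print("create CRD definitions as project-admin:",
          can_i(roles, "create", "apiextensions.k8s.io", "customresourcedefinitions"))
    print("roles that mutate CRD definitions:",
          crd_definition_grants(roles + [CRONTAB_RESOURCE_ADMIN]))
```

On a live cluster the equivalent runtime check is `oc auth can-i create crontabs.stable.example.com --as=developer -n <project>` (expected yes) next to `oc auth can-i create customresourcedefinitions --as=developer` (expected no); running the static check above over every aggregate-to-admin role before `oc create` catches the errata-style rule before it reaches the cluster.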