项目用户安全管理

目的

管理特定用户访问和创建工程的能力，并基于工程进行安全限制。

环境

• openshift v3.11.16/kubernetes v1.11.0

步骤

创建两个用户

# htpasswd -b /etc/origin/master/htpasswd user1 redhat
# htpasswd -b /etc/origin/master/htpasswd user2 redhat

常规用户移除创建 Project 的能力

$ oc login https://master.example.com:8443 -u admin -p admin

$ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth

常规用户登录创建用户

$ oc login https://master.example.com:8443 -u user1 -p redhat

$ oc new-project lab04
Error from server (Forbidden): You may not request a new project via this API.

管理员用户登录创建项目

$ oc login https://master.example.com:8443 -u admin -p admin

$ oc new-project lab04-user1
$ oc new-project lab04-user2

关联用户与项目

$ oc project lab04-user1
$ oc policy add-role-to-user admin user1

$ oc policy add-role-to-user edit user2

$ oc project lab04-user2
$ oc policy add-role-to-user edit user2

测试各个项目的用户访问权限

$ oc login https://master.example.com:8443 -u user1 -p redhat
$ oc project lab04-user1
$ oc project lab04-user2
error: You are not a member of project "lab04-user2".

$ oc login https://master.example.com:8443 -u user2 -p redhat
$ oc project lab04-user2
$ oc project lab04-user1
$ oc new-app --name=nginx --docker-image=registry.example.com/rhscl/nginx-112-rhel7:latest

降低特定项目的安全性限制

$ oc login https://master.example.com:8443 -u user1 -p redhat
$ oc project lab04-user1

$ oc create serviceaccount useroot

$ oc login https://master.example.com:8443 -u admin -p admin
$ oc project lab04-user1
$ oc adm policy add-scc-to-user anyuid -z useroot
scc "anyuid" added to: ["system:serviceaccount:lab04-user1:useroot"]

$ oc login https://master.example.com:8443 -u user2 -p redhat
$ oc project lab04-user1
$ oc patch dc/nginx --patch '{"spec":{"template":{"spec":{"serviceAccountName": "useroot"}}}}'