RBAC for Namespaces

⏱️ Estimated Time: 5 Minutes

👨‍💻 Role: Cluster Administrator

Verify Namespace Access

At this point, you’ve successfully created two Namespaces by synchronising resources using Argo CD. Verify that you can access them:

  1. Login to the OpenShift Web Console.

  2. Select the Administrator perspective.

  3. Scroll down and find the Home > Projects section using the side-menu.

    A Project in OpenShift is a Kubernetes Namespace with some extra annotations. For all intents and purposes, you can treat an OpenShift "Project" as analogous to a "Namespace" during this workshop.

  4. Find the project-memes-dev Namespace as shown.

    ex4.openshift ui meme projects

Great! Now try doing the same thing again, but as a user without the cluster-admin role:

  1. Log out of the OpenShift Web Console by clicking your username in the top-right corner, and clicking the Log out link that appears.

  2. From the OpenShift login screen select the standard-users provider, then login using:

    • Username: foo

    • Password: foopassword

  3. You should be redirected to the OpenShift Web Console. The Developer Perspective will be displayed by default.

  4. Dismiss the guided tour popup that appears.

  5. Click the Project dropdown, and note that the foo user is unable to see any projects!

ex4.openshift ui foo no projects

Configure User RBAC for Namespaces

You’ll need to grant some permissions to the user named foo so they can interact with the Namespace you just created. You can grant roles to users for a specific Namespace using a RoleBinding CR:

  1. Open your copy of the workshop GitHub repository (github.com/%USERID%/rht-summit-2023-gitops-cluster-mgmt), and open the GitHub editor using the period/dot shortcut key.

  2. Create a file named role.yaml in the managed-namespaces/overlays/project-memes-dev directory, and add the following content to the file:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: memes-dev-editors
      namespace: project-memes-dev
    roleRef:
      # The role being bound. In this case we're re-using the existing
      # edit role that's defined at cluster scope
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: edit
    subjects:
      # Make user "foo" a subject of this role, thus granting
      # them edit access in the project-memes-dev namespace
      - kind: User
        name: foo
        namespace: project-memes-dev
  3. Update managed-namespaces/overlays/project-memes-dev/kustomization.yaml file to reference the new role.yaml file:

    bases:
    - ../../base
    - role.yaml
  4. The resulting files should look like this:

    ex4.github ide role namespace
  5. Commit and push the change using the Source Control section of the GitHub editor.

  6. Return to the Argo CD dashboard and wait for the managed-namespaces project to synchronise, or use the Refresh button to trigger a Git pull and synchronisation.

Once the synchronisation is complete, the foo user should be able to view and interact with the project-memes-dev Namespace:

ex4.openshift ui foo edit dev

Summary

Congratulations! In this module you learned how to:

  • Use Kustomize to create resources from YAML templates.

  • Create Argo CD Applications directly from the terminal using kubectl/oc.

  • Grant permissions to the Argo CD Service Account.

  • Manage user permissions using Roles and RoleBindings, synchronised via Argo CD.