
conjur-authenticator rolebinding requires elevated privileges to create #11

Open
jodyhuntatx opened this issue Aug 3, 2018 · 2 comments

Comments

@jodyhuntatx
Contributor

jodyhuntatx commented Aug 3, 2018

$ oc whoami
developer

$ oc get clusterrolebindings
Error from server (Forbidden): clusterrolebindings.authorization.openshift.io is forbidden: User "developer" cannot list clusterrolebindings.authorization.openshift.io at the cluster scope: User "developer" cannot list all clusterrolebindings.authorization.openshift.io in the cluster

$ ./3_create_test_app_namespace.sh
+ set -euo pipefail
+ . utils.sh
++ PLATFORM=openshift
++ '[' openshift = kubernetes ']'
++ '[' openshift = openshift ']'
++ cli=oc
+ announce 'Creating Test App namespace.'
+ echo ++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++
+ echo ''

+ echo 'Creating Test App namespace.'
Creating Test App namespace.
+ echo ''

+ echo ++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++
+ set_namespace default
+ [[ 1 != 1 ]]
++ oc config current-context
+ oc config set-context jodyapp/192-168-99-100:8443/developer --namespace=default
+ has_namespace jodyapp
+ oc get namespace jodyapp
+ true
+ echo 'Namespace '''jodyapp''' exists, not going to create it.'
Namespace 'jodyapp' exists, not going to create it.
+ set_namespace jodyapp
+ [[ 1 != 1 ]]
++ oc config current-context
+ oc config set-context jodyapp/192-168-99-100:8443/developer --namespace=jodyapp
+ oc delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding
+ sed -e 's#{{ TEST_APP_NAMESPACE_NAME }}#jodyapp#g' ./openshift/test-app-conjur-authenticator-role-binding.yml
+ sed -e 's#{{ CONJUR_NAMESPACE_NAME }}#conjur#g'
+ oc create -f -
Error from server (NotFound): error when creating "STDIN": rolebindings "conjur-authenticator" not found

@jodyhuntatx
Contributor Author

jodyhuntatx commented Aug 3, 2018

"developer" is the same user that deployed the Conjur cluster, but needs some extra privilege to create the role binding in the application namespace. Logging in as system:admin allows creation of the role binding without error.

@jodyhuntatx jodyhuntatx changed the title conjur-authenticator role not added before referenced conjur-authenticator role requires elevated privileges to create Aug 3, 2018
@jodyhuntatx jodyhuntatx changed the title conjur-authenticator role requires elevated privileges to create conjur-authenticator rolebinding requires elevated privileges to create Aug 3, 2018
@jodyhuntatx
Contributor Author

$ oc adm policy add-role-to-user cluster-admin $USER -n $TEST_APP_NAMESPACE_NAME

The above grants a user sufficient privilege to create the cluster rolebinding w/o using system:admin. However this will no doubt raise some concerns for general deployment.

We really need to prescribe the roles and workflow needed to:
a) deploy/manage the Conjur cluster
b) set up application deployments
c) deploy applications.
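
A least-privilege alternative to the cluster-admin grant above, added here as an example and not taken from the issue or the Conjur project: a namespace-scoped Role that lets the deploying user manage RoleBindings only in the application namespace and bind the conjur-authenticator role, which is what Kubernetes RBAC's escalation check requires when the user does not itself hold that role's permissions. It assumes conjur-authenticator is a ClusterRole, that the cluster serves rbac.authorization.k8s.io/v1, and reuses the user and namespace names from the trace (developer, jodyapp).

```yaml
# Role scoped to the application namespace (TEST_APP_NAMESPACE_NAME in the
# script). It grants nothing outside this namespace, unlike cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: conjur-rolebinding-deployer
  namespace: jodyapp
rules:
# Create/delete the test-app RoleBinding the script manages.
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["rolebindings"]
  verbs: ["get", "list", "create", "delete"]
# RBAC refuses a RoleBinding whose roleRef carries permissions the caller
# lacks, unless the caller holds "bind" on that exact role. Restricting
# resourceNames keeps this from becoming a general escalation path.
# Assumption: conjur-authenticator is a ClusterRole; use resources: ["roles"]
# if the Conjur deployment creates it as a namespaced Role instead.
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  resourceNames: ["conjur-authenticator"]
  verbs: ["bind"]
---
# Bind the Role to the deploying user, again only in the app namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: conjur-rolebinding-deployer
  namespace: jodyapp
subjects:
- kind: User
  name: developer
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: conjur-rolebinding-deployer
  apiGroup: rbac.authorization.k8s.io
```

After applying this as an admin, `oc auth can-i create rolebindings -n jodyapp --as developer` should answer yes while `oc auth can-i create rolebindings -n conjur --as developer` stays no, which is the scope check cluster-admin cannot pass.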
