Authentication and Authorization

Question 1

What is an OpenShift User?

Answer 1

Users are entities that interact with the API server and are actors within the system. They get permissions by having roles assigned individually or via groups

Question 2

What is an OpenShift Identity?

Answer 2

A resource that keeps record of successful authentication attempts for a single user resource and identity provider

Question 3

What’s an OpenShift Service Account?

Answer 3

Enables you to control API access without using a regular users credentials.

Question 4

What is an OpenShift role

Answer 4

Roles define a set of permissions to enable users, service accounts and groups to perform API operations.

Question 5

What is a kubeconfig file?

Answer 5

It’s created during OpenShift installation in the …/auth directory that contain details and parameters used by the CLI to connect a client to the correct API server.

Question 6

How can you make use of the kubeconfig file so you can run OC commands without logging in to OpenShift?

Answer 6

$ export KUBECONFIG=/home/users/auth/kubeconfig
$ OC get nodes

Question 7

To improve cluster security what cluster-admin user should be removed (and how) after the identity provider is defined and a new cluster-admin has been created?

Answer 7

kubeadmin
$ oc delete secret kubeadmin -n kube-system

Question 8

What custom resource is added to the spec.identityProviders array in what yaml to use the HTpasswd identity provider and how?

Answer 8

Edit the oauth.yaml

apiVersion: config.openshift.ip/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: my_htpasswd_provider
mappingMethod: claim
type: HTPasswd
htpasswd:
filedata:
name: htpasswd-secret

Question 9

What are the commands to update and apply the OAuth custom resource after editing?

Answer 9

$ oc get oauth cluster -o yaml > oauth.yaml

$ oc replace -f oauth.yaml

Question 10

Command to create the HTPasswd file and first user names admin with a password of password?

Answer 10

$ htpasswd -c - B - b / tmp/ htpasswd admin password

Question 11

To use the HTPasswd provider, you must create a secret. Create a secret named htpasswd-secret where the htpasswd file is in /tmp

Answer 11

$ oc create secret generic htpasswd-secret —from-file htpasswd=/tmp/htpasswd -n openshift-config

Question 12

What command is run to update the HTPasswd secret (with a name htpasswd-secret and htpasswd data file in /tmp) after adding, changing or deleting a user?

Answer 12

$ oc set data secret/htpasswd-secret —from-file htpasswd=/tmp/htpasswd -n openshift-config

Question 13

How to get the contents of the clusterrole in the event you don’t know the exact role name of “cluster-admin”

Answer 13

Narrow it down by using grep:

$ oc describe clusterrole.rbac | grep ^Name | grep -v ‘system:’

Question 14

Command to set the rbac policy for the admins group to cluster-admin

Answer 14

$ oc adm policy add-cluster-role-to-group cluster-admin admins

Question 15

Command to give the group developers rbac edit on the cluster:

Answer 15

$ oc adm policy add-cluster-role-to-group view developers

Question 16

Command to give user1 view only on a namespace called tester-namespace:

Answer 16

$ oc adm policy add-role-to-user view user1 -n tester-namespace

Question 17

What’s the order to set up authentication with identity provider?

Answer 17

1) Create htpasswd file (with first user)
2) create secret on openshift-config
3) get oauth from the cluster and output it to oauth.yaml
4) edit the yaml to add the fileData
5) replace the existing oauth