forked from openshift/openshift-docs
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adding Dedicated Admin content for Dedicated 4.1 doc set
- Loading branch information
1 parent
c080948
commit f6dabe3
Showing
8 changed files
with
249 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| [id="dedicated-administrator-role"] | ||
| = The {product-title} admin role | ||
| include::modules/common-attributes.adoc[] | ||
| :context: dedicated-administrator | ||
| toc::[] | ||
|
|
||
| As an administrator of an {product-title} cluster, your account has additional | ||
| permissions and access to all user-created projects in your organization's | ||
| cluster. While logged in to an account with this role, the basic developer CLI | ||
| (the `oc` command) allows you increased visibility and management capabilities | ||
| over objects across projects, while the administrator CLI (commands under the | ||
| `oc adm` command) allow you to complete additional operations. | ||
|
|
||
| [NOTE] | ||
| ==== | ||
| While your account does have these increased permissions, the actual cluster | ||
| maintenance and host configuration is still performed by the OpenShift | ||
| Operations Team. If you would like to request a change to your cluster that you | ||
| cannot perform using the administrator CLI, open a support case on the | ||
| link:https://access.redhat.com/support/[Red Hat Customer Portal]. | ||
| ==== | ||
|
|
||
| include::modules/dedicated-logging-in-and-verifying-permissions.adoc[leveloffset=+1] | ||
|
|
||
| include::modules/dedicated-managing-dedicated-administrators.adoc[leveloffset=+1] | ||
|
|
||
| include::modules/managing-dedicated-readers-group.adoc[leveloffset=+1] | ||
|
|
||
| include::modules/dedicated-admin-granting-permissions.adoc[leveloffset=+1] | ||
|
|
||
| include::modules/dedicated-managing-service-accounts.adoc[leveloffset=+1] | ||
|
|
||
| include::modules/dedicated-managing-quotas-and-limit-ranges.adoc[leveloffset=+1] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // administering_a_cluster/dedicated-admin-role.adoc | ||
|
|
||
| [id="dedicated-admin-granting-permissions{context}"] | ||
| = Granting permissions to users or groups | ||
|
|
||
| To grant permissions to other users or groups, you can add, or _bind_, a role to | ||
| them using the following commands: | ||
|
|
||
| ---- | ||
| $ oc adm policy add-role-to-user <role> <user_name> | ||
| $ oc adm policy add-role-to-group <role> <group_name> | ||
| ---- |
75 changes: 75 additions & 0 deletions
75
modules/dedicated-logging-in-and-verifying-permissions.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // administering_a_cluster/dedicated-admin-role.adoc | ||
|
|
||
| [id="dedicated-admin-logging-in-verifying-permissions{context}"] | ||
| = Logging in and verifying permissions | ||
|
|
||
| You can log in as an {product-title} cluster administration via the web console | ||
| or CLI, just as you would if you were an application developer. | ||
|
|
||
| When you log into the web console, all user-created projects across the cluster | ||
| are visible from the main *Projects* page. | ||
|
|
||
| Use the standard `oc login` command to log in with the CLI: | ||
|
|
||
| ---- | ||
| $ oc login <your_instance_url> | ||
| ---- | ||
|
|
||
| All projects are visible using: | ||
|
|
||
| ---- | ||
| $ oc get projects | ||
| ---- | ||
|
|
||
| When your account has the `dedicated-cluster-admin` cluster role bound to it, | ||
| you are automatically bound to the `dedicated-project-admin` for any new | ||
| projects that are created by users in the cluster. | ||
|
|
||
| To verify if your account has administrator privileges, run the following | ||
| command against a user-created project to view its default role bindings. If you | ||
| are a cluster administrator, you will see your account listed under subjects for | ||
| the *dedicated-project-admin* role binding for the project: | ||
|
|
||
| ---- | ||
| $ oc describe rolebinding.rbac -n <project_name> | ||
| Name: admin | ||
| Labels: <none> | ||
| Annotations: <none> | ||
| Role: | ||
| Kind: ClusterRole | ||
| Name: admin | ||
| Subjects: | ||
| Kind Name Namespace | ||
| ---- ---- --------- | ||
| User fred@example.com <1> | ||
| Name: dedicated-project-admin | ||
| Labels: <none> | ||
| Annotations: <none> | ||
| Role: | ||
| Kind: ClusterRole | ||
| Name: dedicated-project-admin | ||
| Subjects: | ||
| Kind Name Namespace | ||
| ---- ---- --------- | ||
| User alice@example.com <2> | ||
| User bob@example.com <2> | ||
| ... | ||
| ---- | ||
| <1> The `fred@example.com`user is a normal, project-scoped administrator for | ||
| this project. | ||
| <2> The `alice@example.com` and `bob@example.com` users are cluster | ||
| administrators. | ||
|
|
||
| To view details on your increased permissions, and the sets of | ||
| verbs and resources associated with the `dedicated-cluster-admin` and | ||
| `dedicated-project-admin` roles, run the following: | ||
|
|
||
| ---- | ||
| $ oc describe clusterrole.rbac dedicated-cluster-admin | ||
| $ oc describe clusterrole.rbac dedicated-project-admin | ||
| ---- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // administering_a_cluster/dedicated-admin-role.adoc | ||
|
|
||
| [id="dedicated-managing-administrators{context}"] | ||
| = Managing {product-title} administrators | ||
|
|
||
| Administrator roles are managed using a `dedicated-admins` group on the cluster. | ||
| Existing members of this group can edit membership. To view a list of current | ||
| dedicated administrators by user name, you can use the following command: | ||
|
|
||
| ---- | ||
| $ oc describe group dedicated-admins | ||
| ---- | ||
|
|
||
| To add a new member to the `dedicated-admins` group: | ||
|
|
||
| ---- | ||
| $ oc adm groups add-users dedicated-admins <user_name> | ||
| ---- | ||
|
|
||
| To remove an existing user from the `dedicated-admins` group: | ||
|
|
||
| ---- | ||
| $ oc adm groups remove-users dedicated-admins <user_name> | ||
| ---- | ||
|
|
||
| If this group is currently empty or if you need assistance editing group | ||
| membership, open a support case on the | ||
| link:https://access.redhat.com/support/[Red Hat Customer Portal]. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // administering_a_cluster/dedicated-admin-role.adoc | ||
|
|
||
| [id="dedicated-managing-quotas-and-limit-ranges{context}"] | ||
| = Managing quotas and limit ranges | ||
|
|
||
| As an administrator, you are able to view, create, and modify quotas limit | ||
| ranges on other projects. This allows you to better constrain how compute | ||
| resources and objects are consumed by users across the cluster. | ||
|
|
||
| Defaults can be set for quotas and limit ranges for new projects at creation. To | ||
| request such a change, open a support case on the | ||
| https://access.redhat.com/support/[Red Hat Customer Portal]. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // administering_a_cluster/dedicated-admin-role.adoc | ||
|
|
||
| [id="dedicated-managing-service-accounts{context}"] | ||
| = Managing service accounts | ||
|
|
||
| Service accounts are API objects that exist within each project. To manage | ||
| service accounts, you can use the `oc` command with the `sa` or `serviceaccount` | ||
| object type or use the web console. | ||
|
|
||
| To get a list of existing service accounts in the current project, run: | ||
|
|
||
| ---- | ||
| $ oc get sa | ||
| NAME SECRETS AGE | ||
| builder 2 2d | ||
| default 2 2d | ||
| deployer 2 2d | ||
| ---- | ||
|
|
||
| To create a new service account, run: | ||
|
|
||
| ---- | ||
| $ oc create sa <service-account-name> | ||
| ---- | ||
|
|
||
| As soon as a service account is created, two secrets are automatically added to | ||
| it: | ||
|
|
||
| * an API token | ||
| * credentials for the OpenShift Container Registry | ||
|
|
||
| These can be seen by describing the service account: | ||
|
|
||
| ---- | ||
| $ oc describe sa <service-account-name> | ||
| ---- | ||
|
|
||
| The system ensures that service accounts always have an API token and registry | ||
| credentials. | ||
|
|
||
| The generated API token and registry credentials do not expire, but they can be | ||
| revoked by deleting the secret. When the secret is deleted, a new one is | ||
| automatically generated to take its place. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // administering_a_cluster/dedicated-admin-role.adoc | ||
|
|
||
| [id="dedicated-managing-dedicated-readers-group{context}"] | ||
| = Managing the dedicated-readers group | ||
|
|
||
| Users with a `dedicated-reader` role are granted edit and view access to the | ||
| `dedicated-reader` project and view-only access to the other projects. | ||
|
|
||
| To view a list of current dedicated readers by user name, you can use the | ||
| following command: | ||
|
|
||
| ---- | ||
| $ oc describe group dedicated-readers | ||
| ---- | ||
|
|
||
| To add a new member to the `dedicated-readers` group, if you have | ||
| `dedicated-admin` access: | ||
|
|
||
| ---- | ||
| $ oc adm groups add-users dedicated-readers <user_name> | ||
| ---- | ||
|
|
||
| To remove an existing user from the `dedicated-readers` group, if you have | ||
| `dedicated-admin` access: | ||
|
|
||
| ---- | ||
| $ oc adm groups remove-users dedicated-readers <user_name> | ||
| ---- |