From f6dabe3ca5f445ae61ae75e2a31b169cd2aaaf4f Mon Sep 17 00:00:00 2001
From: Ashley Hardin
Date: Thu, 2 May 2019 17:39:12 -0400
Subject: [PATCH] Adding Dedicated Admin content for Dedicated 4.1 doc set
---
 _topic_map.yml | 9 ++-
 .../dedicated-admin-role.adoc | 33 ++++++++
 .../dedicated-admin-granting-permissions.adoc | 14 ++++
 ...-logging-in-and-verifying-permissions.adoc | 75 +++++++++++++++++++
 ...ted-managing-dedicated-administrators.adoc | 30 ++++++++
 ...ated-managing-quotas-and-limit-ranges.adoc | 14 ++++
 .../dedicated-managing-service-accounts.adoc | 45 +++++++++++
 modules/managing-dedicated-readers-group.adoc | 30 ++++++++
 8 files changed, 249 insertions(+), 1 deletion(-)
 create mode 100644 administering_a_cluster/dedicated-admin-role.adoc
 create mode 100644 modules/dedicated-admin-granting-permissions.adoc
 create mode 100644 modules/dedicated-logging-in-and-verifying-permissions.adoc
 create mode 100644 modules/dedicated-managing-dedicated-administrators.adoc
 create mode 100644 modules/dedicated-managing-quotas-and-limit-ranges.adoc
 create mode 100644 modules/dedicated-managing-service-accounts.adoc
 create mode 100644 modules/managing-dedicated-readers-group.adoc
diff --git a/_topic_map.yml b/_topic_map.yml
index 46f27d671e54..41e3e7205790 100644
--- a/_topic_map.yml
+++ b/_topic_map.yml
@@ -40,7 +40,7 @@ Name: Architecture
 Dir: architecture
 Distros: openshift-enterprise,openshift-origin,openshift-dedicated
 Topics:
-- Name: OpenShift Container Platform architecture
+- Name: Product architecture
 File: architecture
 Distros: openshift-enterprise,openshift-origin,openshift-dedicated
 - Name: Abstraction layers and topology
@@ -57,6 +57,13 @@ Topics:
 File: customizations
 Distros: openshift-enterprise,openshift-origin
 ---
+Name: Administering a cluster
+Dir: administering_a_cluster
+Distros: openshift-dedicated
+Topics:
+- Name: The Dedicated admin role
+ File: dedicated-admin-role
+---
 Name: Web console
 Dir: web-console
 Distros: openshift-enterprise,openshift-origin,openshift-dedicated
diff --git a/administering_a_cluster/dedicated-admin-role.adoc b/administering_a_cluster/dedicated-admin-role.adoc
new file mode 100644
index 000000000000..cdf22788da2b
--- /dev/null
+++ b/administering_a_cluster/dedicated-admin-role.adoc
@@ -0,0 +1,33 @@
+[id="dedicated-administrator-role"]
+= The {product-title} admin role
+include::modules/common-attributes.adoc[]
+:context: dedicated-administrator
+toc::[]
+
+As an administrator of an {product-title} cluster, your account has additional
+permissions and access to all user-created projects in your organization's
+cluster. While logged in to an account with this role, the basic developer CLI
+(the `oc` command) allows you increased visibility and management capabilities
+over objects across projects, while the administrator CLI (commands under the
+`oc adm` command) allow you to complete additional operations.
+
+[NOTE]
+====
+While your account does have these increased permissions, the actual cluster
+maintenance and host configuration is still performed by the OpenShift
+Operations Team. If you would like to request a change to your cluster that you
+cannot perform using the administrator CLI, open a support case on the
+link:https://access.redhat.com/support/[Red Hat Customer Portal].
+====
+
+include::modules/dedicated-logging-in-and-verifying-permissions.adoc[leveloffset=+1]
+
+include::modules/dedicated-managing-dedicated-administrators.adoc[leveloffset=+1]
+
+include::modules/managing-dedicated-readers-group.adoc[leveloffset=+1]
+
+include::modules/dedicated-admin-granting-permissions.adoc[leveloffset=+1]
+
+include::modules/dedicated-managing-service-accounts.adoc[leveloffset=+1]
+
+include::modules/dedicated-managing-quotas-and-limit-ranges.adoc[leveloffset=+1]
diff --git a/modules/dedicated-admin-granting-permissions.adoc b/modules/dedicated-admin-granting-permissions.adoc
new file mode 100644
index 000000000000..a4c60534ddae
--- /dev/null
+++ b/modules/dedicated-admin-granting-permissions.adoc
@@ -0,0 +1,14 @@
+// Module included in the following assemblies:
+//
+// administering_a_cluster/dedicated-admin-role.adoc
+
+[id="dedicated-admin-granting-permissions{context}"]
+= Granting permissions to users or groups
+
+To grant permissions to other users or groups, you can add, or _bind_, a role to
+them using the following commands:
+
+----
+$ oc adm policy add-role-to-user
+$ oc adm policy add-role-to-group
+----
diff --git a/modules/dedicated-logging-in-and-verifying-permissions.adoc b/modules/dedicated-logging-in-and-verifying-permissions.adoc
new file mode 100644
index 000000000000..c48f70ba45c4
--- /dev/null
+++ b/modules/dedicated-logging-in-and-verifying-permissions.adoc
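Review bot: The `$ oc adm policy add-role-to-user` and `add-role-to-group` lines create a binding in whatever project the current `oc` context points at, and the paragraph above them never says so; for an account that can see every user project this is an easy way to bind `admin` in the wrong one. Suggest stating the scope and showing it explicitly, e.g. `$ oc adm policy add-role-to-user <role> <user> -n <project>`, and adding one sentence that `add-cluster-role-to-user` is the cluster-wide form and is not what is meant here. The role and subject placeholders do not appear after the command names in this view; if they are absent in the source too, they should be added.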
@@ -0,0 +1,75 @@
+// Module included in the following assemblies:
+//
+// administering_a_cluster/dedicated-admin-role.adoc
+
+[id="dedicated-admin-logging-in-verifying-permissions{context}"]
+= Logging in and verifying permissions
+
+You can log in as an {product-title} cluster administration via the web console
+or CLI, just as you would if you were an application developer.
+
+When you log into the web console, all user-created projects across the cluster
+are visible from the main *Projects* page.
+
+Use the standard `oc login` command to log in with the CLI:
+
+----
+$ oc login
+----
+
+All projects are visible using:
+
+----
+$ oc get projects
+----
+
+When your account has the `dedicated-cluster-admin` cluster role bound to it,
+you are automatically bound to the `dedicated-project-admin` for any new
+projects that are created by users in the cluster.
+
+To verify if your account has administrator privileges, run the following
+command against a user-created project to view its default role bindings. If you
+are a cluster administrator, you will see your account listed under subjects for
+the *dedicated-project-admin* role binding for the project:
+
+----
+$ oc describe rolebinding.rbac -n
+
+Name: admin
+Labels:
+Annotations:
+Role:
+ Kind: ClusterRole
+ Name: admin
+Subjects:
+ Kind Name Namespace
+ ---- ---- ---------
+ User fred@example.com <1>
+
+
+Name: dedicated-project-admin
+Labels:
+Annotations:
+Role:
+ Kind: ClusterRole
+ Name: dedicated-project-admin
+Subjects:
+ Kind Name Namespace
+ ---- ---- ---------
+ User alice@example.com <2>
+ User bob@example.com <2>
+...
+----
+<1> The `fred@example.com`user is a normal, project-scoped administrator for
+this project.
+<2> The `alice@example.com` and `bob@example.com` users are cluster
+administrators.
+
+To view details on your increased permissions, and the sets of
+verbs and resources associated with the `dedicated-cluster-admin` and
+`dedicated-project-admin` roles, run the following:
+
+----
+$ oc describe clusterrole.rbac dedicated-cluster-admin
+$ oc describe clusterrole.rbac dedicated-project-admin
+----
diff --git a/modules/dedicated-managing-dedicated-administrators.adoc b/modules/dedicated-managing-dedicated-administrators.adoc
new file mode 100644
index 000000000000..b4a7b22999bd
--- /dev/null
+++ b/modules/dedicated-managing-dedicated-administrators.adoc
@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+//
+// administering_a_cluster/dedicated-admin-role.adoc
+
+[id="dedicated-managing-administrators{context}"]
+= Managing {product-title} administrators
+
+Administrator roles are managed using a `dedicated-admins` group on the cluster.
+Existing members of this group can edit membership. To view a list of current
+dedicated administrators by user name, you can use the following command:
+
+----
+$ oc describe group dedicated-admins
+----
+
+To add a new member to the `dedicated-admins` group:
+
+----
+$ oc adm groups add-users dedicated-admins
+----
+
+To remove an existing user from the `dedicated-admins` group:
+
+----
+$ oc adm groups remove-users dedicated-admins
+----
+
+If this group is currently empty or if you need assistance editing group
+membership, open a support case on the
+link:https://access.redhat.com/support/[Red Hat Customer Portal].
diff --git a/modules/dedicated-managing-quotas-and-limit-ranges.adoc b/modules/dedicated-managing-quotas-and-limit-ranges.adoc
new file mode 100644
index 000000000000..4fe9b6189d63
--- /dev/null
+++ b/modules/dedicated-managing-quotas-and-limit-ranges.adoc
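Review bot: The check on the `$ oc describe rolebinding.rbac -n` line only proves that the account is a subject of that project's `dedicated-project-admin` binding, which the preceding paragraph says is added automatically for projects created after the cluster role is bound, so it may say nothing for a project that predates the binding or for an account whose group membership changed later; a direct query of the authorizer such as `$ oc auth can-i create rolebindings -n <project>` would confirm effective permissions regardless of how they were granted. Two wording fixes in the same hunk: "cluster administration via the web console" should read "cluster administrator", and callout <1> needs a space between the closing backtick and "user". The project placeholder after `-n` does not appear in this view; confirm it is present in the source. This hunk starts on the previous line of the page and ends here.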
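Review bot: `Existing members of this group can edit membership.` describes a self-administering group whose members gain visibility into every user project, and the module gives no guidance on keeping that set under control; suggest adding after it: `Keep this group as small as possible, review its membership regularly with oc describe group dedicated-admins, and remove users as soon as they no longer need cluster-wide access.` The add-users/remove-users commands here also do not say that they require `dedicated-admin` access, whereas the matching dedicated-readers module does, so the two should be aligned. The user placeholders after `dedicated-admins` on the add-users and remove-users lines do not appear in this view; confirm they are present in the source.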
@@ -0,0 +1,14 @@
+// Module included in the following assemblies:
+//
+// administering_a_cluster/dedicated-admin-role.adoc
+
+[id="dedicated-managing-quotas-and-limit-ranges{context}"]
+= Managing quotas and limit ranges
+
+As an administrator, you are able to view, create, and modify quotas limit
+ranges on other projects. This allows you to better constrain how compute
+resources and objects are consumed by users across the cluster.
+
+Defaults can be set for quotas and limit ranges for new projects at creation. To
+request such a change, open a support case on the
+https://access.redhat.com/support/[Red Hat Customer Portal].
diff --git a/modules/dedicated-managing-service-accounts.adoc b/modules/dedicated-managing-service-accounts.adoc
new file mode 100644
index 000000000000..999098138157
--- /dev/null
+++ b/modules/dedicated-managing-service-accounts.adoc
@@ -0,0 +1,45 @@
+// Module included in the following assemblies:
+//
+// administering_a_cluster/dedicated-admin-role.adoc
+
+[id="dedicated-managing-service-accounts{context}"]
+= Managing service accounts
+
+Service accounts are API objects that exist within each project. To manage
+service accounts, you can use the `oc` command with the `sa` or `serviceaccount`
+object type or use the web console.
+
+To get a list of existing service accounts in the current project, run:
+
+----
+$ oc get sa
+NAME SECRETS AGE
+builder 2 2d
+default 2 2d
+deployer 2 2d
+----
+
+To create a new service account, run:
+
+----
+$ oc create sa
+----
+
+As soon as a service account is created, two secrets are automatically added to
+it:
+
+* an API token
+* credentials for the OpenShift Container Registry
+
+These can be seen by describing the service account:
+
+----
+$ oc describe sa
+----
+
+The system ensures that service accounts always have an API token and registry
+credentials.
+
+The generated API token and registry credentials do not expire, but they can be
+revoked by deleting the secret. When the secret is deleted, a new one is
+automatically generated to take its place.
diff --git a/modules/managing-dedicated-readers-group.adoc b/modules/managing-dedicated-readers-group.adoc
new file mode 100644
index 000000000000..c602bff7dd1c
--- /dev/null
+++ b/modules/managing-dedicated-readers-group.adoc
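Review bot: The closing paragraph, `The generated API token and registry credentials do not expire`, should spell out the consequence: the token lives in a Secret in the project, so anyone who can read Secrets there (which the project-level `edit` and `admin` roles normally allow) holds a long-lived credential for that service account, and the only remediation is the delete-and-regenerate step described. Suggest adding after `revoked by deleting the secret.`: `Treat these secrets as long-lived credentials: limit who holds the admin or edit role in the project, and delete the secret to rotate the token whenever such access is removed or the token may have leaked.` The `oc create sa` and `oc describe sa` lines show no name argument in this view; confirm the placeholder is present in the source.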
@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+//
+// administering_a_cluster/dedicated-admin-role.adoc
+
+[id="dedicated-managing-dedicated-readers-group{context}"]
+= Managing the dedicated-readers group
+
+Users with a `dedicated-reader` role are granted edit and view access to the
+`dedicated-reader` project and view-only access to the other projects.
+
+To view a list of current dedicated readers by user name, you can use the
+following command:
+
+----
+$ oc describe group dedicated-readers
+----
+
+To add a new member to the `dedicated-readers` group, if you have
+`dedicated-admin` access:
+
+----
+$ oc adm groups add-users dedicated-readers
+----
+
+To remove an existing user from the `dedicated-readers` group, if you have
+`dedicated-admin` access:
+
+----
+$ oc adm groups remove-users dedicated-readers
+----
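Review bot: `view-only access to the other projects` is the entire description of a cluster-wide read role, and it leaves open whether that includes Secrets, pod logs or exec into pods, which is exactly what someone deciding who joins this group needs to know; suggest pointing at the role definition, as the logging-in module does for the admin roles, e.g. `To see exactly which verbs and resources the role grants, run oc describe clusterrole.rbac dedicated-reader.` (assuming `dedicated-reader` is a ClusterRole, as its name suggests). The module also uses three similar names, `dedicated-reader` (role and project), `dedicated-readers` (group) and `dedicated-admin` (access), so one sentence stating which is which, and that the membership commands presumably need a member of the `dedicated-admins` group, would avoid confusion. The user placeholders after `dedicated-readers` on the add-users and remove-users lines do not appear in this view.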