diff --git a/_topic_maps/_topic_map_rosa_hcp.yml b/_topic_maps/_topic_map_rosa_hcp.yml index d7316875fc..6d0916f1af 100644 --- a/_topic_maps/_topic_map_rosa_hcp.yml +++ b/_topic_maps/_topic_map_rosa_hcp.yml 
@@ -472,6 +472,85 @@ Topics: - Name: Adding additional constraints for IP-based AWS role assumption File: rosa-adding-additional-constraints-for-ip-based-aws-role-assumption --- +Name: Authentication and authorization +Dir: authentication +Distros: openshift-rosa-hcp +Topics: +- Name: Authentication and authorization overview + File: index +- Name: Understanding authentication + File: understanding-authentication +# - Name: Configuring the internal OAuth server +# File: configuring-internal-oauth +# - Name: Configuring OAuth clients +# File: configuring-oauth-clients +- Name: Managing user-owned OAuth access tokens + File: managing-oauth-access-tokens +# - Name: Understanding identity provider configuration +# File: understanding-identity-provider +- Name: Configuring identity providers + File: sd-configuring-identity-providers +# - Name: Configuring identity providers +# Dir: identity_providers +# Topics: +# - Name: Configuring an htpasswd identity provider +# File: configuring-htpasswd-identity-provider +# - Name: Configuring a Keystone identity provider +# File: configuring-keystone-identity-provider +# - Name: Configuring an LDAP identity provider +# File: configuring-ldap-identity-provider +# - Name: Configuring a basic authentication identity provider +# File: configuring-basic-authentication-identity-provider +# - Name: Configuring a request header identity provider +# File: configuring-request-header-identity-provider +# - Name: Configuring a GitHub or GitHub Enterprise identity provider +# File: configuring-github-identity-provider +# - Name: Configuring a GitLab identity provider +# File: configuring-gitlab-identity-provider +# - Name: Configuring a Google identity provider +# File: configuring-google-identity-provider +# - Name: Configuring an OpenID Connect identity provider +# File: configuring-oidc-identity-provider +- Name: Using RBAC to define and apply permissions + File: using-rbac +# - Name: Removing the kubeadmin user +# File: remove-kubeadmin 
+#- Name: Configuring LDAP failover +# File: configuring-ldap-failover +- Name: Understanding and creating service accounts + File: understanding-and-creating-service-accounts +- Name: Using service accounts in applications + File: using-service-accounts-in-applications +- Name: Using a service account as an OAuth client + File: using-service-accounts-as-oauth-client +- Name: Assuming an AWS IAM role for a service account + File: assuming-an-aws-iam-role-for-a-service-account +- Name: Scoping tokens + File: tokens-scoping +- Name: Using bound service account tokens + File: bound-service-account-tokens +- Name: Managing security context constraints + File: managing-security-context-constraints +- Name: Understanding and managing pod security admission + File: understanding-and-managing-pod-security-admission +# - Name: Impersonating the system:admin user +# File: impersonating-system-admin +- Name: Syncing LDAP groups + File: ldap-syncing +# - Name: Managing cloud provider credentials +# Dir: managing_cloud_provider_credentials +# Topics: +# - Name: About the Cloud Credential Operator +# File: about-cloud-credential-operator +# - Name: Mint mode +# File: cco-mode-mint +# - Name: Passthrough mode +# File: cco-mode-passthrough +# - Name: Manual mode with long-term credentials for components +# File: cco-mode-manual +# - Name: Manual mode with short-term credentials for components +# File: cco-short-term-creds +--- Name: Upgrading Dir: upgrading Distros: openshift-rosa-hcp diff --git a/authentication/assuming-an-aws-iam-role-for-a-service-account.adoc b/authentication/assuming-an-aws-iam-role-for-a-service-account.adoc index 77eb779a24..3b6f55d07d 100644 --- a/authentication/assuming-an-aws-iam-role-for-a-service-account.adoc +++ b/authentication/assuming-an-aws-iam-role-for-a-service-account.adoc 
@@ -2,17 +2,17 @@ [id="assuming-an-aws-iam-role-for-a-service-account"] = Assuming an AWS IAM role for a service account include::_attributes/common-attributes.adoc[] -ifdef::openshift-rosa,openshift-dedicated[] +ifdef::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[] include::_attributes/attributes-openshift-dedicated.adoc[] -endif::openshift-rosa,openshift-dedicated[] +endif::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[] :context: assuming-an-aws-iam-role-for-a-service-account toc::[] [role="_abstract"] -ifdef::openshift-rosa[] +ifdef::openshift-rosa,openshift-rosa-hcp[] In {product-title} clusters that use the AWS Security Token Service (STS), the OpenShift API server can be enabled to project signed service account tokens that can be used to assume an AWS Identity and Access Management (IAM) role in a pod. If the assumed IAM role has the required AWS permissions, the pods can authenticate against the AWS API using temporary STS credentials to perform AWS operations. -endif::openshift-rosa[] +endif::openshift-rosa,openshift-rosa-hcp[] You can use the pod identity webhook to project service account tokens to assume an AWS Identity and Access Management (IAM) role for your own workloads. If the assumed IAM role has the required AWS permissions, the pods can run AWS SDK operations by using temporary STS credentials. 
@@ -37,6 +37,6 @@ include::modules/verifying-the-assumed-iam-role-in-your-pod.adoc[leveloffset=+2] * For more information about installing and using the AWS Boto3 SDK for Python, see the link:https://boto3.amazonaws.com/v1/documentation/api/latest/index.html[AWS Boto3 documentation]. -ifdef::openshift-rosa,openshift-dedicated[] +ifdef::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[] * For general information about webhook admission plugins for OpenShift, see link:https://docs.openshift.com/container-platform/4.18/architecture/admission-plug-ins.html#admission-webhooks-about_admission-plug-ins[Webhook admission plugins] in the OpenShift Container Platform documentation. -endif::openshift-rosa,openshift-dedicated[] +endif::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[] diff --git a/authentication/bound-service-account-tokens.adoc b/authentication/bound-service-account-tokens.adoc index dfd7b643c9..791036d2c5 100644 --- a/authentication/bound-service-account-tokens.adoc +++ b/authentication/bound-service-account-tokens.adoc @@ -21,9 +21,9 @@ include::modules/bound-sa-tokens-configuring-externally.adoc[leveloffset=+1] .Additional resources // This xref target does not exist in the OSD/ROSA docs. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * xref:../nodes/nodes/nodes-nodes-rebooting.adoc#nodes-nodes-rebooting-gracefully_nodes-nodes-rebooting[Rebooting a node gracefully] -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * xref:../authentication/understanding-and-creating-service-accounts.adoc#service-accounts-managing_understanding-service-accounts[Creating service accounts] diff --git a/authentication/index.adoc b/authentication/index.adoc index 7004a14172..54d98755b7 100644 --- a/authentication/index.adoc +++ b/authentication/index.adoc 
@@ -10,12 +10,12 @@ include::modules/authentication-authorization-common-terms.adoc[leveloffset=+1] [id="authentication-overview"] == About authentication in {product-title} To control access to an {product-title} cluster, -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] a cluster administrator -endif::openshift-dedicated,openshift-rosa[] -ifdef::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] an administrator with the `dedicated-admin` role -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] can configure xref:../authentication/understanding-authentication.adoc#understanding-authentication[user authentication] and ensure only approved users access the cluster. To interact with an {product-title} cluster, users must first authenticate to the {product-title} API in some way. You can authenticate by providing an xref:../authentication/understanding-authentication.adoc#rbac-api-authentication_understanding-authentication[OAuth access token or an X.509 client certificate] in your requests to the {product-title} API. 
@@ -25,11 +25,11 @@ To interact with an {product-title} cluster, users must first authenticate to th If you do not present a valid access token or certificate, your request is unauthenticated and you receive an HTTP 401 error. ==== -ifdef::openshift-dedicated,openshift-rosa[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] An administrator can configure authentication by configuring an identity provider. You can define any xref:../authentication/sd-configuring-identity-providers.adoc#understanding-idp-supported_sd-configuring-identity-providers[supported identity provider in {product-title}] and add it to your cluster. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] An administrator can configure authentication through the following tasks: * Configuring an identity provider: You can define any xref:../authentication/understanding-identity-provider.adoc#supported-identity-providers[supported identity provider in {product-title}] and add it to your cluster. @@ -50,7 +50,7 @@ When users send a request for an OAuth token, they must specify either a default * Managing cloud provider credentials using the xref:../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc#about-cloud-credential-operator[Cloud Credentials Operator]: Cluster components use cloud provider credentials to get permissions required to perform cluster-related tasks. * Impersonating a system admin user: You can grant cluster administrator permissions to a user by xref:../authentication/impersonating-system-admin.adoc#impersonating-system-admin[impersonating a system admin user]. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] [id="authorization-overview"] == About authorization in {product-title} 
@@ -68,25 +68,25 @@ You can manage authorization for {product-title} through the following tasks: * Creating a xref:../authentication/using-rbac.adoc#creating-local-role_using-rbac[local role] and assigning it to a user or group. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * Creating a cluster role and assigning it to a user or group: {product-title} includes a set of xref:../authentication/using-rbac.adoc#default-roles_using-rbac[default cluster roles]. You can create additional xref:../authentication/using-rbac.adoc#creating-cluster-role_using-rbac[cluster roles] and xref:../authentication/using-rbac.adoc#adding-roles_using-rbac[add them to a user or group]. -endif::openshift-dedicated,openshift-rosa[] -ifdef::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * Assigning a cluster role to a user or group: {product-title} includes a set of xref:../authentication/using-rbac.adoc#default-roles_using-rbac[default cluster roles]. You can xref:../authentication/using-rbac.adoc#adding-roles_using-rbac[add them to a user or group]. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * Creating a cluster-admin user: By default, your cluster has only one cluster administrator called `kubeadmin`. You can xref:../authentication/using-rbac.adoc#creating-cluster-admin_using-rbac[create another cluster administrator]. Before creating a cluster administrator, ensure that you have configured an identity provider. + [NOTE] ==== After creating the cluster admin user, xref:../authentication/remove-kubeadmin.adoc#removing-kubeadmin_removing-kubeadmin[delete the existing kubeadmin user] to improve cluster security. 
==== -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] -ifdef::openshift-rosa[] +ifdef::openshift-rosa,openshift-rosa-hcp[] * Creating cluster-admin and dedicated-admin users: The user who created the {product-title} cluster can grant access to other xref:../authentication/using-rbac.adoc#rosa-create-cluster-admins_using-rbac[`cluster-admin`] and xref:../authentication/using-rbac.adoc#rosa-create-dedicated-cluster-admins_using-rbac[`dedicated-admin`] users. -endif::openshift-rosa[] +endif::openshift-rosa,openshift-rosa-hcp[] ifdef::openshift-dedicated[] * Granting administrator privileges to users: You can xref:../authentication/using-rbac.adoc#osd-grant-admin-privileges_using-rbac[grant `dedicated-admin` privileges to users]. diff --git a/authentication/ldap-syncing.adoc b/authentication/ldap-syncing.adoc index 802f055b0f..a1bbda824c 100644 --- a/authentication/ldap-syncing.adoc +++ b/authentication/ldap-syncing.adoc @@ -9,9 +9,9 @@ toc::[] ifdef::openshift-enterprise,openshift-webscale,openshift-origin[] As an administrator, endif::[] -ifdef::openshift-dedicated,openshift-rosa[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] As an administrator with the `dedicated-admin` role, -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] you can use groups to manage users, change their permissions, and enhance collaboration. Your organization may have already created user groups and stored them in an LDAP server. {product-title} can sync 
@@ -20,15 +20,15 @@ your groups in one place. {product-title} currently supports group sync with LDAP servers using three common schemas for defining group membership: RFC 2307, Active Directory, and augmented Active Directory. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] For more information on configuring LDAP, see xref:../authentication/identity_providers/configuring-ldap-identity-provider.adoc#configuring-ldap-identity-provider[Configuring an LDAP identity provider]. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] -ifdef::openshift-dedicated,openshift-rosa[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] For more information on configuring LDAP, see xref:../authentication/sd-configuring-identity-providers.adoc#config-ldap-idp_sd-configuring-identity-providers[Configuring an LDAP identity provider]. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] ifdef::openshift-enterprise,openshift-webscale,openshift-origin[] [NOTE] @@ -36,12 +36,12 @@ ifdef::openshift-enterprise,openshift-webscale,openshift-origin[] You must have `cluster-admin` privileges to sync groups. ==== endif::[] -ifdef::openshift-dedicated,openshift-rosa[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] [NOTE] ==== You must have `dedicated-admin` privileges to sync groups. ==== -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] include::modules/ldap-syncing-about.adoc[leveloffset=+1] include::modules/ldap-syncing-config-rfc2307.adoc[leveloffset=+2] 
@@ -54,7 +54,7 @@ include::modules/ldap-syncing-running-subset.adoc[leveloffset=+2] include::modules/ldap-syncing-pruning.adoc[leveloffset=+1] // OSD and ROSA dedicated-admins cannot create the cluster roles and cluster role bindings required for this procedure. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] // Automatically syncing LDAP groups include::modules/ldap-auto-syncing.adoc[leveloffset=+1] @@ -63,7 +63,7 @@ include::modules/ldap-auto-syncing.adoc[leveloffset=+1] * xref:../authentication/identity_providers/configuring-ldap-identity-provider.adoc#configuring-ldap-identity-provider[Configuring an LDAP identity provider] * xref:../nodes/jobs/nodes-nodes-jobs.adoc#nodes-nodes-jobs-creating-cron_nodes-nodes-jobs[Creating cron jobs] -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] include::modules/ldap-syncing-examples.adoc[leveloffset=+1] include::modules/ldap-syncing-rfc2307.adoc[leveloffset=+2] diff --git a/authentication/managing-security-context-constraints.adoc b/authentication/managing-security-context-constraints.adoc index 0a67c077b5..94ac04555d 100644 --- a/authentication/managing-security-context-constraints.adoc +++ b/authentication/managing-security-context-constraints.adoc 
@@ -13,14 +13,14 @@ Default SCCs are created during installation and when you install some Operators [IMPORTANT] ==== Do not modify the default SCCs. Customizing the default SCCs can lead to issues when some of the platform pods deploy or -ifndef::openshift-rosa[] +ifndef::openshift-rosa,openshift-rosa-hcp[] {product-title} endif::[] -ifdef::openshift-rosa[] +ifdef::openshift-rosa,openshift-rosa-hcp[] ROSA -endif::openshift-rosa[] +endif::openshift-rosa,openshift-rosa-hcp[] is upgraded. Additionally, the default SCC values are reset to the defaults during some cluster upgrades, which discards all customizations to those SCCs. -ifdef::openshift-origin,openshift-enterprise,openshift-webscale,openshift-dedicated,openshift-rosa[] +ifdef::openshift-origin,openshift-enterprise,openshift-webscale,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] Instead of modifying the default SCCs, create and modify your own SCCs as needed. For detailed steps, see xref:../authentication/managing-security-context-constraints.adoc#security-context-constraints-creating_configuring-internal-oauth[Creating security context constraints]. endif::[] @@ -47,4 +47,9 @@ include::modules/security-context-constraints-command-reference.adoc[leveloffset [id="additional-resources_configuring-internal-oauth"] == Additional resources -* xref:../support/getting-support.adoc#getting-support[Getting support] \ No newline at end of file +ifndef::openshift-rosa-hcp[] +* xref:../support/getting-support.adoc#getting-support[Getting support] +endif::openshift-rosa-hcp[] +ifdef::openshift-rosa-hcp[] +* link:https://docs.openshift.com/rosa/support/getting-support.html[Getting support] +endif::openshift-rosa-hcp[] \ No newline at end of file diff --git a/authentication/sd-configuring-identity-providers.adoc b/authentication/sd-configuring-identity-providers.adoc index 1a55e98fd5..1c1f1f93d9 100644 --- a/authentication/sd-configuring-identity-providers.adoc 
+++ b/authentication/sd-configuring-identity-providers.adoc @@ -8,9 +8,9 @@ toc::[] After your {product-title} cluster is created, you must configure identity providers to determine how users log in to access the cluster. -ifdef::openshift-rosa[] +ifdef::openshift-rosa,openshift-rosa-hcp[] The following topics describe how to configure an identity provider using {cluster-manager} console. Alternatively, you can use the ROSA CLI (`rosa`) to configure an identity provider and access the cluster. -endif::openshift-rosa[] +endif::openshift-rosa,openshift-rosa-hcp[] include::modules/understanding-idp.adoc[leveloffset=+1] include::modules/identity-provider-parameters.adoc[leveloffset=+2] diff --git a/authentication/understanding-and-managing-pod-security-admission.adoc b/authentication/understanding-and-managing-pod-security-admission.adoc index d62ce6968c..c4ecac8a8f 100644 --- a/authentication/understanding-and-managing-pod-security-admission.adoc +++ b/authentication/understanding-and-managing-pod-security-admission.adoc 
@@ -34,14 +34,17 @@ include::modules/security-context-constraints-psa-label.adoc[leveloffset=+1] include::modules/security-context-constraints-psa-rectifying.adoc[leveloffset=+1] // OSD and ROSA dedicated-admin users cannot use the must-gather tool. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] // Identifying pod security violations include::modules/security-context-constraints-psa-alert-eval.adoc[leveloffset=+2] -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] [role="_additional-resources"] [id="additional-resources_managing-pod-security-admission"] == Additional resources +// Module not included in the HCP distro +ifndef::openshift-rosa-hcp[] * xref:../security/audit-log-view.adoc#nodes-nodes-audit-log-basic-viewing_audit-log-view[Viewing audit logs] +endif::openshift-rosa-hcp[] * xref:../authentication/managing-security-context-constraints.adoc#managing-pod-security-policies[Managing security context constraints] diff --git a/authentication/using-rbac.adoc b/authentication/using-rbac.adoc index 410f11dd3d..acefe675e3 100644 --- a/authentication/using-rbac.adoc +++ b/authentication/using-rbac.adoc @@ -18,7 +18,7 @@ include::modules/rbac-viewing-local-roles.adoc[leveloffset=+1] include::modules/rbac-adding-roles.adoc[leveloffset=+1] -ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa[] +ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] include::modules/rbac-creating-local-role.adoc[leveloffset=+1] include::modules/rbac-creating-cluster-role.adoc[leveloffset=+1] 
@@ -26,18 +26,18 @@ endif::[] include::modules/rbac-local-role-binding-commands.adoc[leveloffset=+1] -ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa[] +ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] include::modules/rbac-cluster-role-binding-commands.adoc[leveloffset=+1] endif::[] -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] include::modules/rbac-creating-cluster-admin.adoc[leveloffset=+1] -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] -ifdef::openshift-rosa[] +ifdef::openshift-rosa,openshift-rosa-hcp[] include::modules/rosa-create-cluster-admins.adoc[leveloffset=+1] include::modules/rosa-create-dedicated-cluster-admins.adoc[leveloffset=+1] -endif::openshift-rosa[] +endif::openshift-rosa,openshift-rosa-hcp[] ifdef::openshift-dedicated[] include::modules/osd-grant-admin-privileges.adoc[leveloffset=+1] diff --git a/modules/bound-sa-tokens-configuring.adoc b/modules/bound-sa-tokens-configuring.adoc index 5bca7522dc..d37c9a59a0 100644 --- a/modules/bound-sa-tokens-configuring.adoc +++ b/modules/bound-sa-tokens-configuring.adoc 
@@ -10,17 +10,17 @@ You can configure pods to request bound service account tokens by using volume p .Prerequisites -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `cluster-admin` role. -endif::openshift-dedicated,openshift-rosa[] -ifdef::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `dedicated-admin` role. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have created a service account. This procedure assumes that the service account is named `build-robot`. .Procedure -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] . Optional: Set the service account issuer. + This step is typically not required if the bound tokens are used only within the cluster. @@ -98,7 +98,7 @@ $ for I in $(oc get ns -o jsonpath='{range .items[*]} {.metadata.name}{"\n"} {en sleep 1; \ done ---- -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] . Configure a pod to use a bound service account token by using volume projection. diff --git a/modules/ldap-syncing-activedir.adoc b/modules/ldap-syncing-activedir.adoc index 3e497003b9..1cd791cd7e 100644 --- a/modules/ldap-syncing-activedir.adoc +++ b/modules/ldap-syncing-activedir.adoc 
@@ -48,12 +48,12 @@ during search and returned to the client, but not committed to the database. .Prerequisites * Create the configuration file. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `cluster-admin` role. -endif::openshift-dedicated,openshift-rosa[] -ifdef::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `dedicated-admin` role. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] .Procedure diff --git a/modules/ldap-syncing-augmented-activedir.adoc b/modules/ldap-syncing-augmented-activedir.adoc index 3a0fb8ab0a..0aeea93615 100644 --- a/modules/ldap-syncing-augmented-activedir.adoc +++ b/modules/ldap-syncing-augmented-activedir.adoc @@ -58,12 +58,12 @@ member: cn=Jim,ou=users,dc=example,dc=com .Prerequisites * Create the configuration file. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `cluster-admin` role. -endif::openshift-dedicated,openshift-rosa[] -ifdef::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `dedicated-admin` role. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] .Procedure diff --git a/modules/ldap-syncing-nesting.adoc b/modules/ldap-syncing-nesting.adoc index 3c6a885800..0d71219ab3 100644 --- a/modules/ldap-syncing-nesting.adoc +++ b/modules/ldap-syncing-nesting.adoc 
@@ -136,12 +136,12 @@ of https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx[`LDAP_MATCHIN .Prerequisites * Create the configuration file. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `cluster-admin` role. -endif::openshift-dedicated,openshift-rosa[] -ifdef::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `dedicated-admin` role. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] .Procedure diff --git a/modules/ldap-syncing-rfc2307-user-defined-error.adoc b/modules/ldap-syncing-rfc2307-user-defined-error.adoc index 312068c380..40b2f92076 100644 --- a/modules/ldap-syncing-rfc2307-user-defined-error.adoc +++ b/modules/ldap-syncing-rfc2307-user-defined-error.adoc @@ -118,12 +118,12 @@ member of a group is out of scope. .Prerequisites * Create the configuration file. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `cluster-admin` role. -endif::openshift-dedicated,openshift-rosa[] -ifdef::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `dedicated-admin` role. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] .Procedure diff --git a/modules/ldap-syncing-rfc2307.adoc b/modules/ldap-syncing-rfc2307.adoc index 96acc2000e..9154e526e6 100644 --- a/modules/ldap-syncing-rfc2307.adoc +++ b/modules/ldap-syncing-rfc2307.adoc 
@@ -65,12 +65,12 @@ the group. .Prerequisites * Create the configuration file. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `cluster-admin` role. -endif::openshift-dedicated,openshift-rosa[] -ifdef::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `dedicated-admin` role. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] .Procedure diff --git a/modules/ldap-syncing-running-all-ldap.adoc b/modules/ldap-syncing-running-all-ldap.adoc index 85f2bab402..b60b044fbc 100644 --- a/modules/ldap-syncing-running-all-ldap.adoc +++ b/modules/ldap-syncing-running-all-ldap.adoc @@ -11,12 +11,12 @@ You can sync all groups from the LDAP server with {product-title}. .Prerequisites * Create a sync configuration file. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `cluster-admin` role. -endif::openshift-dedicated,openshift-rosa[] -ifdef::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `dedicated-admin` role. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] .Procedure diff --git a/modules/ldap-syncing-running-openshift.adoc b/modules/ldap-syncing-running-openshift.adoc index ae21e4d787..5ce8f353ee 100644 --- a/modules/ldap-syncing-running-openshift.adoc +++ b/modules/ldap-syncing-running-openshift.adoc 
@@ -12,12 +12,12 @@ LDAP server specified in the configuration file. .Prerequisites * Create a sync configuration file. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `cluster-admin` role. -endif::openshift-dedicated,openshift-rosa[] -ifdef::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `dedicated-admin` role. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] .Procedure diff --git a/modules/ldap-syncing-running-subset.adoc b/modules/ldap-syncing-running-subset.adoc index d2a3d55fae..9f5872596e 100644 --- a/modules/ldap-syncing-running-subset.adoc +++ b/modules/ldap-syncing-running-subset.adoc @@ -21,12 +21,12 @@ present in {product-title}. .Prerequisites * Create a sync configuration file. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `cluster-admin` role. -endif::openshift-dedicated,openshift-rosa[] -ifdef::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] * You have access to the cluster as a user with the `dedicated-admin` role. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] .Procedure diff --git a/modules/rbac-creating-local-role.adoc b/modules/rbac-creating-local-role.adoc index 10f919adf4..e97ed89f7d 100644 --- a/modules/rbac-creating-local-role.adoc +++ b/modules/rbac-creating-local-role.adoc 
@@ -4,7 +4,7 @@ // * post_installation_configuration/preparing-for-users.adoc :_mod-docs-content-type: PROCEDURE -ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa[] +ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] [id="creating-local-role_{context}"] = Creating a local role diff --git a/modules/rbac-overview.adoc b/modules/rbac-overview.adoc index 344f226f90..ac87676996 100644 --- a/modules/rbac-overview.adoc +++ b/modules/rbac-overview.adoc @@ -13,9 +13,9 @@ perform a given action within a project. ifdef::openshift-enterprise,openshift-webscale,openshift-origin[] Cluster administrators endif::[] -ifdef::openshift-dedicated,openshift-rosa[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] Administrators with the `dedicated-admin` role -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] can use the cluster roles and bindings to control who has various access levels to the {product-title} platform itself and all projects. Developers can use local roles and bindings to control who has access @@ -38,7 +38,7 @@ to multiple roles. |Bindings |Associations between users and/or groups with a role. |=== -ifdef::openshift-origin,openshift-enterprise,openshift-dedicated,openshift-rosa[] +ifdef::openshift-origin,openshift-enterprise,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] There are two levels of RBAC roles and bindings that control authorization: [cols="1,4",options="header"] @@ -171,7 +171,7 @@ apply to the user or their groups. . If no matching rule is found, the action is then denied by default. -ifdef::openshift-origin,openshift-enterprise,openshift-dedicated,openshift-rosa[] +ifdef::openshift-origin,openshift-enterprise,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] [TIP] ==== 
@@ -180,13 +180,13 @@ roles at the same time. ==== Project administrators can use the CLI to -endif::openshift-origin,openshift-enterprise,openshift-dedicated,openshift-rosa[] -ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa[] +endif::openshift-origin,openshift-enterprise,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] +ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] view local roles and bindings, -endif::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa[] +endif::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] including a matrix of the verbs and resources each are associated with. -ifdef::openshift-origin,openshift-enterprise,openshift-dedicated,openshift-rosa[] +ifdef::openshift-origin,openshift-enterprise,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] [IMPORTANT] ==== The cluster role bound to the project administrator is limited in a project @@ -195,9 +195,9 @@ through a local binding. It is not bound cluster-wide like the cluster roles gra Cluster roles are roles defined at the cluster level but can be bound either at the cluster level or at the project level. ==== -endif::openshift-origin,openshift-enterprise,openshift-dedicated,openshift-rosa[] +endif::openshift-origin,openshift-enterprise,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] -ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa[] +ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] [id="cluster-role-aggregations_{context}"] === Cluster role aggregation The default admin, edit, view, and cluster-reader cluster roles support 
diff --git a/modules/rbac-projects-namespaces.adoc b/modules/rbac-projects-namespaces.adoc index 9bfbfb7de2..ade42d4e32 100644 --- a/modules/rbac-projects-namespaces.adoc +++ b/modules/rbac-projects-namespaces.adoc @@ -54,19 +54,19 @@ Each project scopes its own set of: |=== -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] Cluster administrators -endif::openshift-dedicated,openshift-rosa[] -ifdef::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] Administrators with the `dedicated-admin` role -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] can create projects and delegate administrative rights for the project to any member of the user community. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] Cluster administrators -endif::openshift-dedicated,openshift-rosa[] -ifdef::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] +ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] Administrators with the `dedicated-admin` role -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] can also allow developers to create their own projects. Developers and administrators can interact with projects by using the CLI or the diff --git a/modules/rbac-viewing-cluster-roles.adoc b/modules/rbac-viewing-cluster-roles.adoc index b52243c7e0..a744f184d9 100644 --- a/modules/rbac-viewing-cluster-roles.adoc +++ b/modules/rbac-viewing-cluster-roles.adoc 
@@ -24,7 +24,7 @@ endif::[] . To view the cluster roles and their associated rule sets: + -ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa[] +ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] [source,terminal] ---- $ oc describe clusterrole.rbac @@ -224,7 +224,7 @@ endif::[] . To view the current set of cluster role bindings, which shows the users and groups that are bound to various roles: + -ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa[] +ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] [source,terminal] ---- $ oc describe clusterrolebinding.rbac diff --git a/modules/security-context-constraints-about.adoc b/modules/security-context-constraints-about.adoc index 46148fde22..20fca33625 100644 --- a/modules/security-context-constraints-about.adoc +++ b/modules/security-context-constraints-about.adoc 
@@ -36,14 +36,14 @@ The cluster contains several default security context constraints (SCCs) as desc [IMPORTANT] ==== Do not modify the default SCCs. Customizing the default SCCs can lead to issues when some of the platform pods deploy or -ifndef::openshift-rosa[] +ifndef::openshift-rosa,openshift-rosa-hcp[] {product-title} endif::[] -ifdef::openshift-rosa[] +ifdef::openshift-rosa,openshift-rosa-hcp[] ROSA -endif::openshift-rosa[] +endif::openshift-rosa,openshift-rosa-hcp[] is upgraded. Additionally, the default SCC values are reset to the defaults during some cluster upgrades, which discards all customizations to those SCCs. -ifdef::openshift-origin,openshift-enterprise,openshift-webscale,openshift-dedicated,openshift-rosa[] +ifdef::openshift-origin,openshift-enterprise,openshift-webscale,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] Instead of modifying the default SCCs, create and modify your own SCCs as needed. For detailed steps, see _Creating security context constraints_. endif::[] diff --git a/modules/security-context-constraints-pre-allocated-values.adoc b/modules/security-context-constraints-pre-allocated-values.adoc index 835cbf7a73..f28d304ee5 100644 --- a/modules/security-context-constraints-pre-allocated-values.adoc +++ b/modules/security-context-constraints-pre-allocated-values.adoc @@ -3,7 +3,7 @@ // * authentication/managing-security-context-constraints.adoc :_mod-docs-content-type: CONCEPT -ifdef::openshift-origin,openshift-enterprise,openshift-dedicated,openshift-rosa[] +ifdef::openshift-origin,openshift-enterprise,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] [id="security-context-constraints-pre-allocated-values_{context}"] = About pre-allocated security context constraints values diff --git a/modules/security-context-constraints-psa-opting.adoc b/modules/security-context-constraints-psa-opting.adoc index 0f8c938f4c..3a91040985 100644 --- a/modules/security-context-constraints-psa-opting.adoc 
+++ b/modules/security-context-constraints-psa-opting.adoc @@ -11,9 +11,9 @@ You can enable or disable automatic pod security admission synchronization for m [IMPORTANT] ==== You cannot enable pod security admission synchronization on -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] some -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] system-created namespaces. For more information, see _Pod security admission synchronization namespace exclusions_. ====
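Review bot: in the modules/rbac-creating-local-role.adoc hunk (`@@ -4,7 +4,7 @@`) the `ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]` line gets the new attribute, but the `endif` that closes it is outside the hunk. If that `endif` is the named form with the old list (`endif::openshift-enterprise,...,openshift-rosa[]`), Asciidoctor reports it as a mismatched preprocessor directive and does not pop the conditional, so everything after it in the rosa-hcp build stays inside the open block. Either update the matching `endif` in the same commit or switch it to the bare `endif::[]` form, which is what the `@@ -13,9` hunk of modules/rbac-overview.adoc already uses for its `openshift-enterprise,openshift-webscale,openshift-origin` block.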
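Review bot: in the second modules/rbac-overview.adoc hunk (`@@ -180,13 +180,13 @@`) the `ifdef` at `-171`/`+171` and its `endif` in this hunk are both updated consistently, but the final `ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]` that opens the `=== Cluster role aggregation` section has its `endif` beyond the visible context, as does the `ifdef::openshift-origin,...,openshift-rosa,openshift-rosa-hcp[]` in the `@@ -38,7` hunk. Please confirm both closers are bare `endif::[]` or are updated to the same attribute list, otherwise the rosa-hcp build will hit the mismatch described for rbac-creating-local-role.adoc.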
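Review bot: the two modules/rbac-viewing-cluster-roles.adoc hunks (`@@ -24,7` and `@@ -224,7`) each update an `ifdef` whose `endif` sits below the shown context, after the `$ oc describe clusterrole.rbac` and `$ oc describe clusterrolebinding.rbac` listings. The `endif::[]` visible in the hunk header context suggests this file uses bare closers, so it is probably fine, but a quick `grep -n 'endif::openshift' modules/rbac-viewing-cluster-roles.adoc` before merging would rule out a named `endif` that still lists only `openshift-rosa`.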
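Review bot: the modules/security-context-constraints-pre-allocated-values.adoc hunk (`@@ -3,7 +3,7 @@`) changes only the opening `ifdef::openshift-origin,openshift-enterprise,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]` at the top of the module; since this conditional wraps the whole concept module, its `endif` is at the end of the file and not in the diff. Same check as above: make sure that closer is bare or updated, or the entire module is silently dropped from (or left open in) the rosa-hcp output.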
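Review bot: in the modules/security-context-constraints-about.adoc hunk (`@@ -36,14 +36,14 @@`) the same sentence now mixes closer styles: `ifndef::openshift-rosa,openshift-rosa-hcp[]` is closed with a bare `endif::[]` while the sibling `ifdef::openshift-rosa,openshift-rosa-hcp[]` is closed with the named `endif::openshift-rosa,openshift-rosa-hcp[]`. Pick one form for the pair so the next attribute addition does not have to touch only one of them. Also worth confirming that the literal `ROSA` substituted for `{product-title}` is the wording wanted in the hosted control planes build, given the "Do not modify the default SCCs" warning now applies to that distro as well.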
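Review bot: the modules/security-context-constraints-psa-opting.adoc hunk (`@@ -11,9 +11,9 @@`) drops the word `some` for the rosa-hcp distro, so the rendered sentence becomes an unqualified "You cannot enable pod security admission synchronization on system-created namespaces." That is a stronger statement than the self-managed text makes; please confirm it is accurate for hosted control plane clusters, and that the `_Pod security admission synchronization namespace exclusions_` module the sentence points to is also built for openshift-rosa-hcp so readers can see which namespaces are excluded.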