From 8e9cae1cca47c0d77cc569059f1b98353ff2aed7 Mon Sep 17 00:00:00 2001
From: Krzysztof Ostrowski
Date: Thu, 25 Apr 2024 14:01:15 +0200
Subject: [PATCH] add unauth grp restore
---
 .../impersonating-system-admin.adoc | 2 +
 .../managing-oauth-access-tokens.adoc | 3 +
 authentication/tokens-scoping.adoc | 2 +
 authentication/using-rbac.adoc | 2 +
 .../builds/triggering-builds-build-hooks.adoc | 9 ++-
 modules/builds-using-bitbucket-webhooks.adoc | 4 ++
 modules/builds-using-github-webhooks.adoc | 1 +
 modules/builds-using-gitlab-webhooks.adoc | 4 ++
 ...icated-users-cluster-role-binding-con.adoc | 29 ++++++++++
 ...henticated-users-cluster-role-binding.adoc | 57 +++++++++++++++++++
 .../unauthenticated-users-system-webhook.adoc | 54 ++++++++++++++++++
 .../preparing-for-users.adoc | 4 ++
 12 files changed, 170 insertions(+), 1 deletion(-)
 create mode 100644 modules/unauthenticated-users-cluster-role-binding-con.adoc
 create mode 100644 modules/unauthenticated-users-cluster-role-binding.adoc
 create mode 100644 modules/unauthenticated-users-system-webhook.adoc
diff --git a/authentication/impersonating-system-admin.adoc b/authentication/impersonating-system-admin.adoc
index 69f0c8625e..c9ea3d2cfe 100644
--- a/authentication/impersonating-system-admin.adoc
+++ b/authentication/impersonating-system-admin.adoc
@@ -11,3 +11,5 @@ include::modules/authentication-api-impersonation.adoc[leveloffset=+1]
 include::modules/impersonation-system-admin-user.adoc[leveloffset=+1]
 include::modules/impersonation-system-admin-group.adoc[leveloffset=+1]
+
+include::modules/unauthenticated-users-cluster-role-binding.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/authentication/managing-oauth-access-tokens.adoc b/authentication/managing-oauth-access-tokens.adoc
index 7995ff4dd3..6ad43641f0 100644
--- a/authentication/managing-oauth-access-tokens.adoc
+++ b/authentication/managing-oauth-access-tokens.adoc
@@ -16,3 +16,6 @@ include::modules/oauth-view-details-tokens.adoc[leveloffset=+1]
 // Deleting user-owned OAuth access tokens
 include::modules/oauth-delete-tokens.adoc[leveloffset=+1]
+
+// Adding unauthenticated groups to ClusterRoleBindings
+include::modules/unauthenticated-users-cluster-role-binding.adoc[leveloffset=+1]
diff --git a/authentication/tokens-scoping.adoc b/authentication/tokens-scoping.adoc
index 291b44877b..71b1b0c789 100644
--- a/authentication/tokens-scoping.adoc
+++ b/authentication/tokens-scoping.adoc
@@ -7,3 +7,5 @@ include::_attributes/common-attributes.adoc[]
 toc::[]
 include::modules/tokens-scoping-about.adoc[leveloffset=+1]
+
+include::modules/unauthenticated-users-cluster-role-binding.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/authentication/using-rbac.adoc b/authentication/using-rbac.adoc
index 3f31459865..410f11dd3d 100644
--- a/authentication/using-rbac.adoc
+++ b/authentication/using-rbac.adoc
@@ -42,3 +42,5 @@ endif::openshift-rosa[]
 ifdef::openshift-dedicated[]
 include::modules/osd-grant-admin-privileges.adoc[leveloffset=+1]
 endif::openshift-dedicated[]
+
+include::modules/unauthenticated-users-cluster-role-binding-con.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/cicd/builds/triggering-builds-build-hooks.adoc b/cicd/builds/triggering-builds-build-hooks.adoc
index 123549e06b..d983cf5337 100644
--- a/cicd/builds/triggering-builds-build-hooks.adoc
+++ b/cicd/builds/triggering-builds-build-hooks.adoc
@@ -12,6 +12,13 @@ include::modules/builds-triggers.adoc[leveloffset=+1]
 include::modules/builds-webhook-triggers.adoc[leveloffset=+2]
+include::modules/unauthenticated-users-system-webhook.adoc[leveloffset=+3]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../authentication/using-rbac.adoc#unauthenticated-users-cluster-role-bindings-concept_using-rbac[Cluster role bindings for unauthenticated groups]
+
 include::modules/builds-using-github-webhooks.adoc[leveloffset=+3]
 include::modules/builds-using-gitlab-webhooks.adoc[leveloffset=+3]
@@ -34,4 +41,4 @@ include::modules/builds-build-hooks.adoc[leveloffset=+1]
 include::modules/builds-configuring-post-commit-build-hooks.adoc[leveloffset=+2]
-include::modules/builds-using-cli-post-commit-build-hooks.adoc[leveloffset=+2]
+include::modules/builds-using-cli-post-commit-build-hooks.adoc[leveloffset=+2]
\ No newline at end of file
diff --git a/modules/builds-using-bitbucket-webhooks.adoc b/modules/builds-using-bitbucket-webhooks.adoc
index 9bb97b275f..cbbd1718e6 100644
--- a/modules/builds-using-bitbucket-webhooks.adoc
+++ b/modules/builds-using-bitbucket-webhooks.adoc
@@ -24,6 +24,10 @@ The payload URL is returned as the Bitbucket Webhook URL by the `oc describe` co
 https:///apis/build.openshift.io/v1/namespaces//buildconfigs//webhooks//bitbucket
 ----
+.Prerequisites
+
+* `system:unauthenticated` has access to the `system:webhook` role in the required namespaces. Or, `system:unauthenticated` has access to the `system:webhook` cluster role.
+
 .Procedure
 . Configure a Bitbucket Webhook.
diff --git a/modules/builds-using-github-webhooks.adoc b/modules/builds-using-github-webhooks.adoc
index fe2d3ed8bf..3dcab17b88 100644
--- a/modules/builds-using-github-webhooks.adoc
+++ b/modules/builds-using-github-webhooks.adoc
@@ -35,6 +35,7 @@ https:///apis/build.openshift.io/v1/namespaces//apis/build.openshift.io/v1/namespaces//buildconfigs//webhooks//gitlab
 ----
+.Prerequisites
+
+* `system:unauthenticated` has access to the `system:webhook` role in the required namespaces. Or, `system:unauthenticated` has access to the `system:webhook` cluster role.
+
 .Procedure
 . Configure a GitLab Webhook.
diff --git a/modules/unauthenticated-users-cluster-role-binding-con.adoc b/modules/unauthenticated-users-cluster-role-binding-con.adoc
new file mode 100644
index 0000000000..bfbd6cc4a9
--- /dev/null
+++ b/modules/unauthenticated-users-cluster-role-binding-con.adoc
@@ -0,0 +1,29 @@
+// Module included in the following assemblies:
+//
+// * authentication/using-rbac.adoc
+// * post_installation_configuration/preparing-for-users.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="unauthenticated-users-cluster-role-bindings-concept_{context}"]
+= Cluster role bindings for unauthenticated groups
+
+[NOTE]
+====
+Before {product-title} 4.16, unauthenticated groups were allowed access to some cluster roles. Clusters updated from versions before {product-title} 4.16 retain this access for unauthenticated groups.
+====
+
+For security reasons {product-title} {product-version} does not allow unauthenticated groups to have default access to cluster roles.
+
+There are use cases where it might be necessary to add `system:unauthenticated` to a cluster role.
+
+Cluster administrators can add unauthenticated users to the following cluster roles:
+
+* `system:scope-impersonation`
+* `system:webhook`
+* `system:oauth-token-deleter`
+* `self-access-reviewer`
+
+[IMPORTANT]
+====
+Always verify compliance with your organization's security standards when modifying unauthenticated access.
+====
\ No newline at end of file
diff --git a/modules/unauthenticated-users-cluster-role-binding.adoc b/modules/unauthenticated-users-cluster-role-binding.adoc
new file mode 100644
index 0000000000..e93a827132
--- /dev/null
+++ b/modules/unauthenticated-users-cluster-role-binding.adoc
@@ -0,0 +1,57 @@
+// Module included in the following assemblies:
+//
+// * authentication/impersonating-system-admin.adoc
+// * authentication/tokens-scoping.adoc
+// * authentication/managing-oauth-access-tokens.adoc
+// * post_installation_configuration/preparing-for-users.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="unauthenticated-users-cluster-role-bindings_{context}"]
+= Adding unauthenticated groups to cluster roles
+
+As a cluster administrator, you can add unauthenticated users to the following cluster roles in {product-title} by creating a cluster role binding. Unauthenticated users do not have access to non-public cluster roles. This should only be done in specific use cases when necessary.
+
+You can add unauthenticated users to the following cluster roles:
+
+* `system:scope-impersonation`
+* `system:webhook`
+* `system:oauth-token-deleter`
+* `self-access-reviewer`
+
+[IMPORTANT]
+====
+Always verify compliance with your organization's security standards when modifying unauthenticated access.
+====
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* You have installed the OpenShift CLI (`oc`).
+
+.Procedure
+
+. Create a YAML file named `add--unauth.yaml` and add the following content:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ name: access-unauthenticated
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name:
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:unauthenticated
+----
+. Apply the configuration by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f add-.yaml
+----
\ No newline at end of file
diff --git a/modules/unauthenticated-users-system-webhook.adoc b/modules/unauthenticated-users-system-webhook.adoc
new file mode 100644
index 0000000000..ced68af248
--- /dev/null
+++ b/modules/unauthenticated-users-system-webhook.adoc
@@ -0,0 +1,54 @@
+// Module included in the following assemblies:
+//
+// * cicd/builds/triggering-builds-build-hooks.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="unauthenticated-users-system-webhook_{context}"]
+= Adding unauthenticated users to the system:webhook role binding
+
+As a cluster administrator, you can add unauthenticated users to the `system:webhook` role binding in {product-title} for specific namespaces. The `system:webhook` role binding allows users to trigger builds from external systems that do not use an {product-title} authentication mechanism. Unauthenticated users do not have access to non-public role bindings by default. This is a change from {product-title} versions before 4.16.
+
+Adding unauthenticated users to the `system:webhook` role binding is required to successfully trigger builds from GitHub, GitLab, and Bitbucket.
+
+If it is necessary to allow unauthenticated users access to a cluster, you can do so by adding unauthenticated users to the `system:webhook` role binding in each required namespace. This method is more secure than adding unauthenticated users to the `system:webhook` cluster role binding. However, if you have a large number of namespaces, it is possible to add unauthenticated users to the `system:webhook` cluster role binding which would apply the change to all namespaces.
+
+[IMPORTANT]
+====
+Always verify compliance with your organization's security standards when modifying unauthenticated access.
+====
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* You have installed the OpenShift CLI (`oc`).
+
+.Procedure
+
+. Create a YAML file named `add-webhooks-unauth.yaml` and add the following content:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ name: webhook-access-unauthenticated
+ namespace: <1>
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: "system:webhook"
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: "system:unauthenticated"
+----
+<1> The namespace of your `BuildConfig`.
+
+. Apply the configuration by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f add-webhooks-unauth.yaml
+----
\ No newline at end of file
diff --git a/post_installation_configuration/preparing-for-users.adoc b/post_installation_configuration/preparing-for-users.adoc
index eef3771944..f9b7213492 100644
--- a/post_installation_configuration/preparing-for-users.adoc
+++ b/post_installation_configuration/preparing-for-users.adoc
@@ -114,6 +114,10 @@ include::modules/rbac-cluster-role-binding-commands.adoc[leveloffset=+2]
 include::modules/rbac-creating-cluster-admin.adoc[leveloffset=+2]
 endif::[]
+include::modules/unauthenticated-users-cluster-role-binding-con.adoc[leveloffset=+2]
+
+include::modules/unauthenticated-users-cluster-role-binding.adoc[leveloffset=+2]
+
 include::modules/authentication-kubeadmin.adoc[leveloffset=+1]
 include::modules/authentication-remove-kubeadmin.adoc[leveloffset=+2]