openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/disabling-project-self-provisioning.adoc
Michael Burke 6062fec7b5 Applications docs fixes during ROSA review
2024-03-15 12:39:37 +00:00

101 lines
2.8 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * applications/projects/configuring-project-creation.adoc
:_mod-docs-content-type: PROCEDURE
[id="disabling-project-self-provisioning_{context}"]
= Disabling project self-provisioning
You can prevent an authenticated user group from self-provisioning new projects.
.Procedure
. Log in as a user with `cluster-admin` privileges.
. View the `self-provisioners` cluster role binding usage by running the following command:
+
[source,terminal]
----
$ oc describe clusterrolebinding.rbac self-provisioners
----
+
.Example output
[source,terminal]
----
Name: self-provisioners
Labels: <none>
Annotations: rbac.authorization.kubernetes.io/autoupdate=true
Role:
Kind: ClusterRole
Name: self-provisioner
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:authenticated:oauth
----
+
Review the subjects in the `self-provisioners` section.
. Remove the `self-provisioner` cluster role from the group `system:authenticated:oauth`.
** If the `self-provisioners` cluster role binding binds only the `self-provisioner` role to the `system:authenticated:oauth` group, run the following command:
+
[source,terminal]
----
$ oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
----
** If the `self-provisioners` cluster role binding binds the `self-provisioner` role to more users, groups, or service accounts than the `system:authenticated:oauth` group, run the following command:
+
[source,terminal]
----
$ oc adm policy \
remove-cluster-role-from-group self-provisioner \
system:authenticated:oauth
----
. Edit the `self-provisioners` cluster role binding to prevent automatic updates to the role. Automatic updates reset the cluster roles to the default state.
** To update the role binding using the CLI:
... Run the following command:
+
[source,terminal]
----
$ oc edit clusterrolebinding.rbac self-provisioners
----
... In the displayed role binding, set the `rbac.authorization.kubernetes.io/autoupdate` parameter value to `false`, as shown in the following example:
+
[source,yaml]
----
apiVersion: authorization.openshift.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "false"
# ...
----
** To update the role binding by using a single command:
+
[source,terminal]
----
$ oc patch clusterrolebinding.rbac self-provisioners -p '{ "metadata": { "annotations": { "rbac.authorization.kubernetes.io/autoupdate": "false" } } }'
----
. Log in as an authenticated user and verify that it can no longer self-provision a project:
+
[source,terminal]
----
$ oc new-project test
----
+
.Example output
[source,terminal]
----
Error from server (Forbidden): You may not request a new project via this API.
----
+
Consider customizing this project request message to provide more helpful instructions specific to your organization.
View Git Blame Copy Permalink