openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/olmv1-granting-user-access-aggregated.adoc
Alex Dellapenta 8e6c4886e9 Granting user access to OLMv1 extension resources
2025-02-10 16:05:09 +00:00

66 lines
2.3 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * extensions/ce/user-access-resources.adoc
:_mod-docs-content-type: PROCEDURE
[id="olmv1-granting-user-access-aggregated_{context}"]
= Granting user access to extension resources by using aggregated cluster roles
As a cluster administrator, you can configure role-based access control (RBAC) policies to grant user access to extension resources by using aggregated cluster roles.
To automatically extend existing default cluster roles, you can add _aggregation labels_ by adding one or more of the following labels to a `ClusterRole` object:
.Aggregation labels in a `ClusterRole` object
[source,yaml]
----
# ..
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-view: "true"
# ..
----
This allows users who already have `view`, `edit`, or `admin` roles to interact with the custom resource specified by the `ClusterRole` object without requiring additional role or cluster role bindings to specific users or groups.
.Prerequisites
* A cluster extension has been installed on your cluster.
* You have a list of API groups and resource names, as described in "Finding API groups and resources exposed by a cluster extension".
.Procedure
. Create an object definition for a cluster role that specifies the API groups and resources provided by the cluster extension and add an aggregation label to extend one or more existing default cluster roles:
+
.Example `ClusterRole` object with an aggregation label
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: view-custom-resource-aggregated
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- <cluster_extension_api_group>
resources:
- <cluster_extension_custom_resource>
verbs:
- get
- list
- watch
----
+
You can create similar `ClusterRole` objects for `edit` and `admin` with appropriate verbs, such as `create`, `update`, and `delete`. By using aggregation labels, the permissions for the custom resources are added to the default roles.
. Save your object definition to a YAML file.
. Create the object by running the following command:
+
[source,terminal]
----
$ oc create -f <filename>.yaml
----
View Git Blame Copy Permalink