openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
20a0bafa76384ccfa1824293afc2c00b5b5930e5
openshift-docs/modules/unauthenticated-users-system-webhook.adoc
Janelle Neczypor a92c18d4c2 OSDOCS-14492
2025-09-17 17:50:39 +00:00

61 lines
2.4 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * cicd/builds/triggering-builds-build-hooks.adoc
:_mod-docs-content-type: PROCEDURE
[id="unauthenticated-users-system-webhook_{context}"]
= Adding unauthenticated users to the system:webhook role binding
As a cluster administrator, you can add unauthenticated users to the `system:webhook` role binding in {product-title} for specific namespaces. The `system:webhook` role binding allows users to trigger builds from external systems that do not use
ifndef::openshift-rosa,openshift-rosa-hcp[]
an {product-title}
endif::openshift-rosa,openshift-rosa-hcp[]
ifndef::openshift-rosa,openshift-rosa-hcp[]
a {product-title}
endif::openshift-rosa,openshift-rosa-hcp[]
authentication mechanism. Unauthenticated users do not have access to non-public role bindings by default. This is a change from {product-title} versions before 4.16.
Adding unauthenticated users to the `system:webhook` role binding is required to successfully trigger builds from GitHub, GitLab, and Bitbucket.
If it is necessary to allow unauthenticated users access to a cluster, you can do so by adding unauthenticated users to the `system:webhook` role binding in each required namespace. This method is more secure than adding unauthenticated users to the `system:webhook` cluster role binding. However, if you have a large number of namespaces, it is possible to add unauthenticated users to the `system:webhook` cluster role binding which would apply the change to all namespaces.
[IMPORTANT]
====
Always verify compliance with your organization's security standards when modifying unauthenticated access.
====
.Prerequisites
* You have access to the cluster as a user with the `cluster-admin` role.
* You have installed the OpenShift CLI (`oc`).
.Procedure
. Create a YAML file named `add-webhooks-unauth.yaml` and add the following content:
+
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
name: webhook-access-unauthenticated
namespace: <namespace> <1>
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "system:webhook"
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: "system:unauthenticated"
----
<1> The namespace of your `BuildConfig`.
. Apply the configuration by running the following command:
+
[source,terminal]
----
$ oc apply -f add-webhooks-unauth.yaml
----
View Git Blame Copy Permalink