mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-07 09:46:53 +01:00
57 lines
2.3 KiB
Plaintext
57 lines
2.3 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * service_mesh/v1x/installing-ossm.adoc
|
|
// * service_mesh/v2x/installing-ossm.adoc
|
|
|
|
[id="ossm-members_{context}"]
|
|
= Creating the {SMProductName} members
|
|
|
|
`ServiceMeshMember` resources provide a way for {SMProductName} administrators to delegate permissions to add projects to a service mesh, even when the respective users do not have direct access to the service mesh project or member roll. While project administrators are automatically given permission to create the `ServiceMeshMember` resource in their project, they cannot point it to any `ServiceMeshControlPlane` until the service mesh administrator explicitly grants access to the service mesh. Administrators can grant users permissions to access the mesh by granting them the `mesh-user` user role. In this example, `istio-system` is the name of the {SMProductShortName} control plane project.
|
|
|
|
[source,terminal]
|
|
----
|
|
$ oc policy add-role-to-user -n istio-system --role-namespace istio-system mesh-user <user_name>
|
|
----
|
|
|
|
Administrators can modify the `mesh-user` role binding in the {SMProductShortName} control plane project to specify the users and groups that are granted access. The `ServiceMeshMember` adds the project to the `ServiceMeshMemberRoll` within the {SMProductShortName} control plane project that it references.
|
|
|
|
[source,yaml]
|
|
----
|
|
apiVersion: maistra.io/v1
|
|
kind: ServiceMeshMember
|
|
metadata:
|
|
name: default
|
|
spec:
|
|
controlPlaneRef:
|
|
namespace: istio-system
|
|
name: basic
|
|
----
|
|
|
|
The `mesh-users` role binding is created automatically after the administrator creates the `ServiceMeshControlPlane` resource. An administrator can use the following command to add a role to a user.
|
|
|
|
[source,terminal]
|
|
----
|
|
$ oc policy add-role-to-user
|
|
----
|
|
|
|
The administrator can also create the `mesh-user` role binding before the administrator creates the `ServiceMeshControlPlane` resource. For example, the administrator can create it in the same `oc apply` operation as the `ServiceMeshControlPlane` resource.
|
|
|
|
This example adds a role binding for `alice`:
|
|
|
|
[source,yaml]
|
|
----
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
namespace: istio-system
|
|
name: mesh-users
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: mesh-user
|
|
subjects:
|
|
- apiGroup: rbac.authorization.k8s.io
|
|
kind: User
|
|
name: alice
|
|
----
|