Disable project self-provisioning on OpenShift 4
This guide describes how to remove the permission for regular users to self-provision projects on OpenShift 4 clusters. It is based on the OpenShift documentation on disabling project self-provisioning.
NOTE: The self-provisioners ClusterRoleBinding can also be managed by the openshift4-authentication component.
Procedure
To disable self-provisioning, patch the self-provisioners ClusterRoleBinding (CRB) so that it has no subjects. The following ManagedResource (for example deployed via adhoc-configurations) does this with server-side apply and re-applies the patch whenever the CRB changes:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: remove-self-provisioning
  namespace: syn-espejote
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: remove-self-provisioning
rules:
  # RBAC escalation prevention: to modify a binding, the service account must
  # itself hold every permission of the referenced role (here: self-provisioner).
  - apiGroups:
      - ""
      - project.openshift.io
    resources:
      - projectrequests
    verbs:
      - create
  # Restrict the write permission to the single binding that gets patched.
  - apiGroups:
      - rbac.authorization.k8s.io
    resourceNames:
      - self-provisioners
    resources:
      - clusterrolebindings
    verbs:
      - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: remove-self-provisioning
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: remove-self-provisioning
subjects:
  - kind: ServiceAccount
    name: remove-self-provisioning
    namespace: syn-espejote
---
apiVersion: espejote.io/v1alpha1
kind: ManagedResource
metadata:
  name: remove-self-provisioning
  namespace: syn-espejote
spec:
  applyOptions:
    # Take ownership of the subjects field even if another manager owns it.
    force: true
  serviceAccountRef:
    name: remove-self-provisioning
  # Server-side-apply patch: keep the binding, drop all subjects.
  template: |-
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRoleBinding",
      "metadata": {
        "name": "self-provisioners"
      },
      "subjects": []
    }
  triggers:
    # Re-apply whenever the binding changes, e.g. after the default subjects
    # are restored by the cluster's RBAC reconciliation.
    - name: clusterrolebinding
      watchResource:
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        name: self-provisioners
Roll out this configuration and verify that it applies: `oc get clusterrolebinding self-provisioners -o yaml` must show an empty subject list, and a regular user running `oc new-project` now gets the error "You may not request a new project via this API." This disables self-provisioning for all regular authenticated users; cluster administrators can still create projects. OpenShift's RBAC reconciliation restores the default subjects of the self-provisioners CRB while its rbac.authorization.kubernetes.io/autoupdate annotation is not set to "false"; the trigger in the ManagedResource makes espejote re-apply the empty subject list whenever that happens.
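The following script is an added example for the verification step; it is not part of the OpenShift documentation or of the espejote component. It takes the JSON that `oc get clusterrolebinding self-provisioners -o json` prints and reports whether the binding still grants self-provisioning and whether the autoupdate annotation would let the cluster restore the default subjects. The two embedded sample bindings are constructed for offline use and mirror the default state and the patched state described above.

```python
"""Check whether project self-provisioning is disabled on OpenShift 4.

Usage:
    oc get clusterrolebinding self-provisioners -o json | python3 check_self_provisioners.py
    python3 check_self_provisioners.py            # runs against the embedded samples
"""
import json
import sys

# Annotation honoured by the default-RBAC reconciler: unless its value is the
# string "false", the default subjects may be restored on API server restart.
AUTOUPDATE_ANNOTATION = "rbac.authorization.kubernetes.io/autoupdate"

# Subject that OpenShift binds to the self-provisioner role by default.
DEFAULT_SUBJECT = {"kind": "Group", "name": "system:authenticated:oauth"}


def analyze_self_provisioners(crb: dict) -> dict:
    """Return a verdict for a self-provisioners ClusterRoleBinding object."""
    if crb.get("kind") != "ClusterRoleBinding":
        raise ValueError(f"expected a ClusterRoleBinding, got {crb.get('kind')!r}")
    metadata = crb.get("metadata") or {}
    if metadata.get("name") != "self-provisioners":
        raise ValueError("object is not the self-provisioners binding")

    # After the patch the key is absent or null, never a non-empty list.
    subjects = crb.get("subjects") or []
    annotations = metadata.get("annotations") or {}
    default_bound = any(
        s.get("kind") == DEFAULT_SUBJECT["kind"] and s.get("name") == DEFAULT_SUBJECT["name"]
        for s in subjects
    )
    return {
        "disabled": len(subjects) == 0,
        "remaining_subjects": [f"{s.get('kind')}/{s.get('name')}" for s in subjects],
        "default_group_bound": default_bound,
        "autoupdate_enabled": annotations.get(AUTOUPDATE_ANNOTATION) != "false",
    }


def report(crb: dict) -> str:
    """Human-readable summary of analyze_self_provisioners()."""
    verdict = analyze_self_provisioners(crb)
    if verdict["disabled"]:
        lines = ["OK: self-provisioners has no subjects; self-provisioning is disabled"]
    else:
        lines = ["FAIL: self-provisioners still bound to " + ", ".join(verdict["remaining_subjects"])]
    if verdict["autoupdate_enabled"]:
        lines.append(
            f'WARN: {AUTOUPDATE_ANNOTATION} is not "false"; the default subjects can be restored '
            "by RBAC reconciliation unless something (such as the espejote trigger) re-applies the patch"
        )
    return "\n".join(lines)


# Constructed sample: the binding in its default state, before the patch.
SAMPLE_DEFAULT = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {
        "name": "self-provisioners",
        "annotations": {AUTOUPDATE_ANNOTATION: "true"},
    },
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "self-provisioner"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:authenticated:oauth"}],
}

# Constructed sample: the same binding after the ManagedResource applied
# "subjects": [] (the annotation is untouched by the patch).
SAMPLE_PATCHED = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {
        "name": "self-provisioners",
        "annotations": {AUTOUPDATE_ANNOTATION: "true"},
    },
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "self-provisioner"},
}


if __name__ == "__main__":
    if not sys.stdin.isatty():
        print(report(json.load(sys.stdin)))
    else:
        for label, sample in (("default", SAMPLE_DEFAULT), ("patched", SAMPLE_PATCHED)):
            print(f"--- {label} ---")
            print(report(sample))
```

The WARN line is expected on a cluster patched this way, because the template only clears the subjects and leaves the autoupdate annotation alone; it is the trigger on the self-provisioners CRB that keeps the patch in place across reconciliations.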