Prevent users from creating projects in OpenShift / OKD clusters


On a newly created OpenShift / OKD Kubernetes cluster, any authenticated user can create projects (namespaces) by default, without consulting the cluster administrator. In most environments you will want to disable this so that cluster compute resources cannot be consumed without oversight, and so that developers follow the agreed process for getting applications deployed to the cluster.

In this guide we show how to prevent logged-in users from creating projects themselves. Instead, they receive a message telling them to contact the responsible team, which creates the project and grants them the permissions to use it.

You need a working OpenShift cluster to follow this guide. See one of these guides on how to create one:

Set up a local OpenShift 4 cluster with CodeReady Containers

How to set up a local OpenShift Origin (OKD) cluster on CentOS 7

How to run a local OpenShift cluster using Minishift

Disable project self-provisioning on OpenShift

First, inspect the self-provisioners cluster role binding. It grants the self-provisioner cluster role, which is what allows a user to request new projects:

$ oc describe clusterrolebinding.rbac self-provisioners

----
Name:         self-provisioners
Labels:       
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  self-provisioner
Subjects:
  Kind   Name                        Namespace
  ----   ----                        ---------
  Group  system:authenticated:oauth

The binding grants the self-provisioner role to the system:authenticated:oauth group, i.e. every logged-in user. Remove all subjects from the binding:

oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'

You should get the following output:

clusterrolebinding.rbac.authorization.k8s.io/self-provisioners patched

If the self-provisioners cluster role binding binds the self-provisioner role to more users, groups or service accounts than just the system:authenticated:oauth group, and you only want to remove that group, run this instead:

oc adm policy \
    remove-cluster-role-from-group self-provisioner \
    system:authenticated:oauth

Next, stop the binding from being reset to its default state. The rbac.authorization.kubernetes.io/autoupdate annotation is true by default, which lets the API server restore the default subjects on restart. Set it to false by applying the patch directly:

oc patch clusterrolebinding.rbac self-provisioners -p '{ "metadata": { "annotations": { "rbac.authorization.kubernetes.io/autoupdate": "false" } } }'

Confirm the contents of the self-provisioners cluster role binding:

oc edit clusterrolebinding.rbac self-provisioners

The annotation should now be set to false:

.....
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
.....

Log in as a regular authenticated user and confirm that they can no longer provision a project on their own:

$ oc new-project test
Error from server (Forbidden): You may not request a new project via this API.

Customize project request messages on OpenShift

Now customize the message that users receive when they try to create a project from the CLI or the web console and are refused.

From CLI

Log in as a user with cluster-admin privileges and edit the project.config.openshift.io/cluster resource:

$ oc edit project.config.openshift.io/cluster

Update the projectRequestMessage parameter with the value of your custom message:

projectRequestMessage: "To request a project, contact OpenShift Admin Team at [email protected]eks.com."

From the web dashboard

Open the OpenShift web console and navigate to Administration > Cluster Settings.

Click Global Configuration (View all configuration resources).

Find the entry named Project.

Click it, open the YAML tab and edit the spec:

projectRequestMessage: "To request a project, contact OpenShift Admin Team at [email protected]"

After saving the changes, a developer or service account without self-provisioning rights who tries to create a new project no longer gets only the generic Forbidden error; they receive the custom message we just configured.
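To audit a cluster after following both parts of this guide (the self-provisioners binding and the project request message), here is an added example, not from the original article, that checks the JSON printed by `oc get clusterrolebinding.rbac self-provisioners -o json` and `oc get project.config.openshift.io/cluster -o json`. The sample objects embedded below are constructed, not captured from a real cluster, and the function and constant names are my own.

```python
"""Offline audit of the settings this guide changes (added example, not from
the original article). Inputs are the parsed JSON that
`oc get <resource> -o json` prints; all samples below are constructed."""
import json

AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"
DEFAULT_SUBJECT = ("Group", "system:authenticated:oauth")

def audit_self_provisioners(binding):
    """Return a list of findings; an empty list means the binding is locked down."""
    findings = []
    # After `-p '{"subjects": null}'` the key is null or absent: treat both as empty.
    for s in binding.get("subjects") or []:
        if (s.get("kind"), s.get("name")) == DEFAULT_SUBJECT:
            findings.append("all authenticated users can still self-provision projects")
        else:
            findings.append("extra subject still bound: %s/%s" % (s.get("kind"), s.get("name")))
    annotations = binding.get("metadata", {}).get("annotations") or {}
    # The RBAC reconciler restores default subjects unless autoupdate is exactly "false".
    if annotations.get(AUTOUPDATE) != "false":
        findings.append("autoupdate is not false: the default subjects will be restored")
    return findings

def audit_project_config(project_cfg):
    """Users who are refused should get the custom message, not only the generic error."""
    msg = (project_cfg.get("spec") or {}).get("projectRequestMessage", "")
    return [] if msg.strip() else ["projectRequestMessage is empty"]

# Constructed sample of `oc get clusterrolebinding.rbac self-provisioners -o json`
# on a freshly installed cluster, before any patch from this guide.
DEFAULT_BINDING = json.loads("""{
  "metadata": {"name": "self-provisioners",
               "annotations": {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
  "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"},
  "subjects": [{"kind": "Group", "name": "system:authenticated:oauth"}]
}""")

# Constructed sample of the same binding after both patches from this guide.
HARDENED_BINDING = json.loads("""{
  "metadata": {"name": "self-provisioners",
               "annotations": {"rbac.authorization.kubernetes.io/autoupdate": "false"}},
  "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"},
  "subjects": null
}""")

if __name__ == "__main__":
    for name, b in (("default", DEFAULT_BINDING), ("hardened", HARDENED_BINDING)):
        print(name, audit_self_provisioners(b) or ["OK"])
```

In practice, pipe the real `oc get ... -o json` output through `json.load` and pass the result to the two functions; any non-empty list means one of the steps above did not stick.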

More information on OpenShift and Kubernetes:

Ceph persistent storage with Kubernetes using Cephfs

Kubernetes persistent storage using Ceph RBD

Top minimal container operating system running Kubernetes

How to install Kubernetes dashboard with NodePort

How to create an admin user to access Kubernetes dashboard
