Uploaded image for project: 'OpenShift Service Mesh'
  1. OpenShift Service Mesh
  2. OSSM-173

NoN cluster-admin User configuration

    XMLWordPrintable

Details

    • Task
    • Resolution: Done
    • Major
    • OSSM 1.1.0
    • None
    • None
    • Service Mesh 1.1.0

    Description

      In Kiali documentation we need to have a section about usage of non cluster-admin user in Kiali , which can have view only access to given namespaces only.

      For a "foo" user to have view only access only to bookinfo namespace, we need to do:

      1. Create "maistra-admin" ClusterRole and ClusterRoleBinding.
        For instance with the below mentioned rules: 
        apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: maistra-admin
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["maistra.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["config.istio.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["networking.istio.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.istio.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["rbac.istio.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.maistra.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["rbac.maistra.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["security.istio.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: maistra-admin
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: maistra-admin
      1. Assign created 'maistra-admin' role to necessary OpenShift Cluster user on the necessary namespace.
        For 'foo' user on bookinfo namespace. 
        oc adm policy add-role-to-user maistra-admin foo -n bookinfo

        Otherwise if this step is not done, the view only 'foo' user on Kiali side will face the linked OSSM issues.

      2. Add 'view' role to user on particular namespace.
        For instance giving 'view' access to user 'foo' on bookinfo namespace: 
        oc adm policy add-role-to-user admin foo -n bookinfo

      Attachments

        Issue Links

          is blocked by

          Task - Represents a small unit of work that is not end-user facing. MAISTRA-1295 Ensure permissions for istio.io resources are added to project role bindings

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is caused by

          Bug - A problem that impairs or prevents the functions of the product. OSSM-169 Kiali: Could not fetch Service Details for View only "foo" user

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. OSSM-170 Kiali: Could not fetch Istio objects list for admin "foo" user

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. OSSM-171 Kiali: Overview page - Repetitive Error Noifications for View only "foo" user

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. OSSM-172 Kiali: Could not fetch Istio objects list: Gateway Time-out - View only "foo" user

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Activity

            People

              rcernich1 Rob Cernich
              hhovsepy@redhat.com Hayk Hovsepyan
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: