This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on Jun 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 4.12, which is the latest version currently available.
Abstract
| Goal | Configure a Red Hat OpenShift Service on AWS (ROSA) cluster to be used for development purposes. |
| Objectives | |
| Sections | |
Configure an identity provider that allows developers to access a managed cluster and self-service projects to deploy unprivileged applications.
Red Hat OpenShift uses identity providers (IdP) to validate the identity of users. An identity provider is a system that maintains user identities and offers authentication mechanisms for other services.
OpenShift supports several identity providers. The following list includes the most common:
HTPasswd: Validates usernames and passwords against an OpenShift secret that stores credentials generated by using the htpasswd command.
Keystone: Enables shared authentication with an OpenStack Keystone v3 server.
LDAP: Configures the LDAP identity provider to validate usernames and passwords against an LDAPv3 server, using simple bind authentication. You can use that method for authenticating users against Red Hat Identity Management or Microsoft Active Directory.
GitHub: Configures a GitHub identity provider to validate usernames and passwords against GitHub or the GitHub Enterprise authentication server.
OpenID Connect: Integrates with an OpenID Connect identity provider that uses an Authorization Code Flow. You can use that method to authenticate against Red Hat Single Sign-On. Red Hat Single Sign-On provides web single sign-on (SSO) capabilities, complex password policies, two-factor authentication, and social login to OpenShift and web applications.
Red Hat OpenShift Service on AWS (ROSA) supports the same identity providers as any other OpenShift solution.
Administrators often configure their on-premises OpenShift clusters to authenticate against their organization's IdP system, such as Red Hat Identity Management or Microsoft Active Directory. In a similar fashion, you can configure your ROSA clusters to authenticate against an IdP system that you deploy in your cloud infrastructure.
Specifically, Red Hat provides the Red Hat Single Sign-On Operator, which enables you to deploy Red Hat Single Sign-On in one of your ROSA clusters. You can then use that deployment as the IdP for a fleet of managed clusters.
You can configure several identity providers for a cluster. Users can select the IdP from the login page of the OpenShift web console.

The Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster (DO280) and Red Hat OpenShift Administration III: Scaling Kubernetes Deployments in the Enterprise (DO380) courses provide more details on configuring identity providers and granting administrator privileges to users.
The OpenShift documentation provides instructions to configure identity providers for Red Hat OpenShift clusters. You can follow those instructions for your ROSA clusters.
However, the rosa command provides the create idp subcommand, which guides you through the process.
Before you can use that rosa create idp command, ensure that you used the aws configure and rosa login commands to log in to your AWS account and to your Red Hat account.
Add the --cluster option to the rosa create idp command to specify your cluster name.
By default, the command runs in interactive mode.
```
$ rosa create idp --cluster mycluster
I: Interactive mode enabled.
Any optional fields can be left empty and a default will be selected.
? Type of identity provider:  [Use arrows to move, type to filter]
> github
  gitlab
  google
  htpasswd
  ldap
  openid
? Identity provider name: GitHub-dev-org
...output omitted...
```
The name you choose for the identity provider, GitHub-dev-org in the preceding example, is the name that displays on the login page of the OpenShift web console.
Because not all the identity providers require the same parameters, the rosa create idp command adjusts the questions to the IdP type you select.
Some identity providers require additional configuration. For the GitHub IdP, for example, you need to perform the following configuration in GitHub:
Create a GitHub Organization or a GitHub Team to group the GitHub users that are allowed to access your ROSA cluster.
Register your ROSA cluster as an OAuth application.
The rosa create idp command guides you through that process.
You can run the rosa create idp command in automatic mode by specifying all the configuration parameters as command options.
Run the rosa create idp --help command to list the available options.
You can also configure identity providers for your ROSA clusters from the Red Hat OpenShift Cluster Manager web console at https://console.redhat.com/openshift.
ROSA automatically creates and configures the HTPasswd identity provider when you create the cluster-admin user account by using the rosa create admin command.
Red Hat does not support that identity provider for any other purpose. In other words, do not use the HTPasswd identity provider for authenticating your users in production environments.
The users that log in to your OpenShift cluster through an IdP have a self-service developer profile by default. They can create projects to deploy unprivileged applications. As an administrator, you can use the standard OpenShift Role-based Access Control (RBAC) mechanism to grant them additional permissions.
ROSA creates two groups that you can use to grant privileges to some users:
The cluster-admins group grants full access to your OpenShift cluster.
Although some protections are in place to prevent you from damaging your cluster, Red Hat recommends that you limit the number of users with that role.
The dedicated-admins group grants its members permissions to manage user-created projects.
Users in that group can view most of the cluster resources, such as the core projects or the cluster operators, but cannot modify or delete them.
To facilitate adding users to these groups, you can use the rosa grant user command.
To add a user to the cluster-admins group, run the following command:
```
$ rosa grant user cluster-admin --user myuser --cluster mycluster
```
To remove the user from the cluster-admins group, run the following command:
```
$ rosa revoke user cluster-admin --user myuser --cluster mycluster
```
To add a user to the dedicated-admins group, run the following command:
```
$ rosa grant user dedicated-admin --user myuser --cluster mycluster
```
To remove the user from the dedicated-admins group, run the following command:
```
$ rosa revoke user dedicated-admin --user myuser --cluster mycluster
```
A user cannot belong to the cluster-admins and the dedicated-admins groups at the same time.
Some applications might need access to your OpenShift cluster. For example, external workflow managers, such as ServiceNow or a CI/CD pipeline, use the OpenShift API to deploy applications on behalf of developers. These applications need to authenticate with OpenShift to perform their operations.
To preserve the integrity of a regular user's credentials, service accounts are used instead. Service accounts enable you to control API access without the need to borrow a regular user's credentials.
As a cluster administrator, you can create a service account by using the oc create serviceaccount command:
```
$ oc create serviceaccount my-service-account
```
You can grant the service account some access to your cluster.
The following command grants the self-provisioner cluster role to the service account.
With that role, the service account can create projects and manage resources in these projects.
```
$ oc adm policy add-cluster-role-to-user self-provisioner -z my-service-account
```
The service account authenticates with the API by using an access token.
You can generate a temporary token by using the oc create token command.
By default, the token expires after one hour but you can provide the --duration option to specify a different expiration period.
```
$ oc create token my-service-account --duration 2h
eyJh...PVqM
```
If you need a token that does not expire, then use the token that OpenShift automatically creates when you create the service account.
OpenShift stores this token in a secret object.
Use the oc describe serviceaccount command to retrieve the name of the OpenShift secret.
```
$ oc describe serviceaccount my-service-account
Name:                my-service-account
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  my-service-account-dockercfg-7x4qp
Mountable secrets:   my-service-account-dockercfg-7x4qp
Tokens:              my-service-account-token-hfdks
Events:              <none>
```
Use the oc describe secret command to retrieve the token.
```
$ oc describe secret my-service-account-token-hfdks
...output omitted...
Data
====
token:  eyJh...IH4c
...output omitted...
```
You can use this token to configure the application that needs access to the OpenShift API.
To test the authentication, use the oc login command and provide the token by using the --token option:
```
$ oc login --token eyJh...IH4c
Logged into "https://api.mycluster.myawsdomain:6443" as "system:serviceaccount:default:my-service-account" using the token provided.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>
```
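The two token kinds described above differ in their JWT claims: a token from oc create token carries an exp claim, whereas the secret-backed token that OpenShift creates with the service account never expires. The following Python snippet is an added example, not part of the course; it builds two constructed, unsigned sample tokens with the claim layouts those token kinds use and decodes the payload (without any signature verification) to report the owner and the remaining lifetime, which is what you would check when auditing which applications hold non-expiring credentials.

```python
import base64
import json

# Constructed sample data modelled on the two token kinds the text describes:
# a bound token from `oc create token --duration 2h` (has iat/exp) and a legacy
# secret-backed token (no exp). Signatures are placeholders; nothing is verified.
ISSUED_AT = 1_700_000_000


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _make_token(claims: dict) -> str:
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"  # "signature-placeholder"


BOUND_TOKEN = _make_token({
    "iss": "https://kubernetes.default.svc",
    "sub": "system:serviceaccount:default:my-service-account",
    "aud": ["https://kubernetes.default.svc"],
    "iat": ISSUED_AT, "nbf": ISSUED_AT, "exp": ISSUED_AT + 2 * 3600,
    "kubernetes.io": {"namespace": "default",
                      "serviceaccount": {"name": "my-service-account", "uid": "constructed-uid"}},
})
LEGACY_TOKEN = _make_token({
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:default:my-service-account",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "my-service-account-token-hfdks",
    "kubernetes.io/serviceaccount/service-account.name": "my-service-account",
})


def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def inspect_token(token: str, now: int) -> dict:
    """Report who a service account token belongs to and whether/when it expires."""
    c = decode_claims(token)
    exp = c.get("exp")
    return {
        "subject": c.get("sub"),
        "namespace": (c.get("kubernetes.io", {}).get("namespace")
                      or c.get("kubernetes.io/serviceaccount/namespace")),
        "secret_name": c.get("kubernetes.io/serviceaccount/secret.name"),  # legacy only
        "expires": exp is not None,
        "expired": exp is not None and now >= exp,
        "seconds_left": None if exp is None else max(0, exp - now),
    }
```

Tokens with "expires": False are the ones to inventory and rotate deliberately, since nothing in the cluster will invalidate them for you.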
Knowledgebase: "Getting the authentication token for an Service Account in OCP"
For more information about the Red Hat Single Sign-On Operator, refer to the Red Hat Single Sign-On Operator chapter in the Red Hat Single Sign-On 7.6 Server Installation and Configuration Guide at https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/server_installation_and_configuration_guide/index#operator
For more information about the identity providers, refer to the Configuring Identity Providers chapter in the Red Hat OpenShift Container Platform 4.11 Authentication and Authorization documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html-single/authentication_and_authorization/index#configuring-identity-providers
For more information about RBAC, refer to the Using RBAC to Define and Apply Permissions chapter in the Red Hat OpenShift Container Platform 4.11 Authentication and Authorization documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html-single/authentication_and_authorization/index#using-rbac
For more information about identity providers in ROSA, refer to the Configuring Identity Providers for STS chapter in the Red Hat OpenShift Service on AWS 4 Installing, Accessing, and Deleting ROSA Clusters documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws/4/html-single/installing_accessing_and_deleting_rosa_clusters/index#rosa-sts-config-identity-providers