DO280 - ch03s05

Bookmark this page

Lab: Authentication and Authorization

Configure the HTPasswd identity provider, create groups, and assign roles to users and groups.

Outcomes

Create users and passwords for HTPasswd authentication.
Configure the identity provider for HTPasswd authentication.
Assign cluster administration rights to users.
Remove the ability to create projects at the cluster level.
Create groups and add users to groups.
Manage user privileges in projects by granting privileges to groups.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

[student@workstation ~]$ lab start auth-review

The command ensures that the cluster API is reachable, and that the cluster uses the initial lab authentication settings.

Instructions

Update the existing ~/DO280/labs/auth-review/tmp_users HTPasswd authentication file to remove the analyst user. Ensure that the tester and leader users in the file use the L@bR3v!ew password. Add two entries to the file for the new_admin and new_developer users. Use the L@bR3v!ew password for each new user.
Remove the analyst user from the ~/DO280/labs/auth-review/tmp_users HTPasswd authentication file.
[student@workstation ~]$ htpasswd -D ~/DO280/labs/auth-review/tmp_users analyst Deleting password for user analyst
Update the entries for the tester and leader users to use the L@bR3v!ew password. Add entries for the new_admin and new_developer users with the L@bR3v!ew password.
[student@workstation ~]$ for NAME in tester leader new_admin new_developer ; \ do \ htpasswd -b ~/DO280/labs/auth-review/tmp_users ${NAME} 'L@bR3v!ew' ; \ done Updating password for user tester Updating password for user leader Adding password for user new_admin Adding password for user new_developer
Review the contents of the ~/DO280/labs/auth-review/tmp_users file. This file does not contain a line for the analyst user. The file includes two new entries with hashed passwords for the new_admin and new_developer users.
[student@workstation ~]$ cat ~/DO280/labs/auth-review/tmp_users tester:$apr1$EyWSDib4$uLoUMpwohNWUrU5L5ogkB/ leader:$apr1$/O8SyNdp$gjr.P7FMJbK2IebFU0QQn/ new_admin:$apr1$M5WHRPR2$GbGDkTK8QTrW2S/f2/1Kt1 new_developer:$apr1$dXdG8tWd$N8HA0SUe3TbqAhI049gOH0
Log in to your OpenShift cluster as the admin user with the redhatocp password. Configure your cluster to use the HTPasswd identity provider by using the defined user names and passwords in the ~/DO280/labs/auth-review/tmp_users file. For grading, use the auth-review name for the secret.
Log in to the cluster as the admin user.
[student@workstation ~]$ oc login -u admin -p redhatocp \ https://api.ocp4.example.com:6443 Login successful. ...output omitted...
Create an auth-review secret by using the ~/DO280/labs/auth-review/tmp_users file.
[student@workstation ~]$ oc create secret generic auth-review \ --from-file htpasswd=/home/student/DO280/labs/auth-review/tmp_users \ -n openshift-config secret/auth-review created
Export the existing OAuth resource to ~/DO280/labs/auth-review/oauth.yaml.
[student@workstation ~]$ oc get oauth cluster \ -o yaml > ~/DO280/labs/auth-review/oauth.yaml
Edit the ~/DO280/labs/auth-review/oauth.yaml file to add an identity provider by including the lines from the following example that are displayed in bold. Ensure that the htpasswd, mappingMethod, name, and type strings are at the same indentation level.
apiVersion: config.openshift.io/v1 kind: OAuth ...output omitted... spec: identityProviders: - ldap: ...output omitted... type: LDAP - htpasswd: fileData: name: auth-review mappingMethod: claim name: htpasswd type: HTPasswd
Note
For convenience, the ~/DO280/solutions/auth-review/oauth.yaml file contains a minimal version of the OAuth configuration with the specified customizations.
Apply the customized resource that you defined in the previous step.
[student@workstation ~]$ oc replace -f ~/DO280/labs/auth-review/oauth.yaml oauth.config.openshift.io/cluster replaced
A successful update to the oauth/cluster resource re-creates the oauth-openshift pods in the openshift-authentication namespace.
[student@workstation ~]$ watch oc get pods -n openshift-authentication
Wait until the new oauth-openshift pods are ready and running, and the previous pods have terminated.
Every 2.0s: oc get pods -n openshift-authentication ... NAME READY STATUS RESTARTS AGE oauth-openshift-68d6f666fd-z746p 1/1 Running 0 42s
Press Ctrl+C to exit the watch command.
Note
Pods in the openshift-authentication namespace redeploy when the oc replace command succeeds.
In this exercise, changes to authentication might require a few minutes to apply.
You can examine the status of pods and deployments in the openshift-authentication namespace to monitor the authentication status. You can also examine the authentication cluster operator for further status information.
Provided that the previously created secret was created correctly, you can log in by using the HTPasswd identity provider.
Make the new_admin user a cluster administrator. Log in as both the new_admin and new_developer users to verify HTPasswd user configuration and cluster privileges.
Assign the new_admin user the cluster-admin role.
[student@workstation ~]$ oc adm policy add-cluster-role-to-user \ cluster-admin new_admin Warning: User 'new_admin' not found clusterrole.rbac.authorization.k8s.io/cluster-admin added: "new_admin"
Note
You can safely ignore the warning that the new_admin user is not found.
Log in to the cluster as the new_admin user to verify that HTPasswd authentication is configured correctly.
[student@workstation ~]$ oc login -u new_admin -p 'L@bR3v!ew' Login successful. ...output omitted...
Use the oc get nodes command to verify that the new_admin user has the cluster-admin role. The names of the nodes from your cluster might be different.
[student@workstation ~]$ oc get nodes NAME STATUS ROLES AGE VERSION master01 Ready control-plane,master,worker 14d v1.27.6+f67aeb3
Log in to the cluster as the new_developer user to verify that the HTPasswd authentication is configured correctly.
[student@workstation ~]$ oc login -u new_developer -p 'L@bR3v!ew' Login successful. ...output omitted...
Use the oc get nodes command to verify that the new_developer user does not have cluster administration privileges.
[student@workstation ~]$ oc get nodes Error from server (Forbidden): nodes is forbidden: User "new_developer" cannot list resource "nodes" in API group "" at the cluster scope

As the new_admin user, prevent users from creating projects in the cluster.

[student@workstation ~]$ oc login -u new_admin -p 'L@bR3v!ew'
Login successful.

...output omitted...

Remove the self-provisioner cluster role from the system:authenticated:oauth virtual group.

[student@workstation ~]$ oc adm policy remove-cluster-role-from-group  \
    self-provisioner system:authenticated:oauth
Warning: Your changes may get lost whenever a master is restarted, unless you prevent reconciliation of this rolebinding using the following command: oc annotate clusterrolebinding.rbac self-provisioners 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite
clusterrole.rbac.authorization.k8s.io/self-provisioner removed: "system:authenticated:oauth"

Note

You can safely ignore the warning about your changes being lost.

Create a managers group, and add the leader user to the group. Grant project creation privileges to the managers group. As the leader user, create the auth-review project.

Create a managers group.

[student@workstation ~]$ oc adm groups new managers
group.user.openshift.io/managers created

Add the leader user to the managers group.

[student@workstation ~]$ oc adm groups add-users managers leader
group.user.openshift.io/managers added: "leader"

Assign the self-provisioner cluster role to the managers group.

[student@workstation ~]$ oc adm policy add-cluster-role-to-group  \
    self-provisioner managers
clusterrole.rbac.authorization.k8s.io/self-provisioner added: "managers"

As the leader user, create the auth-review project.

[student@workstation ~]$ oc login -u leader -p 'L@bR3v!ew'
Login successful.

...output omitted...

The user who creates a project is automatically assigned the admin role on the project.

[student@workstation ~]$ oc new-project auth-review
Now using project "auth-review" on server "https://api.ocp4.example.com:6443".

...output omitted...

Create a developers group and grant edit privileges on the auth-review project. Add the new_developer user to the group.

[student@workstation ~]$ oc login -u new_admin -p 'L@bR3v!ew'
Login successful.

...output omitted...

Create a developers group.

[student@workstation ~]$ oc adm groups new developers
group.user.openshift.io/developers created

Add the new_developer user to the developers group.

[student@workstation ~]$ oc adm groups add-users developers new_developer
group.user.openshift.io/developers added: "new_developer"

Grant edit privileges to the developers group on the auth-review project.

[student@workstation ~]$ oc policy add-role-to-group edit developers
clusterrole.rbac.authorization.k8s.io/edit added: "developers"

Create a qa group and grant view privileges on the auth-review project. Add the tester user to the group.

Create a qa group.

[student@workstation ~]$ oc adm groups new qa
group.user.openshift.io/qa created

Add the tester user to the qa group.

[student@workstation ~]$ oc adm groups add-users qa tester
group.user.openshift.io/qa added: "tester"

Grant view privileges to the qa group on the auth-review project.

[student@workstation ~]$ oc policy add-role-to-group view qa
clusterrole.rbac.authorization.k8s.io/view added: "qa"

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade auth-review

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish auth-review

Discuss Red Hat OpenShift Administration II: Configuring a Production Cluster

Go to community

Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster (DO280)

Haley_Ruccio

26 lip 2023

Configure, manage, and troubleshoot OpenShift clusters and containerized applicationsRed Hat OpenShift Administration II: Operating a Production Kubernetes Cluster (DO280) prepares OpenShift Cluster Administrators to perform daily administration tasks on clusters that host applications provided by internal teams and external vendors, enable self-service for cluster users with different roles, and deploy applications that require special permissions such as such as CI/CD tooling, performance monitoring, and security scanners. This course focuses on configuring multi-tenancy and security features of OpenShift as well as managing OpenShift add-ons based on operators.The skills you learn in this course can be applied using all versions of OpenShift, including Red Hat OpenShift on AWS (ROSA), Azure Red Hat OpenShift, and OpenShift Container Platform.This course is based on OpenShift Container Platform 4.12.5-10 Course TopicsDeploying packaged applications using manifests, templates, kustomize, and helm.Configuring authentication and authorization for users and applications.Protecting network traffic with network policies and exposing applications with proper network access.Deploying and managing applications using resources manifests.Enabling developer self-service of application projects.Managing OpenShift cluster updates and Kubernetes operator updates.Target AudienceSystem Administrators and Platform Operators interested in the ongoing management of OpenShift clusters, applications, users, and add-ons.Site Reliability Engineers interested in the ongoing maintenance and troubleshooting of Kubernetes clusters.System and Software Architects interested in understanding the security of an OpenShift cluster.Recommended TrainingTake our free assessment to gauge whether this offering is the best fit for your skills.Prerequisite: Red Hat OpenShift I: Containers & Kubernetes (DO180 v4.12), or equivalent skills deploying and managing Kubernetes applications using the OpenShift web console and command-line interfaces.Technology considerationsThis course requires internet access to access the cloud-based classroom environment that provides an OpenShift cluster and a remote administrator’s workstation.

476

About pod security standards and warnings

alexcorcoles

17 kwi 2023

(This material has been created with the inputs of instructors and other people. We are trying to get this material published as soon as possible to address some concerns with DO180 and DO280.)With the default configuration, any namespace that you create on OpenShift 4.12 has the following labels: pod-security.kubernetes.io/audit: restrictedpod-security.kubernetes.io/audit-version: v1.24pod-security.kubernetes.io/warn: restrictedpod-security.kubernetes.io/warn-version: v1.24 These labels activate auditing and warning of the restricted pod security standard. The Kubernetes documentation describes the restricted pod security standard. Pod security standards such as restricted are not directly related to security context constraints such as the restricted SCC.Kubernetes uses an admission controller to reject pods that do not comply with pod security standards. An admission controller is a Kubernetes component that inspects every Kubernetes resource before its creation, and acts before Kubernetes creates the resource. This action can include rejecting the creation of the resource, or modifying the resource.The pod security standards are policies that include properties that workloads must follow. For example, the restricted standard requires that containers set the securityContext.allowPrivilegeEscalation field to false.Pod security standards apply both to workloads, such as deployments and jobs, and to pods.When a pod is created, the admission controller inspects the container specifications and enumerates the fields that violate the pod security standard of the namespace. The admission controller inspects the pod-security labels in the namespace to decide which pod security standard to apply (restricted, baseline, or privileged), and which action to take on violations. Namespaces can audit, warn, or enforce pod security standard violations. When the pod-security.kubernetes.io/audit annotation is set to restricted, the admission controller prevents the creation of pods that violate the security standard. When the pod-security.kubernetes.io/audit and pod-security.kubernetes.io/warn annotations are defined in the project, the admission controller does not block the creation of pods, but registers audit events or warnings.The admission controller does not enforce pod security standards for workloads. If the namespace is configured to enforce a pod security standard, then you can create a violating workload. The admission controller enforces only pod security policies on pods.Cluster administrators can use pod security standards to ensure that pods and workloads in namespaces limit their privileges. By limiting privileges, cluster administrators can mitigate what malicious pods can do.The default configuration of user namespaces in OpenShift does not restrict any workload; it only notifies users when they create workloads that do not follow pod security standards that might be enforced in future OpenShift versions.Security Context ConstraintsOpenShift introduced security context constraints (SCC) before the introduction of pod security standards in Kubernetes. SCCs automatically make security modifications to pods when they are created. By default, the system:openshift:scc:restricted-v2 cluster role binding applies to all authenticated users, so regular user workloads use the restricted-v2 SCC. For example, when you execute the following command to create a workload without any security configuration, the SCC adds security configuration to the pods: [user@host ~]$ oc create deployment test --image registry.ocp4.example.com:8443/redhattraining/hello-world-nginx (You can add the --dry-run=client -o yaml options to view the deployment manifest. The deployment manifest does not contain the security properties, which are described later.)If you inspect the pods that the deployment created, the SCC makes the following changes: [user@host ~]$ oc get pod test-b8d5658b6-7bxfs -o yamlapiVersion: v1kind: Podmetadata: annotations:... output omitted... openshift.io/scc: restricted-v2 seccomp.security.alpha.kubernetes.io/pod: runtime/default...output omitted...spec: containers: - image: registry.ocp4.example.com:8443/redhattraining/hello-world-nginx imagePullPolicy: Always name: hello-world-nginx resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL runAsNonRoot: true runAsUser: 1000690000... output omitted... securityContext: fsGroup: 1000690000 seLinuxOptions: level: s0:c26,c20 seccompProfile: type: RuntimeDefault... output omitted... These restrictions satisfy the restricted pod security policy.The result of these defaults means that when creating a workload (such as a deployment) in a namespace without any customization, the restricted pod security standard applies, but the admission controller only warns and audits. If the workload does not satisfy the pod security standard, then the admission controller allows the workload to be created, but prints a message such as the following warning: Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "example" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "example" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "database" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "example" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") However, by default Kubernetes creates the deployment pods with the restricted-v2 SCC, with the restrictions that the previous warning included. Due to the following factors, workloads generate only a warning, and the pod security standard admission controller allows their pods:The pod security standard admission controller never enforces pod security standards on workloads (only on pods).By default, namespaces do not enforce pod security standards on pods.By default, regular workloads create pods by using the restricted-v2 SCC, which satisfies the restricted pod security standard.Even if future versions of OpenShift change the default namespace configuration to enforce the restricted pod security standard, users will continue to be able to create workloads without explicitly declaring the restrictions that the pod security standard requires, because the restricted-v2 SCC will apply such restrictions automatically.You can take the following approaches to handling pod security:For most workloads, the restricted-v2 SCC limits pod privileges adequately. When creating a workload, you receive the warning, but the workload creates pods and works correctly.You can also create your workloads by providing a full specification of the security constraints to apply, without relying on the SCC to provide the configuration. By following this approach, privileges are more explicit, and you have greater control, so you can adjust more precisely the specific privileges that are granted to workloads.When the restricted-v2 SCC and the default restricted pod security standard are not adequate for your workload, because either you require further privileges, or you need further restrictions, you must use an existing SCC, or create a custom SCC, and provide explicit security specifications. You can also adjust the namespace labels to choose a different pod security standard, and decide to audit, log, or enforce the standard.

1473

Welcome to the Red Hat OpenShift Administration II (DO280) group in the Red Hat Learning Community!

Deanna

17 kwi 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster!To gain the most value from this group - click the "Join Group" button in the upper right hand corner.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to DO280.Read more about Red Hat OpenShift Administration II here.Thanks!

1334

Revision: do280-4.14-08d11e1