Chapter 19. Impersonating the system:admin user
19.1. API impersonation
You can configure a request to the OpenShift Container Platform API to act as though it originated from another user. For more information, see User impersonation in the Kubernetes documentation.
19.2. Impersonating the system:admin user
You can use the OpenShift web console to impersonate a user and select multiple group memberships at the same time to reproduce that user’s effective permissions.
Procedure
- To grant a user permission to impersonate system:admin, run the following command:

    $ oc create clusterrolebinding <any_valid_name> --clusterrole=sudoer --user=<username>

  Tip: You can alternatively apply the following YAML to grant permission to impersonate system:admin:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: <any_valid_name>
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: sudoer
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: <username>
19.3. Impersonating the system:admin group
When a system:admin user is granted cluster administration permissions through a group, you must include the --as=<user> --as-group=<group1> --as-group=<group2> parameters in the command to impersonate the associated groups.
Procedure
- To grant a user permission to impersonate system:admin by impersonating the associated cluster administration groups, run the following command:

    $ oc create clusterrolebinding <any_valid_name> --clusterrole=sudoer --as=<user> \
        --as-group=<group1> --as-group=<group2>
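Every request issued with --as / --as-group (sections 19.2 and 19.3) or from the console impersonation dialog reaches the API server as an impersonated request, and the audit log records both identities: the authenticated caller in `user` and the assumed identity in `impersonatedUser`. The scanner below is an added example, not part of the OpenShift documentation; it assumes audit lines in the audit.k8s.io/v1 Event shape, and the sample events and the group name "cluster-admins" are constructed.

```python
"""Flag impersonated requests in Kubernetes / OpenShift API audit logs (JSON lines)."""
import json
from typing import Dict, Iterable, List

# Constructed sample audit lines (audit.k8s.io/v1 Event shape), not captured
# from a real cluster; "cluster-admins" is a placeholder group name.
SAMPLE_AUDIT_LINES = [
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "ev-1",
                "stage": "ResponseComplete", "verb": "list", "requestURI": "/api/v1/pods",
                "user": {"username": "alice", "groups": ["system:authenticated"]},
                "responseStatus": {"code": 200}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "ev-2",
                "stage": "ResponseComplete", "verb": "delete",
                "requestURI": "/api/v1/namespaces/prod",
                "user": {"username": "alice", "groups": ["system:authenticated"]},
                "impersonatedUser": {"username": "system:admin", "groups": ["cluster-admins"]},
                "responseStatus": {"code": 200}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "ev-3",
                "stage": "ResponseComplete", "verb": "get",
                "requestURI": "/api/v1/namespaces/dev/secrets/db",
                "user": {"username": "bob", "groups": ["system:authenticated"]},
                "impersonatedUser": {"username": "carol", "groups": ["dev-team"]},
                "responseStatus": {"code": 403}}),
    "garbage line that is not JSON",
]


def scan_impersonation(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per completed request that used impersonation."""
    findings = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate a corrupt line instead of aborting the whole scan
        target = ev.get("impersonatedUser")
        # RequestReceived events are written before the impersonation filter
        # runs, so only ResponseComplete events carry impersonatedUser.
        if not target or ev.get("stage") != "ResponseComplete":
            continue
        findings.append({
            "auditID": ev.get("auditID"),
            "actor": ev.get("user", {}).get("username"),
            "target": target.get("username"),
            "target_groups": list(target.get("groups") or []),
            "verb": ev.get("verb"),
            "uri": ev.get("requestURI"),
            "code": (ev.get("responseStatus") or {}).get("code"),
            # system:admin is the identity the sudoer role lets a user assume
            "severity": "high" if target.get("username") == "system:admin" else "info",
        })
    return findings


if __name__ == "__main__":
    for f in scan_impersonation(SAMPLE_AUDIT_LINES):
        print(f"{f['severity']:4} {f['actor']} -> {f['target']} {f['target_groups']} "
              f"{f['verb']} {f['uri']} ({f['code']})")
```

Denied requests (HTTP 403) are reported too, since a user probing what an impersonated identity can do is as relevant as one who succeeds.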
19.4. Impersonating a user with multiple group memberships in the web console
You can start user impersonation from multiple locations in the OpenShift Container Platform Console. Depending on where you start, you can impersonate a single user, a single group, or a user with one or more group memberships.
Prerequisites
- You must be logged in to the OpenShift Container Platform web console as a user with permission to impersonate other users.
- The user or group that you want to impersonate must already exist.
The impersonated user can belong to zero or more groups.
Procedure
- From the Overview page in the OpenShift Container Platform console, click your user name and select Impersonate User.
- In the Username field in the Impersonate dialog, enter the name of the user you want to impersonate.
  Optional: In the Groups field, choose one or more groups that are associated with the user.
  The dialog displays a warning message explaining that impersonation applies the effective permissions of the specified user and any selected groups.
- Click Impersonate to impersonate your selected user, groups, or both.
Selecting one group uses the existing single-group impersonation behavior. Selecting no groups uses regular single-user impersonation.
19.5. Starting impersonation from the Users or Groups pages
You can start impersonation for users or groups from the Users or Groups pages in the OpenShift Container Platform Console.
Procedure
- From the Overview page in the OpenShift Container Platform console, click User Management → Users.
- Open the menu for the user you want to impersonate and select Impersonate User.
- Optional: To impersonate a group, click User Management → Groups, click the menu for that group, and select Impersonate Group.
19.6. Stopping impersonation
You can stop impersonating a user or group at any time from the OpenShift Container Platform Console.
Procedure
- On any page in the OpenShift Container Platform console, click Stop impersonating at the top of the page.
- Alternatively, click your user name and select Stop impersonating.
19.7. Adding unauthenticated groups to cluster roles
As a cluster administrator, you can add unauthenticated users to the following cluster roles in OpenShift Container Platform by creating a cluster role binding. Unauthenticated users do not have access to non-public cluster roles. This should only be done in specific use cases when necessary.
You can add unauthenticated users to the following cluster roles:
- system:scope-impersonation
- system:webhook
- system:oauth-token-deleter
- self-access-reviewer
Always verify compliance with your organization’s security standards when modifying unauthenticated access.
Prerequisites
- You have access to the cluster as a user with the cluster-admin role.
- You have installed the OpenShift CLI (oc).
Procedure
- Create a YAML file named add-<cluster_role>-unauth.yaml and add the following content:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "true"
      name: <cluster_role>access-unauthenticated
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: <cluster_role>
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:unauthenticated

- Apply the configuration by running the following command:

    $ oc apply -f add-<cluster_role>-unauth.yaml
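Because a binding to system:unauthenticated is reachable by anyone who can talk to the API server, it is worth periodically listing every such binding and comparing the bound role against the four roles this section permits. The check below is an added example, not OpenShift's own tooling; it assumes the input is the JSON printed by `oc get clusterrolebindings -o json`, and the embedded sample bindings are constructed.

```python
"""Report ClusterRoleBindings that bind a role to the system:unauthenticated group."""
import json
from typing import List, Tuple

# The only cluster roles this chapter permits for unauthenticated users.
ALLOWED_UNAUTH_ROLES = {
    "system:scope-impersonation",
    "system:webhook",
    "system:oauth-token-deleter",
    "self-access-reviewer",
}


def _crb(name: str, role: str, kind: str, subject: str) -> dict:
    """Minimal ClusterRoleBinding object shaped like the YAML in this chapter (sample data)."""
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": role},
            "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                          "kind": kind, "name": subject}]}


# Constructed sample, not output from a real cluster.
SAMPLE_CRB_LIST = json.dumps({"kind": "List", "apiVersion": "v1", "items": [
    _crb("system:webhookaccess-unauthenticated", "system:webhook", "Group", "system:unauthenticated"),
    _crb("leftover-debug-binding", "cluster-admin", "Group", "system:unauthenticated"),
    _crb("alice-sudoer", "sudoer", "User", "alice"),
]})


def unauthenticated_bindings(crb_list_json: str) -> List[Tuple[str, str, bool]]:
    """Return (binding name, role name, allowed) for every binding whose
    subjects include the system:unauthenticated group."""
    out = []
    for crb in json.loads(crb_list_json).get("items", []):
        subjects = crb.get("subjects") or []  # a binding may have no subjects at all
        if not any(s.get("kind") == "Group" and s.get("name") == "system:unauthenticated"
                   for s in subjects):
            continue
        role = crb["roleRef"]["name"]
        out.append((crb["metadata"]["name"], role, role in ALLOWED_UNAUTH_ROLES))
    return out


if __name__ == "__main__":
    for name, role, ok in unauthenticated_bindings(SAMPLE_CRB_LIST):
        print(f"{'ok    ' if ok else 'REVIEW'} {name}: {role}")
```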