이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 16. Securing Builds by Strategy


16.1. Overview

Builds in OpenShift are run in privileged containers that have access to the Docker daemon socket. As a security measure, it is recommended to limit who can run builds and the strategy that is used for those builds. Custom builds are inherently less safe than Source builds, given that they can execute any code in the build with potentially full access to the node’s Docker socket. Docker build permission should also be granted with caution as a vulnerability in the Docker build logic could result in a privileges being granted on the host node.

By default, project administrators (the admin role) and project editors (the edit role) are granted permission to use all build strategies (Docker, Source-to-Image, and Custom).

You can control who can build with what build strategy using an authorization policy. Each build strategy has a corresponding build subresource. Granting permission to create on the build subresource allows the user to create builds of that type.

Table 16.1. Build Strategy Subresources
StrategySubresource

Docker

builds/docker

Source-to-Image

builds/source

Custom

builds/custom

16.2. Disabling a Build Strategy Globally

To prevent access to a particular build strategy globally, log in as a user with cluster-admin privileges and edit each of the default roles:

$ oc edit clusterrole admin
$ oc edit clusterrole edit

For each role, remove the line that corresponds to the resource of the strategy to disable:

Example 16.1. Disable the Docker Build Strategy for admin

kind: ClusterRole
metadata:
  name: admin
...

rules:
- attributeRestrictions: null
  resources:
  - builds/custom
  - builds/docker 1
  - builds/source
  - pods/exec
  - pods/portforward

...
1
Delete this line to disable Docker builds globally for users with the admin role.

16.3. Restricting Build Strategies to a User Globally

To allow only a set of specific users to create builds with a particular strategy:

  1. Remove the build strategy subresource from the default admin and edit roles.
  2. Create a separate role for the build strategy. For example, create a dockerstrategy.yaml file that defines a separate role for the Docker build strategy:

    kind: ClusterRole
    apiVersion: v1
    metadata:
      name: dockerbuilder
    rules:
    - resources:
      - builds/docker
      verbs:
      - create

    As cluster administrator, create the new cluster role:

    $ oc create -f dockerstrategy.yaml
  3. Assign the new cluster role to a specific user. For example, to add the new dockerbuilder cluster role to the user devuser:

    $ oadm policy add-cluster-role-to-user dockerbuilder devuser
Warning

Granting a user access at the cluster level to the builds/docker subresource means that the user will be able to create builds with the Docker strategy in any project in which they can create builds.

16.4. Restricting Build Strategies to a User Within a Project

Similar to granting the build strategy role to a user globally, to allow only a set of specific users within a project to create builds with a particular strategy:

  1. Remove the build strategy resource from the default admin and edit roles.
  2. Create a separate role for that build strategy.
  3. Assign the role to a specific user within a project. For example, to add the new dockerbuilder role within the project devproject to the user devuser:

    $ oadm policy add-role-to-user dockerbuilder devuser -n devproject
Red Hat logoGithubRedditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

© 2024 Red Hat, Inc.