6.2.2. 禁用自助置备
您可以防止经过身份验证的用户组自助置备新项目。
- 以具有 cluster-admin 权限的用户身份登录。
检查
self-provisionersclusterrolebinding usage。运行以下命令,然后检查self-provisioners部分中的主题。$ oc describe clusterrolebinding.rbac self-provisioners Name: self-provisioners Labels: <none> Annotations: rbac.authorization.kubernetes.io/autoupdate=true Role: Kind: ClusterRole Name: self-provisioner Subjects: Kind Name Namespace ---- ---- --------- Group system:authenticated:oauth
从
system:authenticated:oauth组中移除self-provisioner集群角色。如果
self-provisioners集群角色绑定仅将self-provisioner角色绑定至system:authenticated:oauth组,请运行以下命令:$ oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'如果
self-provisionersclusterrolebinding 将self-provisioner角色绑定到system:authenticated:oauth组以外的更多用户、组或 serviceaccounts,请运行以下命令:$ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
设置 master-config.yaml 文件中的
projectRequestMessage参数值,以指示开发人员如何请求新项目。此参数值是一个字符串,当用户尝试自助置备项目时,该字符串将在 Web 控制台中显示给用户。您可以使用以下信息之一:-
To request a project, contact your system administrator at
projectname@example.com. -
To request a new project, fill out the project request form located at
https://internal.example.com/openshift-project-request.
YAML 文件示例
... projectConfig: ProjectRequestMessage: "message" ...
-
To request a project, contact your system administrator at
编辑
self-provisioners集群角色绑定,以防止自动更新角色。自动更新会使集群角色重置为默认状态。从命令行更新角色绑定:
运行以下命令:
$ oc edit clusterrolebinding.rbac self-provisioners
在显示的角色绑定中,将
rbac.authorization.kubernetes.io/autoupdate参数值设置为false,如下例所示:apiVersion: authorization.openshift.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "false" ...
使用单个命令更新角色绑定:
$ oc patch clusterrolebinding.rbac self-provisioners -p '{ "metadata": { "annotations": { "rbac.authorization.kubernetes.io/autoupdate": "false" } } }'
