6.2.2. Disabling self-provisioning

You can prevent an authenticated user group from self-provisioning new projects.

  1. Log in as a user with cluster-admin privileges.
  2. View the self-provisioners cluster role binding usage. Run the following command, then review the subjects in the self-provisioners section.

    $ oc describe clusterrolebinding.rbac self-provisioners
    
    Name:		self-provisioners
    Labels:		<none>
    Annotations:	rbac.authorization.kubernetes.io/autoupdate=true
    Role:
      Kind:	ClusterRole
      Name:	self-provisioner
    Subjects:
      Kind	Name				Namespace
      ----	----				---------
      Group	system:authenticated:oauth
  3. Remove the self-provisioner cluster role from the system:authenticated:oauth group.

    • If the self-provisioners cluster role binding binds only the self-provisioner role to the system:authenticated:oauth group, run the following command:

      $ oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
    • If the self-provisioners cluster role binding binds the self-provisioner role to more users, groups, or service accounts than the system:authenticated:oauth group, run the following command:

      $ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
  4. Set the projectRequestMessage parameter value in the master-config.yaml file to instruct developers how to request a new project. This parameter value is a string that is presented to a user in the web console when they attempt to self-provision a project. You can use one of the following messages:

    • To request a project, contact your system administrator at projectname@example.com.
    • To request a new project, fill out the project request form located at https://internal.example.com/openshift-project-request.

    Example YAML file

    ...
    projectConfig:
      projectRequestMessage: "message"
      ...

  5. Edit the self-provisioners cluster role binding to prevent automatic updates to the role. Automatic updates reset the cluster roles to the default state.

    • Update the role binding from the command line:

      1. Run the following command:

        $ oc edit clusterrolebinding.rbac self-provisioners
      2. In the displayed role binding, set the rbac.authorization.kubernetes.io/autoupdate parameter value to false, as shown in the following example:

        apiVersion: authorization.openshift.io/v1
        kind: ClusterRoleBinding
        metadata:
          annotations:
            rbac.authorization.kubernetes.io/autoupdate: "false"
        ...
    • Update the role binding with a single command:

      $ oc patch clusterrolebinding.rbac self-provisioners -p '{ "metadata": { "annotations": { "rbac.authorization.kubernetes.io/autoupdate": "false" } } }'
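After the procedure, the self-provisioners binding should have no broad group left among its subjects and an autoupdate annotation of "false"; the following Python audit (an added example, not part of the Red Hat documentation) checks both conditions on the JSON that `oc get clusterrolebinding.rbac self-provisioners -o json` returns. It also flags the plain system:authenticated group, which the page does not mention but which would equally grant project creation to every logged-in user; the two JSON samples are constructed.

```python
import json

# Constructed sample of `oc get clusterrolebinding.rbac self-provisioners -o json`
# BEFORE the procedure is applied (example data, not captured from a real cluster).
BEFORE_JSON = """{
  "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
  "metadata": {"name": "self-provisioners",
               "annotations": {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
              "name": "self-provisioner"},
  "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
                "name": "system:authenticated:oauth"}]
}"""

# The same binding AFTER steps 3 and 5: subjects nulled out, autoupdate set to "false".
AFTER_JSON = """{
  "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
  "metadata": {"name": "self-provisioners",
               "annotations": {"rbac.authorization.kubernetes.io/autoupdate": "false"}},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
              "name": "self-provisioner"},
  "subjects": null
}"""

AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"
# Groups that, if still bound, let every logged-in user create projects. system:authenticated
# is an assumption going beyond the page, which only names the :oauth group.
BROAD_GROUPS = {"system:authenticated:oauth", "system:authenticated"}


def audit_self_provisioners(crb_json):
    """Return a list of findings for a self-provisioners ClusterRoleBinding in JSON form.
    An empty list means self-provisioning is disabled and the binding will not be
    reset to its default by the automatic RBAC reconciliation."""
    crb = json.loads(crb_json)
    findings = []
    # After `oc patch ... -p '{"subjects": null}'` the key is present but null.
    for subject in crb.get("subjects") or []:
        if subject.get("kind") == "Group" and subject.get("name") in BROAD_GROUPS:
            findings.append("self-provisioner is still bound to group %s" % subject["name"])
    annotations = crb.get("metadata", {}).get("annotations") or {}
    if annotations.get(AUTOUPDATE) != "false":
        findings.append("%s is not \"false\"; the binding will be reset to default" % AUTOUPDATE)
    return findings


if __name__ == "__main__":
    for label, doc in (("before", BEFORE_JSON), ("after", AFTER_JSON)):
        print(label, audit_self_provisioners(doc) or ["ok"])
```

On a live cluster, pipe the output of the `oc get ... -o json` command into `audit_self_provisioners` instead of the constructed samples.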