Creating Domino Admin Role in OKD/OCP4 for Managing Domino Services

Mindwatering Incorporated

Author: Tripp W Black

Created: 07/14 at 04:35 PM

 

Category:
Domino Installs, RH OpenShift
Software Installation
Project Deploy

Task:


Create the administrative account and roles for management of Domino services on K8s, OKD, or OCP 4.

Overview:
- Create project
- Create service account
- Create role
- Assign role-binding

Notes:
- Project: mwdom
- Administrators Account: domino-admin


Steps:
1. Create project/namespace:
- Login:
$ oc login -u <accountid> <apiendpoint>
<enter password>

- Create project:
$ oc new-project mwdom --description="MWNet Domino"
<confirm created>


2. Create Service Account and Set-up:
$ oc create serviceaccount domino-admin
<confirm created>

$ vi mwdom-role.yaml

kind: Role
apiVersion: rbac.authorization.k8s.io/v1

metadata:
  name: domino-admin-role
  namespace: mwdom

rules:

- apiGroups: [""]
  resources: ["pods", "persistentvolumeclaims" ]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]


$ oc apply -f mwdom-role.yaml
<confirm added>

$ vi mwdom-rolebinding.yaml

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1

metadata:
  name: domino-admin-role-binding
  namespace: mwdom

subjects:
- kind: ServiceAccount
  name: domino-admin
  namespace: mwdom

roleRef:
  kind: Role
  name: domino-admin-role
  apiGroup: rbac.authorization.k8s.io


$ oc apply -f mwdom-rolebinding.yaml
<confirm added>


3. Give privileged pod execution:
Note:
- Domino runs as the notes user (1000), but certain actions take place as root
- OKD/OCP 4.11 and higher will fail domino's SCC checks as it implements "restricted-v2"
- Two options, updated the pod deployment auto-config.yml with additional security context entries, or update the namespace for privilege rights.

If you want to give the mwdom namespace privileged rights, and bypass the restricted-v2 checks, perform:
$ oc label ns/mwdom pod-security.kubernetes.io/enforce=privileged --overwrite=true
<confirm success>

$ oc label ns/mwdom pod-security.kubernetes.io/warn=privileged --overwrite=true
<confirm success>

$ oc label ns/mwdom pod-security.kubernetes.io/audit=privileged --overwrite=true
<confirm success>














previous page

×