Task:
Create the administrative account and roles for management of Domino services on K8s, OKD, or OCP 4.
Overview:
- Create project
- Create service account
- Create role
- Assign role-binding
Notes:
- Project: mwdom
- Administrators Account: domino-admin
Steps:
1. Create project/namespace:
- Login:
$ oc login -u <accountid> <apiendpoint>
<enter password>
- Create project:
$ oc new-project mwdom --description="MWNet Domino"
<confirm created>
2. Create Service Account and Set-up:
$ oc create serviceaccount domino-admin
<confirm created>
$ vi mwdom-role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: domino-admin-role
namespace: mwdom
rules:
- apiGroups: [""]
resources: ["pods", "persistentvolumeclaims" ]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
$ oc apply -f mwdom-role.yaml
<confirm added>
$ vi mwdom-rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: domino-admin-role-binding
namespace: mwdom
subjects:
- kind: ServiceAccount
name: domino-admin
namespace: mwdom
roleRef:
kind: Role
name: domino-admin-role
apiGroup: rbac.authorization.k8s.io
$ oc apply -f mwdom-rolebinding.yaml
<confirm added>
3. Give privileged pod execution:
Note:
- Domino runs as the notes user (1000), but certain actions take place as root
- OKD/OCP 4.11 and higher will fail domino's SCC checks as it implements "restricted-v2"
- Two options, updated the pod deployment auto-config.yml with additional security context entries, or update the namespace for privilege rights.
If you want to give the mwdom namespace privileged rights, and bypass the restricted-v2 checks, perform:
$ oc label ns/mwdom pod-security.kubernetes.io/enforce=privileged --overwrite=true
<confirm success>
$ oc label ns/mwdom pod-security.kubernetes.io/warn=privileged --overwrite=true
<confirm success>
$ oc label ns/mwdom pod-security.kubernetes.io/audit=privileged --overwrite=true
<confirm success>
previous page
|