From 7714056b8dde7a54a6a838cc7e727fe2dbd6ae44 Mon Sep 17 00:00:00 2001
From: Yuxiang Zhu
Date: Aug 08 2019 05:58:03 +0000
Subject: Add README for C3IaaS jobs and RBAC definition
---
diff --git a/c3iaas/README.md b/c3iaas/README.md
new file mode 100644
index 0000000..ccdcaff
--- /dev/null
+++ b/c3iaas/README.md
@@ -0,0 +1,51 @@
+# C3I-as-a-Service
+
+The C3I team hosts OpenShift pipeline jobs for some
+common CI/CD routines. This is called C3I-as-a-Service,
+or C3IaaS.
+
+## Onboarding to C3IaaS
+
+For security reasons, the C3I team restricts the access to C3IaaS jobs only to on-boarded clients.
+
+A C3I client needs to provide a list of OpenShift users (service accounts) or groups to the C3I team, then the C3I team assigns the `c3iaas-user` role using the following command:
+
+```
+# assign to users
+oc policy add-role-to-user --role-namespace=c3i c3iaas-user mikeb yuxzhu
+
+# assign to groups
+oc policy add-role-to-group --role-namespace=c3i c3iaas-user system:serviceaccounts:c3i system:serviceaccounts:c3i-stage
+```
+
+The definition of `c3iaas-user` role can be found from the `rbac` directory.
+
+## c3iaas-request-project
+
+This job can be triggered by a C3I user to request a temporary OpenShift project in OpenShift. That project will be tracked by C3IaaS and is automatically deleted when expires.
+
+To trigger this job, a C3I user can run
+
+```
+oc start-build -n c3i c3iaas-request-project -e PROJECT_NAME=c3i-
+```
+
+Following build parameters are supported:
+
+- PROJECT_NAME
+Required, the name of requested OpenShift project, must be prefixed with `c3i-`
+
+- DELETE_PROJECT_IF_EXISTS="true"
+if `true`, delete the project before recreating.
+
+- ADMIN_USERS
+Comma separated list of OpenShift users that will be assigned with the `admin` role.
+
+- ADMIN_GROUPS
+Comma separated list of OpenShift groups that will be assigned with the `admin` role.
+
+- VIEW_USERS
+Comma separated list of OpenShift users that will be assigned with the `view` role.
+
+- VIEW_GROUPS="system:authenticated"
+Comma separated list of OpenShift groups that will be assigned with the `view` role.
diff --git a/c3iaas/rbac/c3iaas-user-role.yaml b/c3iaas/rbac/c3iaas-user-role.yaml
new file mode 100644
index 0000000..974746d
--- /dev/null
+++ b/c3iaas/rbac/c3iaas-user-role.yaml
@@ -0,0 +1,35 @@
+apiVersion: authorization.openshift.io/v1
+kind: Role
+metadata:
+ name: "c3iaas-user"
+rules:
+- apiGroups:
+ - ""
+ - build.openshift.io
+ attributeRestrictions: null
+ resources:
+ - buildconfigs
+ - buildconfigs/webhooks
+ - builds
+ - builds/log
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - build.openshift.io
+ attributeRestrictions: null
+ resources:
+ - jenkins
+ verbs:
+ - view
+- apiGroups:
+ - ""
+ - build.openshift.io
+ attributeRestrictions: null
+ resources:
+ - buildconfigs/instantiate
+ - buildconfigs/instantiatebinary
+ - builds/clone
+ verbs:
+ - create
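Review bot: The third rule grants `create` on `buildconfigs/instantiate`, `buildconfigs/instantiatebinary` and `builds/clone` for every BuildConfig in the namespace the role is bound in (the README binds it with `--role-namespace=c3i`), not only the C3IaaS jobs, and the first rule's `get` on `builds/log` likewise covers every build in that namespace, so an on-boarded client can start and read the logs of builds that are not part of C3IaaS. If `c3i` holds other BuildConfigs, consider narrowing the instantiate rule with `resourceNames:` listing the C3IaaS jobs, e.g. `resourceNames:` / `- c3iaas-request-project` under that rule; `builds/clone` is keyed by build name, so a restriction there is harder to express and may need a separate rule. `attributeRestrictions: null` and the `authorization.openshift.io/v1` API are the legacy OpenShift role form; if the cluster supports it, `rbac.authorization.k8s.io/v1` expresses the same rules without that field. A short header comment stating the intent, e.g. `# Minimal role for on-boarded C3IaaS clients: view and start builds in the c3i namespace`, would help future editors judge whether a new verb or resource belongs here.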