OpenShift Security Concepts

From NovaOrdis Knowledge Base
Jump to navigation Jump to search




Interaction with OpenShift is associated with a user. An OpenShift user is an entity that can make requests to the OpenShift API. Typically, an user represents the account of a developer or administrator. The users are internally represented with an User object, which in turn represents an actor. Permissions can be given to actors in the system by adding roles to them, or their groups. The association between an user or group and a role is called binding. A user/group may be bound to multiple roles.

There are several user types:

Regular User

An individual system user. Regular users are created automatically upon the first login, or they can be created with the API. They are represented with the User object. The regular users on the system can be obtained as "system:admin" with oc get users.

System User

Most system users are created automatically when the infrastructure is defined, for the purpose of enabling the infrastructure to interact with the API securely. System users include:

Cluster Administrator

The cluster administrator 'system:admin'. The cluster administrator has access to everything. It uses a certificate to authenticate with the environment. The certificate is stored in ~/.kube/config file under the Unix account used to connect to the OpenShift environment, in the "users:" section. The original content of ~/.kube/config for the Unix root account of the master server is created by copying it from /etc/origin/master/admin.kubeconfig. This is the procedure allow system:admin to access a remote environment via oc:

Procedure to enable system:admin remote access

Additional users can be made cluster administrators executing oadm policy add-cluter-role-to-user command.

To list the cluster administrators, use oc get clusterrolebinding/cluster-admins command.

Per-Node System User

A per-node user ''.

Other System Users

  • Users for use by routers.
  • Users for use by registries 'system:openshift-registry'

Anonymous System User

An anonymous system user. API requests with missing or invalid authentication are treated as requests from the anonymous system user.

Service Account

A service account is a special, non-human system user that acts automatically and requires access to objects in its own project or other projects. Service accounts are associated with projects (namespace-scoped).

Service accounts are typically used by services such as routers and registries, or when system components need to make an API call to the master: for example, when replication controllers make API calls to create or delete pods, when Jenkins interacts with the master to start a build, or when an external application makes API calls for monitoring and integration purposes. The reason to use service account in all these cases is that they provide a way to control API access without sharing regular user credentials. Service account authenticated to the API using tokens signed by an internal private RSA key, which is verified by the authentication layer.

A number of service accounts are created automatically when the project is created. The list of service accounts to be created automatically is specified in the serviceAccountConfig/managedNames section of the OpenShift master configuration file. The list contains "builder", "deployer" and "default". When instantiated for a specific project, the service account specified in the master file become "system:serviceaccount:<project-name>:default", "system:serviceaccount:<project-name>:builder" and "system:serviceaccount:<project-name>:deployer", Additional service accounts can also be created by the project administrator, later.

Service accounts can be granted roles, in a same way a regular user can be granted roles, using oc policy add-role-to-user command. Every service account is member of the groups "system:serviceaccounts" and "system:serviceaccounts:<project-name>" and it is given the "system:image-puller" role.

Internally, the service accounts are represented with the ServiceAccount object.

Service accounts are specified in the deployment configuration as follows:

apiVersion: v1
kind: DeploymentConfig
      serviceAccountName: some-service-account

The list of service accounts for a project can be obtained with:

oc get sa

and can be created with

oc create

Service Accounts and Secrets

Service accounts are associated with secrets. The list of secrets associated with a service account can be obtained with oc sa as describe below:

List the Secrets Associated with a Service Account

Service accounts link to secrets. What is the semantics of adding a secret to a service account?

Service Accounts and SCCs


Service Accounts and SCCs

User Identity

Information about the identity of users can be obtained with oc get identity. Users are uniquely identified on the system by their UID, but they can have multiple user names associated with them, if they come into the system after being authenticated by different identity providers.

oc get identity
allow_all:alice    allow_all  alice           alice       2c381dd3-5bbe-11e5-9ccb-08002733d9bd
htpasswd:alice     htpasswd   alice           alice2      b19b75ba-5bce-11e5-b065-08002733d9bd

An identity can be deleted with oc delete identity.

User Context

Returned by oc whoami -c.


A group is a set of users. A user can be part of multiple groups. Groups are useful when we want to grant permissions to multiple users at once, versus granting the same permissions to users individually. Groups can be explicitly defined or they can be system groups (virtual groups) that are automatically provisioned by OpenShift.

A group can be associated with multiple roles by binding it to the roles.

Group information can be obtained with oc describe group. A new group can be created with oadm groups.

Virtual Group

system:authenticated - automatically associated with any currently-authenticated users.

system:unauthenticated - automatically associated with any currently-unauthenticated users.

Role Binding

The association between an user or group and a role is called binding.

For a list of existing cluster role bindings, execute:

oc get clusterrolebinding
RoleBinding Definition



Cluster Roles

A cluster role is a role applicable across all projects. A cluster role is part of the cluster policy.






The role than needs to be bound to a service account so the service account can operate the integrated registry.

For a complete list of cluster roles, execute:

oc get clusterrolebinding

Local Roles

A local role is a role scoped to a specific project. A local role is part of the project's local policy.


Users in this role have the /edit role and they can change the project's membership.


Users in this role can create and edit most objects in the project, but can't change the project's membership.


Users in this role can deploy within the project. Used by service accounts for automated deployments.


Users in this role can build, push and pull images within the project. Used by service accounts that perform builds.




Relationship between Users, Groups, Bindings, Roles and Rules



A policy is a collection of rules that specify which users can and cannot do with objects (pods, services, etc.). It is a Kubernetes concept.

Cluster Policy

The cluster policy contains roles and bindings that are applicable across all projects. Cluster bindings can only reference cluster roles.

Local Policy

The local policy contains roles and bindings that are scoped to a specific project. Local bindings can reference both cluster roles and local roles.


An external user can interact with OpenShift only by making REST API calls. This is how command lines tools, web clients and everybody else interacts with it. Thus the process of authenticating against OpenShift is the process of authenticating against the REST API. Authentication means establishing the identity of the user making the API call. The authentication layer provides a framework for collaboration and quota management. It supports multiple mechanisms for authentication. API calls are authenticated with a token issued by the authentication mechanism. The authentication is performed with oc login.

Authentication Methods

Requests to the OpenShift API are authenticated via two methods:

OAuth Access Tokens

The OpenShift master runs a built-in OAuth server. Users attempting to access the API via CLI or web console must authenticate and obtain an OAuth access token.

Once authenticated, the bearer token can be obtained on command line with:

oc whoami -t

The OAuth server can be configured with a pluggable identity provider.

X.509 Client Certificates


Identity Providers




Secrets Concepts

OpenShift Master OAuth Server

The master exposes an OAuth server at "/oauth/authorize".

OAuth Server Configuration

The OAuth server configuration is specified in /etc/origin/master/master-config.yaml, under the "oauthConfig" label.

OAuth Token Duration

This is where the OAuth token expiration time can be specified:

accessTokenMaxAgeSeconds: 86400

Alternatively, it can be configured from the console: Administration → Cluster Settings → Global Settings → Oauth → Modify the Yaml configuration as follows:

kind: OAuth
  name: cluster
    accessTokenMaxAgeSeconds: 172800

The confirmation can be obtained by running:

oc describe

OpenShift OAuth Authentication Sequence

An OpenShift OAuth token request looks like this:


with a Basic Authorization header "Authorization: Basic b3ZpZGl1Om92aWRpdTEyMw=="

If authenticated, the response should be a 302 redirect with the Location that contains the token:

Location: https://openshift-master1:8443/oauth/token/display#access_token=Wvgp_89KM-OsOjfQb-wISSfxPFRJdfckAoFMBOrk7Qo&expires_in=86400&token_type=bearer

Note that https://openshift-master1:8443/oauth/token is not actually a redirect location, in that there's nothing there. Explain this.

For more details, see:

OpenShift OAuth Authentication Sequence


An OAuth client.

OAuth client operations:

OAuth Client Operations


Master (API Server) Certificate

Configured in master-config.yaml.

Security Context Constraints

OpenShift uses Security Context Constraints (SCCs) to control the actions that a pod can perform and what it has the ability to access.

Security Context Constraints