OpenShift Security Concepts
- 1 External
- 2 Internal
- 3 User
- 4 User Identity
- 5 User Context
- 6 Group
- 7 Role Binding
- 8 Role
- 9 Rule
- 10 Relationship between Users, Groups, Bindings, Roles and Rules
- 11 Policy
- 12 Authentication
- 13 Authorization
- 14 Secret
- 15 OpenShift Master OAuth Server
- 16 OAuthClient
- 17 Certificates
- 18 Security Context Constraints
Interaction with OpenShift is associated with a user. An OpenShift user is an entity that can make requests to the OpenShift API. Typically, an user represents the account of a developer or administrator. The users are internally represented with an User object, which in turn represents an actor. Permissions can be given to actors in the system by adding roles to them, or their groups. The association between an user or group and a role is called binding. A user/group may be bound to multiple roles.
There are several user types:
An individual system user. Regular users are created automatically upon the first login, or they can be created with the API. They are represented with the User object. The regular users on the system can be obtained as "system:admin" with oc get users.
Most system users are created automatically when the infrastructure is defined, for the purpose of enabling the infrastructure to interact with the API securely. System users include:
The cluster administrator 'system:admin'. The cluster administrator has access to everything. It uses a certificate to authenticate with the environment. The certificate is stored in ~/.kube/config file under the Unix account used to connect to the OpenShift environment, in the "users:" section. The original content of ~/.kube/config for the Unix root account of the master server is created by copying it from /etc/origin/master/admin.kubeconfig. This is the procedure allow system:admin to access a remote environment via oc:
Additional users can be made cluster administrators executing oadm policy add-cluter-role-to-user command.
To list the cluster administrators, use oc get clusterrolebinding/cluster-admins command.
Per-Node System User
A per-node user 'system:node:node1.example.com'.
Other System Users
- Users for use by routers.
- Users for use by registries 'system:openshift-registry'
Anonymous System User
An anonymous system user. API requests with missing or invalid authentication are treated as requests from the anonymous system user.
A service account is a special, non-human system user that acts automatically and requires access to objects in its own project or other projects. Service accounts are associated with projects (namespace-scoped).
Service accounts are typically used by services such as routers and registries, or when system components need to make an API call to the master: for example, when replication controllers make API calls to create or delete pods, when Jenkins interacts with the master to start a build, or when an external application makes API calls for monitoring and integration purposes. The reason to use service account in all these cases is that they provide a way to control API access without sharing regular user credentials. Service account authenticated to the API using tokens signed by an internal private RSA key, which is verified by the authentication layer.
A number of service accounts are created automatically when the project is created. The list of service accounts to be created automatically is specified in the serviceAccountConfig/managedNames section of the OpenShift master configuration file. The list contains "builder", "deployer" and "default". When instantiated for a specific project, the service account specified in the master file become "system:serviceaccount:<project-name>:default", "system:serviceaccount:<project-name>:builder" and "system:serviceaccount:<project-name>:deployer", Additional service accounts can also be created by the project administrator, later.
Service accounts can be granted roles, in a same way a regular user can be granted roles, using oc policy add-role-to-user command. Every service account is member of the groups "system:serviceaccounts" and "system:serviceaccounts:<project-name>" and it is given the "system:image-puller" role.
Internally, the service accounts are represented with the ServiceAccount object.
Service accounts are specified in the deployment configuration as follows:
apiVersion: v1 kind: DeploymentConfig spec: ... template: spec: containers: ... serviceAccountName: some-service-account
The list of service accounts for a project can be obtained with:
and can be created with
Service Accounts and Secrets
Service accounts are associated with secrets. The list of secrets associated with a service account can be obtained with oc sa as describe below:
Service accounts link to secrets. What is the semantics of adding a secret to a service account?
Service Accounts and SCCsSee:
Information about the identity of users can be obtained with oc get identity. Users are uniquely identified on the system by their UID, but they can have multiple user names associated with them, if they come into the system after being authenticated by different identity providers.
oc get identity NAME IDP NAME IDP USER NAME USER NAME USER UID allow_all:alice allow_all alice alice 2c381dd3-5bbe-11e5-9ccb-08002733d9bd htpasswd:alice htpasswd alice alice2 b19b75ba-5bce-11e5-b065-08002733d9bd
An identity can be deleted with oc delete identity.
Returned by oc whoami -c.
A group is a set of users. A user can be part of multiple groups. Groups are useful when we want to grant permissions to multiple users at once, versus granting the same permissions to users individually. Groups can be explicitly defined or they can be system groups (virtual groups) that are automatically provisioned by OpenShift.
system:authenticated - automatically associated with any currently-authenticated users.
system:unauthenticated - automatically associated with any currently-unauthenticated users.
The association between an user or group and a role is called binding.
For a list of existing cluster role bindings, execute:
A cluster role is a role applicable across all projects. A cluster role is part of the cluster policy.
The role than needs to be bound to a service account so the service account can operate the integrated registry.
For a complete list of cluster roles, execute:
A local role is a role scoped to a specific project. A local role is part of the project's local policy.
Users in this role have the /edit role and they can change the project's membership.
Users in this role can create and edit most objects in the project, but can't change the project's membership.
Users in this role can deploy within the project. Used by service accounts for automated deployments.
Relationship between Users, Groups, Bindings, Roles and Rules
A policy is a collection of rules that specify which users can and cannot do with objects (pods, services, etc.). It is a Kubernetes concept.
An external user can interact with OpenShift only by making REST API calls. This is how command lines tools, web clients and everybody else interacts with it. Thus the process of authenticating against OpenShift is the process of authenticating against the REST API. Authentication means establishing the identity of the user making the API call. The authentication layer provides a framework for collaboration and quota management. It supports multiple mechanisms for authentication. API calls are authenticated with a token issued by the authentication mechanism. The authentication is performed with oc login.
Requests to the OpenShift API are authenticated via two methods:
OAuth Access Tokens
The OpenShift master runs a built-in OAuth server. Users attempting to access the API via CLI or web console must authenticate and obtain an OAuth access token.
Once authenticated, the bearer token can be obtained on command line with:
The OAuth server can be configured with a pluggable identity provider.
X.509 Client Certificates
OpenShift Master OAuth Server
The master exposes an OAuth server at "/oauth/authorize".
OAuth Server Configuration
The OAuth server configuration is specified in /etc/origin/master/master-config.yaml, under the "oauthConfig" label.
This is where the OAuth token expiration time can be specified:
OpenShift OAuth Authentication Sequence
An OpenShift OAuth token request looks like this:
with a Basic Authorization header "Authorization: Basic b3ZpZGl1Om92aWRpdTEyMw=="
If authenticated, the response should be a 302 redirect with the Location that contains the token:
Note that https://openshift-master1:8443/oauth/token is not actually a redirect location, in that there's nothing there. Explain this.For more details, see:
An OAuth client.OAuth client operations:
Master (API Server) Certificate
Configured in master-config.yaml.
Security Context Constraints
OpenShift uses Security Context Constraints (SCCs) to control the actions that a pod can perform and what it has the ability to access.