Set Up Rok Registry Admin

This guide walks you through granting a user permission to register a Rok cluster with a Rok Registry. Registering a cluster affects the confidentiality of the data you share with other Rok clusters, which is why only trusted users should perform it.

What You’ll Need


  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  2. Specify the user that will act as a Rok Registry admin:

    root@rok-tools:~/ops/deployments# export REGISTRY_ADMIN_USER=<USER>

    Replace <USER> with the username of the Rok Registry admin, for example user.

  3. Render the permissions for the user:

    root@rok-tools:~/ops/deployments# j2 rok/rok-sync-rbac/overlays/deploy/rbac.yaml.j2 \
    >     -o rok/rok-sync-rbac/overlays/deploy/rbac.yaml
  4. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am \
    >     "Set up '$REGISTRY_ADMIN_USER' as a Rok Registry admin"
  5. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-sync-rbac/overlays/deploy


  1. Create the following Kubernetes resource and verify that the status field of the returned object reports allowed: true:

    root@rok-tools:# kubectl create -o yaml -f - <<EOF
    > apiVersion: authorization.k8s.io/v1
    > kind: SubjectAccessReview
    > spec:
    >   user: ${REGISTRY_ADMIN_USER?}
    >   resourceAttributes:
    >     group:
    >     resource: RokOAuthProvider
    >     verb: create
    > EOF
      allowed: true
      reason: 'RBAC: allowed by ClusterRoleBinding "rok-cluster-registry-admins" of ClusterRole
        "rok-cluster-registry-admin" to User "user"'
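
The check above can be scripted so that it fails both when access is denied and when it is granted by some binding other than the one this guide creates. The following is an added example, not part of the Rok tooling: the function name, exit codes and sample responses are constructed here, and the second sample's binding and role names are hypothetical. Pipe the output of the kubectl create command above into the function to use it against a real cluster.

```shell
#!/usr/bin/env bash
# Names taken from the verification output shown on this page.
EXPECTED_BINDING='rok-cluster-registry-admins'
EXPECTED_ROLE='rok-cluster-registry-admin'

# check_registry_admin USER   (SubjectAccessReview YAML on stdin)
# Returns 0 if USER is allowed through the expected binding, 1 if denied,
# 2 if allowed through some other grant than the one rendered in this guide.
check_registry_admin() {
    local user="$1" flat want
    # kubectl wraps the long reason string across lines; fold all whitespace
    # so the match does not depend on where the wrap fell.
    flat="$(tr '\n' ' ' | tr -s ' ')"
    want="ClusterRoleBinding \"$EXPECTED_BINDING\" of ClusterRole \"$EXPECTED_ROLE\" to User \"$user\""
    case "$flat" in
        *"allowed: true"*) ;;
        *) echo "DENIED: $user cannot create RokOAuthProvider" >&2; return 1 ;;
    esac
    case "$flat" in
        *"$want"*) echo "OK: $user is allowed via $EXPECTED_BINDING" ;;
        *) echo "UNEXPECTED GRANT for $user: review other bindings" >&2; return 2 ;;
    esac
}

# Constructed sample responses (status stanza only), for offline testing.
sample_ok() { cat <<'EOF'
status:
  allowed: true
  reason: 'RBAC: allowed by ClusterRoleBinding "rok-cluster-registry-admins" of ClusterRole
    "rok-cluster-registry-admin" to User "user"'
EOF
}
sample_other() { cat <<'EOF'
status:
  allowed: true
  reason: 'RBAC: allowed by ClusterRoleBinding "example-wide-binding" of ClusterRole
    "example-wide-role" to User "user"'
EOF
}
sample_denied() { cat <<'EOF'
status:
  allowed: false
EOF
}

sample_ok | check_registry_admin user
```

An exit code of 2 means the user already holds the permission through a different grant, which is worth reviewing given what this permission exposes.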


You have successfully set up a user as a Rok Registry admin for your cluster.

What’s Next

The next step is to make your Rok sync daemon accessible from other Rok clusters and Registries.