Set Up Rok Registry Admin

This guide will walk you through giving a user permission to register a Rok cluster with a Rok Registry. This action affects the confidentiality of the data you share with other Rok clusters, which is why only trusted users should perform it.

What You’ll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
    
  2. Specify the user that will act as a Rok Registry admin:

    root@rok-tools:~/ops/deployments# export REGISTRY_ADMIN_USER=<USER>
    

    Replace <USER> with the username of the user, for example user.

  3. Render the permissions for the user:

    root@rok-tools:~/ops/deployments# j2 rok/rok-sync-rbac/overlays/deploy/rbac.yaml.j2 \
    >     -o rok/rok-sync-rbac/overlays/deploy/rbac.yaml
    
  4. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am \
    >     "Set up '$REGISTRY_ADMIN_USER' as a Rok Registry admin"
    
  5. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-sync-rbac/overlays/deploy
    

Verify

  1. Create the following Kubernetes resource and verify that the status.allowed field of the returned object is true:

    root@rok-tools:# kubectl create -o yaml -f - <<EOF
    > apiVersion: authorization.k8s.io/v1
    > kind: SubjectAccessReview
    > spec:
    >   user: ${REGISTRY_ADMIN_USER?}
    >   resourceAttributes:
    >     group: arrikto.com
    >     resource: RokOAuthProvider
    >     verb: create
    > EOF
    ...
    status:
      allowed: true
      reason: 'RBAC: allowed by ClusterRoleBinding "rok-cluster-registry-admins" of ClusterRole
        "rok-cluster-registry-admin" to User "user"'
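
The Verify step above can be scripted so that it also confirms a user who should not hold the permission is denied, which goes beyond the single positive check in the guide. This is an added example, not part of the original guide or of Rok's tooling; the function names and the sample responses are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide. Function names are hypothetical.

# Print the SubjectAccessReview from the Verify step for user $1.
sar_manifest() {
    cat <<EOF
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  user: "$1"
  resourceAttributes:
    group: arrikto.com
    resource: RokOAuthProvider
    verb: create
EOF
}

# Read `kubectl create -o yaml` output on stdin. Succeed only when the
# top-level status block contains `allowed: true`; the word "allowed"
# inside the reason string does not count.
sar_allowed() {
    awk '
        /^status:/ { in_status = 1; next }
        /^[^ \t]/  { in_status = 0 }
        in_status && /^[ \t]+allowed:[ \t]*true[ \t]*$/ { ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# check_user USER allowed|denied: query the live cluster and compare.
# Returns 2 when kubectl itself fails, so an API error is never read as "denied".
check_user() {
    local out got
    out=$(sar_manifest "$1" | kubectl create -o yaml -f -) || return 2
    if printf '%s\n' "$out" | sar_allowed; then got=allowed; else got=denied; fi
    [ "$got" = "$2" ]
}

# Constructed sample responses for offline use (not captured from a cluster).
sample_allowed() { printf 'kind: SubjectAccessReview\nstatus:\n  allowed: true\n  reason: RBAC allowed\n'; }
sample_denied()  { printf 'kind: SubjectAccessReview\nstatus:\n  allowed: false\n'; }

# Usage against a cluster ("some-other-user" is a placeholder):
#   check_user "$REGISTRY_ADMIN_USER" allowed && check_user some-other-user denied
```
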
    

Summary

You have successfully set up a user as a Rok Registry admin for your cluster.

What’s Next

The next step is to make your Rok sync daemon accessible from other Rok clusters and Registries.