Set Up Rok Registry Admin
This guide will walk you through giving a user permission to register a Rok cluster with a Rok Registry. This action affects the confidentiality of the data you share with other Rok clusters, which is why only trusted users should perform it.
What You’ll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- A working Rok deployment.
- A Rok user that will act as a Rok Registry admin for the Rok cluster.
Procedure

1. Go to your GitOps repository, inside your rok-tools management environment:

       root@rok-tools:/# cd ~/ops/deployments

2. Specify the user that will act as a Rok Registry admin:

       root@rok-tools:~/ops/deployments# export REGISTRY_ADMIN_USER=<USER>

   Replace <USER> with the username of the user, for example user.

3. Render the permissions for the user:

       root@rok-tools:~/ops/deployments# j2 rok/rok-sync-rbac/overlays/deploy/rbac.yaml.j2 \
       >     -o rok/rok-sync-rbac/overlays/deploy/rbac.yaml

4. Commit your changes:

       root@rok-tools:~/ops/deployments# git commit -am \
       >     "Set up '$REGISTRY_ADMIN_USER' as a Rok Registry admin"

5. Apply the kustomization:

       root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-sync-rbac/overlays/deploy
Verify

Create the following Kubernetes resource and verify that the status field of the returned object reports allowed: true:

    root@rok-tools:# kubectl create -o yaml -f - <<EOF
    > apiVersion: authorization.k8s.io/v1
    > kind: SubjectAccessReview
    > spec:
    >   user: ${REGISTRY_ADMIN_USER?}
    >   resourceAttributes:
    >     group: arrikto.com
    >     resource: RokOAuthProvider
    >     verb: create
    > EOF
    ...
    status:
      allowed: true
      reason: 'RBAC: allowed by ClusterRoleBinding "rok-cluster-registry-admins" of ClusterRole "rok-cluster-registry-admin" to User "user"'
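
Because this permission should be held only by trusted users, the same SubjectAccessReview can also confirm that other users are denied. The script below is an added example, not part of the Arrikto tooling; the function names are hypothetical, and it assumes kubectl is configured as in the Verify step.

```shell
#!/bin/sh
# Added example (not Arrikto code): audit who may create RokOAuthProvider objects.

# Emit the SubjectAccessReview manifest from the Verify step for user $1.
sar_manifest() {
    cat <<EOF
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  user: $1
  resourceAttributes:
    group: arrikto.com
    resource: RokOAuthProvider
    verb: create
EOF
}

# Read a SubjectAccessReview response (YAML) on stdin and succeed only when
# "allowed: true" appears inside the top-level status block.
sar_allowed() {
    awk '
        /^status:/ { in_status = 1; next }
        /^[^ ]/    { in_status = 0 }
        in_status && /^  allowed: *true *$/ { ok = 1 }
        END { exit(ok ? 0 : 1) }
    '
}

# audit_registry_admins EXPECTED_ADMIN [OTHER_USER...]
# Returns 0 only if EXPECTED_ADMIN is allowed and every OTHER_USER is denied.
# A kubectl failure is reported as an error, never counted as a denial.
audit_registry_admins() (
    expected=$1; shift; rc=0
    for user in "$expected" "$@"; do
        if ! resp=$(sar_manifest "$user" | kubectl create -o yaml -f -); then
            echo "ERROR $user: SubjectAccessReview request failed"; rc=2; continue
        fi
        if printf '%s\n' "$resp" | sar_allowed; then verdict=allowed; else verdict=denied; fi
        if [ "$user" = "$expected" ]; then want=allowed; else want=denied; fi
        if [ "$verdict" = "$want" ]; then
            echo "OK    $user is $verdict"
        else
            echo "FAIL  $user is $verdict, expected $want"; [ "$rc" -ne 0 ] || rc=1
        fi
    done
    exit "$rc"
)
```

Run it as `audit_registry_admins "$REGISTRY_ADMIN_USER" alice bob`, where alice and bob stand in for usernames that must not hold the permission.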
Summary
You have successfully set up a user as a Rok Registry admin for your cluster.
What’s Next
The next step is to make your Rok sync daemon accessible from other Rok clusters and Registries.