docs/doc/source/security/kubernetes/create-other-system-administrators-97b99bb94430.rst
Suzana Fernandes 32f9681c6a Fix code block in the new Security:UserManagement section (dsR10, r10)
Change-Id: I8605c99db604f26032dd6ae556fcc6a7193572a1
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
2025-01-16 18:41:14 +00:00

Create Other System Administrators

After setting up your first system administrator, use this first system administrator to configure other system administrators.

In the following example, creating other system administrators consists of:

  • Create system administrator groups with different privilege levels.
    • The Level1SystemAdmin group, with full privileges (including linux sudo), was already created when the first system administrator was set up.
    • Create a Level2SystemAdmin group with full privileges, with no linux sudo capability.
    • Create a Level3SystemAdmin group with read-only privileges.
  • Create one or more new system administrator users in each of the above groups.
    • For each user, create both:
      • a local user account.
      • a keystone user account.

  • You need to use the first system administrator created to execute this procedure.

  1. Login to the active controller as the first system administrator, joefulladmin in this example.

    Use either a local console or an SSH session.

  2. Source local_starlingxrc to set up the environment variables and the keystone user's authentication credentials.

    $ source local_starlingxrc
    Enter the password to be used with keystone user joefulladmin:
    Created file /home/joefulladmin/joefulladmin-openrc
  3. Use oidc-auth to authenticate through the configured OIDC identity provider for the kubernetes CLI.

    $ oidc-auth
    Using "joefulladmin" as username.
    Password:
    Successful authentication.
    Updated /home/joefulladmin/.kube/config .
  4. Set up additional system admin groups with different privileges.

    Create a directory for temporary files for setting up users and groups.

    $ mkdir /home/joefulladmin/users
    1. Create a new local group for system administrators with full privileges but without linux sudo capability.

      $ sudo ldapaddgroup Level2SystemAdmin
      1. Add full Linux authorization privileges (but without linux 'sudo' capability) to the Level2SystemAdmin group members.

        Update /etc/security/group.conf with the group mapping. pam_group reads this file at login and grants the listed supplementary groups (here sys_protected and root) to Level2SystemAdmin members. The sed command below appends the line unconditionally, so run it once per controller.

        Note

        For a controller configuration, this step must be done on both controllers.

        $ sudo sed -i '$ a\*;*;%Level2SystemAdmin;Al0000-2400;sys_protected,root' /etc/security/group.conf
      2. Add restricted kubernetes authorization privileges to the Level2SystemAdmin group members.

        Add a kubernetes ClusterRole and ClusterRoleBinding that bind the Level2SystemAdmin group to a more restricted set of kubernetes capabilities. Note that the rules cover only the core API group ("") and that they include full access to secrets; resources in other API groups, such as deployments in apps, are not granted by this ClusterRole.

        $ cat << EOF > /home/joefulladmin/users/Level2SystemAdmin-clusterrolebinding.yml
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRole
        metadata:
          name: Level2SystemAdmin
        rules:
        # For the core API group (""), allow full access to the listed resource types.
        # serviceaccounts and resource policies (limitranges and resourcequotas) only get read access.
        - apiGroups: [""]
          resources: ["bindings", "configmaps", "endpoints", "events", "persistentvolumeclaims", "pods", "podtemplates", "replicationcontrollers", "secrets", "services"]
          verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
        - apiGroups: [""]
          resources: ["serviceaccounts", "limitranges", "resourcequotas"]
          verbs: ["get", "list"]
        ---
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        metadata:
          name: Level2SystemAdmin
        subjects:
        - kind: Group
          name: Level2SystemAdmin
          apiGroup: rbac.authorization.k8s.io
        roleRef:
          kind: ClusterRole
          name: Level2SystemAdmin
          apiGroup: rbac.authorization.k8s.io
        EOF
        
        $ kubectl apply -f /home/joefulladmin/users/Level2SystemAdmin-clusterrolebinding.yml
      3. The 'admin' StarlingX (keystone) authorization privileges are given to Level2SystemAdmin group members when the users are created in a subsequent step.

    2. Create a new local group for read-only system administrators.

      $ sudo ldapaddgroup Level3SystemAdmin
      1. Do not add additional linux authorization privileges to the Level3SystemAdmin group members.

        Update /etc/security/group.conf with the group mapping. pam_group grants Level3SystemAdmin members only the users supplementary group at login. As above, the sed command appends unconditionally, so run it once per controller.

        Note

        For a controller configuration, this step must be done on both controllers.

        $ sudo sed -i '$ a\*;*;%Level3SystemAdmin;Al0000-2400;users' /etc/security/group.conf
      2. Add 'reader' Kubernetes authorization privileges to the Level3SystemAdmin group members.

        Add a kubernetes ClusterRole and ClusterRoleBinding that bind the Level3SystemAdmin group to a read-only set of kubernetes capabilities. Read-only here means get, list and watch on every resource in the core API group (""), which includes reading the contents of secrets; resources in other API groups are not covered by this ClusterRole.

        $ cat << EOF > /home/joefulladmin/users/Level3SystemAdmin-clusterrolebinding.yml
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRole
        metadata:
          name: Level3SystemAdmin
        rules:
        - apiGroups: [""] # "" indicates the core API group
          resources: ["*"]
          verbs: ["get", "watch", "list"]
        ---
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        metadata:
          name: Level3SystemAdmin
        subjects:
        - kind: Group
          name: Level3SystemAdmin
          apiGroup: rbac.authorization.k8s.io
        roleRef:
          kind: ClusterRole
          name: Level3SystemAdmin
          apiGroup: rbac.authorization.k8s.io
        EOF
        
        $ kubectl apply -f /home/joefulladmin/users/Level3SystemAdmin-clusterrolebinding.yml
      3. The 'reader' StarlingX (keystone) authorization privileges are given to Level3SystemAdmin group members when the users are created in a subsequent step.

  5. Create system administrator users in each of the three system admin groups. Each user gets both a local LDAP account (ldapusersetup) and a keystone account. The keystone password is passed on the command line in the steps below, so it ends up in the shell history and, briefly, in the process list; read it into USERPASSWORD with read -s instead if that matters in your environment.

    1. Create one or more users in the Level1SystemAdmin group and give each a keystone user account with an 'admin' role.

      $ sudo ldapusersetup -u davefulladmin
      Password:
      Successfully added user davefulladmin to LDAP
      Successfully set password for user davefulladmin
      Warning : password is reset, user will be asked to change password at login
      Successfully modified user entry uid=davefulladmin,ou=People,dc=cgcs,dc=local in LDAP
      Updating password expiry to 90 days
      Successfully modified user entry uid=davefulladmin,ou=People,dc=cgcs,dc=local in LDAP
      Updating password expiry to 2 days
      
      $ sudo ldapaddusertogroup davefulladmin Level1SystemAdmin
      
      $ USERNAME="davefulladmin"
      $ USERPASSWORD="<password>"
      $ PROJECTNAME="admin"
      $ PROJECTID=$(openstack project show -f value -c id "${PROJECTNAME}")
      $ openstack user create --password "${USERPASSWORD}" --project ${PROJECTID} "${USERNAME}"
      $ openstack role add --project ${PROJECTNAME} --user ${USERNAME} _member_
      $ openstack role add --project ${PROJECTNAME} --user ${USERNAME} admin

      Repeat this step for additional users required in the Level1SystemAdmin group.

    2. Create one or more users in the Level2SystemAdmin group and give each a keystone user account with an 'admin' role.

      $ sudo ldapusersetup -u jimbasicadmin
      Password:
      Successfully added user jimbasicadmin to LDAP
      Successfully set password for user jimbasicadmin
      Warning : password is reset, user will be asked to change password at login
      Successfully modified user entry uid=jimbasicadmin,ou=People,dc=cgcs,dc=local in LDAP
      Updating password expiry to 90 days
      Successfully modified user entry uid=jimbasicadmin,ou=People,dc=cgcs,dc=local in LDAP
      Updating password expiry to 2 days
      
      $ sudo ldapaddusertogroup jimbasicadmin Level2SystemAdmin
      
      $ USERNAME="jimbasicadmin"
      $ USERPASSWORD="<password>"
      $ PROJECTNAME="admin"
      $ PROJECTID=$(openstack project show -f value -c id "${PROJECTNAME}")
      $ openstack user create --password "${USERPASSWORD}" --project ${PROJECTID} "${USERNAME}"
      $ openstack role add --project ${PROJECTNAME} --user ${USERNAME} _member_
      $ openstack role add --project ${PROJECTNAME} --user ${USERNAME} admin

      Repeat this step for additional users required in the Level2SystemAdmin group.

    3. Create one or more users in the Level3SystemAdmin group and give each a keystone user account with 'reader' role.

      $ sudo ldapusersetup -u billreaderadmin
      Password:
      Successfully added user billreaderadmin to LDAP
      Successfully set password for user billreaderadmin
      Warning : password is reset, user will be asked to change password at login
      Successfully modified user entry uid=billreaderadmin,ou=People,dc=cgcs,dc=local in LDAP
      Updating password expiry to 90 days
      Successfully modified user entry uid=billreaderadmin,ou=People,dc=cgcs,dc=local in LDAP
      Updating password expiry to 2 days
      
      $ sudo ldapaddusertogroup billreaderadmin Level3SystemAdmin
      
      $ USERNAME="billreaderadmin"
      $ USERPASSWORD="<password>"
      $ PROJECTNAME="admin"
      $ PROJECTID=$(openstack project show -f value -c id "${PROJECTNAME}")
      $ openstack user create --password "${USERPASSWORD}" --project ${PROJECTID} "${USERNAME}"
      $ openstack role add --project ${PROJECTNAME} --user ${USERNAME} _member_
      $ openstack role add --project ${PROJECTNAME} --user ${USERNAME} reader

      Repeat this step for additional users required in the Level3SystemAdmin group.

Each system administrator user created should now be able to:

  • log in to the system (local console or SSH), and
    • execute linux commands based on their linux authorizations (the group.conf mappings and, for Level1SystemAdmin, sudo).
    • execute StarlingX CLI commands based on their keystone role (admin or reader).
    • execute kubernetes CLI commands based on the kubernetes role bindings of their group.
  • See section: system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936.
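The following bash helpers are an added example for checking that the privilege split set up above actually holds before credentials are handed out; they are not part of the StarlingX documentation or code base. add_group_conf_line replaces the unconditional sed append with an idempotent one, group_conf_groups reports what pam_group will grant a group, and verify_rbac asks the API server, via kubectl auth can-i with group impersonation, whether each group can do what the two ClusterRoles intend. The KUBECTL and GROUP_CONF overrides, the placeholder user name rbac-probe and the expectation table are assumptions of this example; the table reflects only the two ClusterRoles above, so extend it if your cluster binds these groups elsewhere, and the caller needs permission to impersonate users and groups.

```shell
#!/bin/bash
# Added example (not StarlingX code): post-setup checks for the
# Level2SystemAdmin / Level3SystemAdmin groups created in the procedure above.
# KUBECTL and GROUP_CONF are overridable so the helpers can be exercised
# against a stub command and a temporary file (assumptions of this example).
set -u

KUBECTL="${KUBECTL:-kubectl}"
GROUP_CONF="${GROUP_CONF:-/etc/security/group.conf}"

# Append a pam_group mapping only if that exact line is not already present.
# The procedure's `sed -i '$ a\...'` appends unconditionally, so re-running it
# (or running it from one script on both controllers) duplicates the line.
add_group_conf_line() {
    local line="$1"
    grep -qxF -- "$line" "$GROUP_CONF" && return 0
    printf '%s\n' "$line" >> "$GROUP_CONF"
}

# Print the supplementary groups pam_group grants to members of GROUP: the
# fifth ';'-separated field (services;ttys;users;times;groups) of the line
# whose users field is %GROUP. Prints nothing if there is no mapping.
group_conf_groups() {
    awk -F';' -v g="%$1" '$3 == g { print $5 }' "$GROUP_CONF"
}

# Ask the API server whether a member of GROUP may VERB RESOURCE, using
# impersonation. kubectl requires --as together with --as-group; the user name
# rbac-probe is a placeholder that need not exist. Prints "yes" or "no".
rbac_can() {
    "$KUBECTL" auth can-i "$2" "$3" --as=rbac-probe --as-group="$1" 2>/dev/null || true
}

# Expected outcomes derived from the two ClusterRoles in the procedure
# (constructed for this example; extend it if the groups have other bindings).
# Columns: group verb resource expected
RBAC_EXPECTATIONS='
Level2SystemAdmin delete pods yes
Level2SystemAdmin update secrets yes
Level2SystemAdmin create serviceaccounts no
Level2SystemAdmin update resourcequotas no
Level2SystemAdmin get deployments.apps no
Level3SystemAdmin list pods yes
Level3SystemAdmin get secrets yes
Level3SystemAdmin create pods no
Level3SystemAdmin get deployments.apps no
'

# Check every expectation; print a FAIL line for each mismatch and return 1
# if any differ, 0 if the live RBAC matches the intended privilege split.
verify_rbac() {
    local rc=0 group verb resource expected actual
    while read -r group verb resource expected; do
        [ -z "$group" ] && continue
        actual="$(rbac_can "$group" "$verb" "$resource")"
        if [ "$actual" != "$expected" ]; then
            echo "FAIL: $group $verb $resource: expected $expected, got '${actual:-<no output>}'"
            rc=1
        fi
    done <<EOF
$RBAC_EXPECTATIONS
EOF
    return $rc
}
```

Source the file as joefulladmin after the kubectl apply steps and run verify_rbac: a FAIL line either means a binding was not applied or that some other binding widens the group beyond what the ClusterRole intends (Level3 reading secrets and neither group touching deployments are deliberate entries, so the table documents those consequences as well). On each controller, add_group_conf_line with the same line used in the sed commands can replace those commands and is safe to repeat.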