Re: Any alternative to "oc adm policy add-scc-to-user" ?

2018-05-25 Thread Daniel Comnea 
Right you are again, my bad as i i've mixed things up.

SCC has the equivalent of K8 PSP and not all the SCC been incorporated
(yet) into PSP.
Now is all clear in my head, thanks for taking the time to respond.




On Fri, May 25, 2018 at 9:31 AM, Vyacheslav Semushin 
wrote:

> 2018-05-25 10:23 GMT+02:00 Daniel Comnea :
>
>> Slava,
>>
>> spot on !!!
>>
>> I don't know why i was under the impression that in 3.7 RBAC been fully
>> implemented and everything on parity, guess i was wrong.
>>
>
> One doesn't exclude another: RBAC was fully implemented and replaced our
> previous mechanisms. But based on my understanding, RBAC is mostly about
> authentication/authorization so it has low relation with SCC. Also because
> SCC is our own API we didn't implement such integration before.
>
>
> --
> Slava Semushin | OpenShift
>
___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev

Re: Any alternative to "oc adm policy add-scc-to-user" ?

2018-05-25 Thread Vyacheslav Semushin 
2018-05-25 10:23 GMT+02:00 Daniel Comnea :

> Slava,
>
> spot on !!!
>
> I don't know why i was under the impression that in 3.7 RBAC been fully
> implemented and everything on parity, guess i was wrong.
>

One doesn't exclude another: RBAC was fully implemented and replaced our
previous mechanisms. But based on my understanding, RBAC is mostly about
authentication/authorization so it has low relation with SCC. Also because
SCC is our own API we didn't implement such integration before.


-- 
Slava Semushin | OpenShift
___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev

Re: Any alternative to "oc adm policy add-scc-to-user" ?

2018-05-25 Thread Daniel Comnea 
Slava,

spot on !!!

I don't know why i was under the impression that in 3.7 RBAC been fully
implemented and everything on parity, guess i was wrong.
Thank you for sharing the PR, it has very useful info there ...how on earth
i missed it ;-(

Best,
Dani

On Fri, May 25, 2018 at 8:31 AM, Vyacheslav Semushin 
wrote:

> 2018-05-24 23:16 GMT+02:00 Daniel Comnea :
>
>> Hi,
>>
>> Is any alternative to "oc adm policy add-scc-to-user" command in the
>> same way there is one for "oc create serviceaccount foo" which can
>> be achieved by
>>
>> apiVersion: v1
>>
>> kind: ServiceAccount
>>
>> metadata:
>>
>>   name: foo-sa
>>
>>   namespace: foo
>>
>>
>> I'd like to be able to put all the info in a file rather than run oc cmd
>> sequentially.
>>
>
> No, there was no alternative except editing SCC via oc edit/oc patch/etc.
>
> Since 3.10 it became possible to use ClusterRole and ClusterRoleBindings
> for such things. See related PR for details: https://github.com/openshift/
> origin/pull/19349 It also has a link to a Trello card that contains a few
> pointers.
>
>
> --
> Slava Semushin | OpenShift
>
___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev

Re: Any alternative to "oc adm policy add-scc-to-user" ?

2018-05-25 Thread Vyacheslav Semushin 
2018-05-24 23:16 GMT+02:00 Daniel Comnea :

> Hi,
>
> Is any alternative to "oc adm policy add-scc-to-user" command in the same
> way there is one for "oc create serviceaccount foo" which can be achieved
> by
>
> apiVersion: v1
>
> kind: ServiceAccount
>
> metadata:
>
>   name: foo-sa
>
>   namespace: foo
>
>
> I'd like to be able to put all the info in a file rather than run oc cmd
> sequentially.
>

No, there was no alternative except editing SCC via oc edit/oc patch/etc.

Since 3.10 it became possible to use ClusterRole and ClusterRoleBindings
for such things. See related PR for details:
https://github.com/openshift/origin/pull/19349 It also has a link to a
Trello card that contains a few pointers.


-- 
Slava Semushin | OpenShift
___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev