OpenShift Account Configuration

Follow each section below to configure the OpenShift cluster account before adding the OpenShift account credential to Container Protection. The OpenShift account user needs to be the cluster administrator.

Obtain OpenShift Cluster API Address

Create OpenShift Service Account

Create a Cluster Role

Create RoleBindings

Obtain Service Account Token

Obtain OpenShift Cluster API Address

  1. Log in to the OpenShift cluster console with your administrator account.
  2. From the OpenShift cluster console navigation pane, go to Home > Overview.
  3. Make a note of the Cluster API address.

Create OpenShift Service Account

  1. From the OpenShift cluster console navigation pane, go to User Management > ServiceAccounts.
  2. Click Create ServiceAccount.
  3. Fill in a name for the service account, and keep the rest of the YAML definitions as is.
  4. Click Create to create the service account.

Note: Make a note of the service account you created; you will use it later in other configuration.

Create a Cluster Role

  1. From the OpenShift cluster console navigation pane, go to User Management > Roles to open the Roles page.
  2. Click Create Role to create a role.
  3. Use the minimum required YAML definition below, changing only the role name. Enter a role name of your choice.

    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: (user-defined)
      # selfLink, uid, resourceVersion, creationTimestamp and managedFields
      # are values the API server populated on the object shown here.
      selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/alfredrole
      uid: 18ab3197-3cf0-4340-8b57-74db943b20b8
      resourceVersion: '5880313'
      creationTimestamp: '2021-03-24T22:48:04Z'
      managedFields:
        - manager: Mozilla
          operation: Update
          apiVersion: rbac.authorization.k8s.io/v1
          time: '2021-03-24T22:48:04Z'
          fieldsType: FieldsV1
          fieldsV1:
            'f:rules': {}
    rules:
      # Read-only access to image resources.
      - verbs:
          - get
          - watch
          - list
        apiGroups:
          - image.openshift.io
        resources:
          - images
          - imagestreamimages
          - imagestreams
          - imagestreams/layers

  4. Click Create to finish creating the role.

Note: Make a note of the role name; you will use it later in other configuration.
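
Because this role is later bound cluster-wide, it is worth confirming that it grants nothing beyond the minimum listed above. The following is an added example, not Fortinet's code: it audits a ClusterRole exported with `oc get clusterrole <name> -o json`, and the role names and sample documents in it are constructed for illustration.

```python
import json

# Minimum grant listed on this page: read-only access to image.openshift.io.
ALLOWED = {
    "verbs": {"get", "watch", "list"},
    "apiGroups": {"image.openshift.io"},
    "resources": {"images", "imagestreamimages", "imagestreams",
                  "imagestreams/layers"},
}

# Constructed sample inputs, shaped like `oc get clusterrole <name> -o json`
# output. The role names are hypothetical.
MINIMAL_ROLE = json.dumps({
    "kind": "ClusterRole",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "image-scan-reader"},
    "rules": [{k: sorted(v) for k, v in ALLOWED.items()}],
})
BROAD_ROLE = json.dumps({
    "kind": "ClusterRole",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "image-scan-broad"},
    "rules": [
        {"verbs": ["get", "list", "watch", "delete"],
         "apiGroups": ["image.openshift.io"], "resources": ["imagestreams"]},
        {"verbs": ["*"], "apiGroups": [""], "resources": ["secrets"]},
    ],
})


def audit_cluster_role(role):
    """Return one finding per grant that exceeds the page's minimum."""
    findings = []
    if role.get("kind") != "ClusterRole":
        findings.append("kind is %r, expected 'ClusterRole'" % role.get("kind"))
    if role.get("aggregationRule"):
        findings.append("aggregationRule set: other roles can add rules")
    for i, rule in enumerate(role.get("rules") or []):
        if rule.get("nonResourceURLs"):
            findings.append("rule %d: nonResourceURLs granted" % i)
        for field, allowed in ALLOWED.items():
            extra = sorted(set(rule.get(field) or []) - allowed)
            if extra:
                findings.append("rule %d: %s beyond minimum: %s" % (i, field, extra))
    return findings


if __name__ == "__main__":
    for doc in (MINIMAL_ROLE, BROAD_ROLE):
        role = json.loads(doc)
        print(role["metadata"]["name"], audit_cluster_role(role) or "OK")
```

An empty result means the role matches the documented minimum; wildcards are reported because `*` is not in any allowed set.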

Create RoleBindings

  1. From the OpenShift cluster console navigation pane, go to User Management > RoleBindings to open the RoleBindings page.
  2. Click Create binding to create a role binding with the service account.
  3. In Binding type, select "Cluster-wide role binding (ClusterRoleBinding)".
  4. Fill in a RoleBinding name of your choice. Click the Role name drop-down button and select the role created earlier.
  5. In Subject, select serviceAccount. Click the Namespace drop-down menu and select openshift-image-registry.
  6. In the Subject name field, enter a Subject name of your choice.

Obtain Service Account Token

  1. From the OpenShift cluster console navigation pane, go to User Management > Service Accounts to open the ServiceAccounts page.
  2. Click the service account created previously. Scroll down to the Secrets section, and click the secret with the type "kubernetes.io/service-account-token".
  3. On the Secret Details page, scroll down and locate the token, then click Copy to Clipboard to copy the token for later use.
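
Before handing the copied token to another product, you can confirm that it identifies the intended service account and nothing else. The following is an added example, not Fortinet's code: it decodes the token's JWT claims for inspection only (the signature is not verified; the API server does that), and it assumes the service account lives in the openshift-image-registry namespace selected in the binding step. The account name `image-scanner` and the sample token are constructed.

```python
import base64
import json
import time


def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))


def check_token(token, namespace, name, now=None):
    """Return problems that mean the token is not the intended identity."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    expected = "system:serviceaccount:%s:%s" % (namespace, name)
    if claims.get("sub") != expected:
        problems.append("sub is %r, expected %r" % (claims.get("sub"), expected))
    exp = claims.get("exp")  # absent on tokens that do not expire
    if exp is not None and exp <= now:
        problems.append("token expired at %d" % exp)
    return problems


def b64url_json(obj):
    """Encode a dict as an unpadded base64url JWT segment (sample data only)."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token: placeholder signature, hypothetical account name.
SAMPLE_TOKEN = ".".join([
    b64url_json({"alg": "RS256", "typ": "JWT"}),
    b64url_json({"iss": "kubernetes/serviceaccount",
                 "sub": "system:serviceaccount:openshift-image-registry:image-scanner"}),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    print(check_token(SAMPLE_TOKEN, "openshift-image-registry", "image-scanner"))
    print(check_token(SAMPLE_TOKEN, "default", "image-scanner"))
```

Run the check on a trusted workstation and avoid pasting the token into online decoders, since the token is a live credential.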
