OpenShift Account Configuration
Follow each section below to configure the OpenShift cluster account before adding the OpenShift account credential to Container Protection. The OpenShift account user needs to be a cluster administrator.
Obtain OpenShift Cluster API Address
- Log into the OpenShift cluster console with your administrator account.
- From the OpenShift cluster console navigation pane, go to Home > Overview.
- Make a note of the Cluster API address.
Create OpenShift Service Account
- From the OpenShift cluster console navigation pane, go to User Management > ServiceAccounts.
- Click Create ServiceAccount.
- Fill in a name for the service account, and keep the rest of the YAML definition as is.
- Click Create to create the service account.
Note: Make a note of the service account you created; it is used later in other configuration steps.
Create a Cluster Role
- From the OpenShift cluster console navigation pane, go to User Management > Roles to open the Roles page.
- Click Create Role to create a role.
- Use the minimum required YAML definition below, changing only the role name. Enter a role name of your choice.
- Click Create to finish creating the role.
# Only the name and rules are needed; the API server populates uid,
# resourceVersion, creationTimestamp and managedFields itself.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: (user-defined)
rules:
  # Read-only access to image resources in the image.openshift.io API group.
  - verbs:
      - get
      - watch
      - list
    apiGroups:
      - image.openshift.io
    resources:
      - images
      - imagestreamimages
      - imagestreams
      - imagestreams/layers
Note: Make a note of the role name; it is used later in other configuration steps.
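The following added example (not part of the original page or the product's own tooling) audits a ClusterRole against the minimum rule set shown above, reporting required grants that are missing and grants that exceed the minimum. The function names, the sample role name `example-role` and both sample roles are constructed for illustration.

```python
from itertools import product

# Minimum grants from the page's ClusterRole, as (apiGroup, resource, verb).
REQUIRED = set(product(
    ["image.openshift.io"],
    ["images", "imagestreamimages", "imagestreams", "imagestreams/layers"],
    ["get", "watch", "list"],
))

def expand(role):
    """Flatten a ClusterRole's rules into (apiGroup, resource, verb) triples."""
    triples = set()
    for rule in role.get("rules") or []:
        # Rules on nonResourceURLs carry no resources; list the URL in that slot.
        resources = rule.get("resources") or rule.get("nonResourceURLs") or []
        triples |= set(product(rule.get("apiGroups") or [""],
                               resources, rule.get("verbs") or []))
    return triples

def covers(grant, need):
    """True if a granted triple satisfies a needed one; '*' matches anything.
    Patterns such as '*/layers' are not interpreted here."""
    return all(g in ("*", n) for g, n in zip(grant, need))

def audit(role):
    """Return (missing, excess) relative to the page's minimum rule set."""
    granted = expand(role)
    missing = sorted(n for n in REQUIRED if not any(covers(g, n) for g in granted))
    excess = sorted(g for g in granted if g not in REQUIRED)
    return missing, excess

# Constructed sample: the role exactly as the page defines it.
PAGE_ROLE = {"kind": "ClusterRole", "metadata": {"name": "example-role"}, "rules": [
    {"verbs": ["get", "watch", "list"], "apiGroups": ["image.openshift.io"],
     "resources": ["images", "imagestreamimages", "imagestreams",
                   "imagestreams/layers"]}]}

# Constructed sample: wildcard verbs on one resource plus read access to secrets.
BROAD_ROLE = {"kind": "ClusterRole", "metadata": {"name": "example-role"}, "rules": [
    {"verbs": ["*"], "apiGroups": ["image.openshift.io"], "resources": ["imagestreams"]},
    {"verbs": ["get"], "apiGroups": [""], "resources": ["secrets"]}]}

if __name__ == "__main__":
    for label, role in (("page role", PAGE_ROLE), ("broad role", BROAD_ROLE)):
        missing, excess = audit(role)
        print(f"{label}: {len(missing)} missing, excess={excess}")
```

To audit a live role, pass `audit` the parsed JSON from `oc get clusterrole <role-name> -o json`.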
Create RoleBindings
- From the OpenShift cluster console navigation pane, go to User Management > RoleBindings to open the RoleBindings page.
- Click Create binding to create a role binding with the service account.
- In Binding type, select "Cluster-wide role binding (ClusterRoleBinding)".
- Fill in a RoleBinding name of your choice. Click the Role name drop-down button and select the role created earlier.
- In Subject, select serviceAccount. Click the Namespace drop-down menu and select openshift-image-registry.
- In the Subject name field, give a Subject name of your choice.
Obtain Service Account Token
- From the OpenShift cluster console navigation pane, go to User Management > Service Accounts to open the ServiceAccounts page.
- Click on the service account created previously. Scroll down to the Secrets section, and click on the secret with the type "kubernetes.io/service-account-token".
- On the Secret Details page, scroll down and locate the token, then click Copy to Clipboard to copy the token for later use.