Red Hat Bugzilla – Bug 1249154
Adding policy role to use to do push in registry.
Last modified: 2017-12-28 07:08:26 EST
Document URL: https://docs.openshift.com/enterprise/3.0/admin_guide/install/docker_registry.html#securing-the-registry
Section Number and Name: Step 11
Describe the issue:
Nowhere in the setup does it say that you must add a policy to the users. Unable to complete steps without knowledge of this.
Suggestions for improvement:
[root@master]# oc policy add-role-to-user admin trey -n default
[root@master]# oc policy add-role-to-user admin trey -n openshift
More explanation on why you must have these roles for the users in both projects in order to push images to the Docker registry container.
"admin" on "default" and "openshift" is too wide a role for the permission you're trying to grant. "system:image-builder" is more appropriate, but we still haven't fully baked whether we want to encourage binding users to system roles (liggitt on copy for an opinion).
Now about what you're trying to do overall. I would not expect average users to be able to push images into "default" and "openshift". Ordinarily, you'd have a user pushing images to the repository for his own project and admins and editors already have permissions to do that. Are you looking to grant someone permission to push shared images? If so, do you envision that being a manual or automated process? Such distinctions are important for proper descriptions in the doc.
Normal users shouldn't have admin/edit/view roles in the default or openshift projects, only in their own projects.
I'd tend to lean towards using the admin,edit,view roles for normal users, rather than roles like system:image-builder.
If you want to give a normal (non-cluster-admin) user permission to push images to the openshift namespace, but don't want to give them edit access in that namespace, that should probably be a red flag that you are doing something unusual.
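The rule the two maintainers state above (normal users get admin/edit/view only in their own project, never in "default" or "openshift", and not system:* roles) is easy to encode as a pre-check in front of the `oc policy add-role-to-user` call. The script below is an added example written for this page; it is not part of the bug report, the OpenShift documentation or the OpenShift code base. The user name "trey" and project "trey-project" are illustrative, and the DRY_RUN variable is an assumption of this script so it can be exercised without a cluster.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenShift): a guard around
# `oc policy add-role-to-user` that enforces the guidance in the thread.
# Ordinary users receive admin/edit/view only in their own projects, never in
# the "default" or "openshift" projects, and never system:* roles.
# Usage: grant_push_role USER PROJECT [ROLE]   (ROLE defaults to edit)
# With DRY_RUN=1 (an assumption of this script) the oc command is printed
# instead of run, so the logic can be checked without a cluster.

# check_role_binding ROLE PROJECT
# Returns 0 if binding ROLE to a normal user in PROJECT follows the thread's
# guidance, 1 otherwise; the reason goes to stderr.
check_role_binding() {
  role="$1"; project="$2"
  case "$project" in
    default|openshift)
      echo "refusing: normal users should not hold roles in '$project'" >&2
      return 1 ;;
  esac
  case "$role" in
    admin|edit|view) ;;   # the roles intended for normal users
    *)
      echo "refusing: '$role' is not admin/edit/view (system roles are for cluster components)" >&2
      return 1 ;;
  esac
  return 0
}

# grant_push_role USER PROJECT [ROLE]
# 'edit' (or 'admin') in the user's own project is enough to push to the
# project's image streams in the integrated registry, per the replies above.
grant_push_role() {
  user="$1"; project="$2"; role="${3:-edit}"
  check_role_binding "$role" "$project" || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "oc policy add-role-to-user $role $user -n $project"
  else
    oc policy add-role-to-user "$role" "$user" -n "$project"
  fi
}

# Example invocations (DRY_RUN set so no cluster is needed):
#   DRY_RUN=1 grant_push_role trey trey-project      # accepted, prints the oc command
#   DRY_RUN=1 grant_push_role trey openshift         # refused: shared project
#   DRY_RUN=1 grant_push_role trey trey-project system:image-builder   # refused: system role
```

If an admin genuinely needs someone to publish shared images into "openshift", the script refusing is the "red flag" Jordan describes: do that deliberately as a cluster-admin task rather than by binding a normal user there.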
Based on David and Jordan's responses, I am going to close this bug as WONTFIX. Please reopen if more information can be provided.