Securing builds by strategy

    By default, all users that can create builds are granted permission to use the docker and Source-to-image (S2I) build strategies. Users with cluster administrator privileges can enable the custom build strategy, as referenced in the restricting build strategies to a user globally section.

    You can control who can build and which build strategies they can use by using an authorization policy. Each build strategy has a corresponding build subresource: builds/docker, builds/source, and builds/custom. Creating a build with a given strategy requires two permissions: create on the builds resource and create on that strategy's subresource. Holding only one of the two is not enough. Default roles are provided that grant the create permission on each build strategy subresource.

    To prevent access to a particular build strategy globally, log in as a user with cluster administrator privileges, remove the corresponding role from the group it is bound to, and apply the annotation rbac.authorization.kubernetes.io/autoupdate: "false" to the default binding so that the API server does not restore it when it restarts. The following example shows disabling the docker build strategy.

    Procedure

    1. Apply the rbac.authorization.kubernetes.io/autoupdate annotation to the default cluster role binding for the strategy, for example by editing it with oc edit clusterrolebinding system:build-strategy-docker-binding:

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        annotations:
          rbac.authorization.kubernetes.io/autoupdate: "false" (1)
        creationTimestamp: 2018-08-10T01:24:14Z
        name: system:build-strategy-docker-binding
        resourceVersion: "225"
        selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/system%3Abuild-strategy-docker-binding
      roleRef:
        kind: ClusterRole
        name: system:build-strategy-docker
      subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: Group
        name: system:authenticated

      (1) Set the annotation's value to "false" so the binding is not reconciled back to its default on API server restart.
    2. Remove the strategy role from the group it is bound to. For the docker strategy that is the system:authenticated group:

      $ oc adm policy remove-cluster-role-from-group system:build-strategy-docker system:authenticated

    3. The admin and edit cluster roles also grant create on the strategy subresources, so the strategy stays usable for project admins and editors until it is removed from those roles as well:

      $ oc edit clusterrole admin
      $ oc edit clusterrole edit

      For each role, remove the line that corresponds to the resource of the strategy to disable. To disable the docker build strategy for admin:

        metadata:
          name: admin
        ...
        - resources:
          - builds/custom
          - builds/docker (1)
          - builds/source
        ...

        (1) Remove this line.

    You can allow a set of specific users to create builds with a particular strategy.

    Prerequisites

    • Disable global access to the build strategy.

    Procedure

    • Assign the cluster role that corresponds to the build strategy to a specific user. For example, to add the system:build-strategy-docker cluster role to the user devuser:

      $ oc adm policy add-cluster-role-to-user system:build-strategy-docker devuser

    Just as you can grant the build strategy role to a user globally, you can allow a set of specific users within a single project to create builds with a particular strategy by binding the same cluster role with a role binding scoped to that project.

    Prerequisites

    • Disable global access to the build strategy.
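    The following is an added example, not code from the OpenShift documentation and not the kube-apiserver's authorizer. It is a small model of the RBAC rule matching behind the permission check described above, enough to show why a build with a given strategy needs both create on builds and create on builds/<strategy>, and what each step of the procedures changes: dropping the system:authenticated binding, stripping builds/docker from the admin role, then re-granting system:build-strategy-docker to devuser cluster-wide or to a second user inside one project. The roles, bindings, user names (devuser, alice, root) and the project name myproject are constructed for the example; the admin role is approximated from the fragment shown in the procedure.

```python
"""Model of the RBAC checks that gate OpenShift build strategies.

Added example, not OpenShift code: reimplements only the rule matching
needed to show that a build needs `create` on `builds` AND on
`builds/<strategy>`, and what the documented procedure changes.
Role, user and project names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

STRATEGIES = ("docker", "source", "custom")
BUILD_GROUPS = {"", "build.openshift.io"}


@dataclass
class Rule:
    api_groups: Set[str]
    resources: Set[str]   # "builds", "builds/docker", "*", or "*/docker"
    verbs: Set[str]


@dataclass
class Binding:
    role: str                        # ClusterRole being bound
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    namespace: Optional[str] = None  # None: ClusterRoleBinding; else a RoleBinding in that project


def resource_matches(rule_resource: str, resource: str, subresource: str) -> bool:
    """Same three cases as upstream RBAC: '*', exact 'resource/subresource',
    or the '*/subresource' form. Note 'builds' never covers 'builds/docker'."""
    combined = f"{resource}/{subresource}" if subresource else resource
    if rule_resource in ("*", combined):
        return True
    return bool(subresource) and rule_resource == f"*/{subresource}"


def rule_allows(rule: Rule, verb: str, api_group: str, resource: str, subresource: str) -> bool:
    return (("*" in rule.verbs or verb in rule.verbs)
            and ("*" in rule.api_groups or api_group in rule.api_groups)
            and any(resource_matches(r, resource, subresource) for r in rule.resources))


def can(roles: Dict[str, List[Rule]], bindings: List[Binding], user: str, user_groups: Set[str],
        verb: str, resource: str, subresource: str = "", namespace: Optional[str] = None,
        api_group: str = "build.openshift.io") -> bool:
    """True if a binding that applies to the user, cluster-wide or in this
    namespace, names a role with a rule allowing the request."""
    for b in bindings:
        if b.namespace is not None and b.namespace != namespace:
            continue
        if user not in b.users and not (user_groups & b.groups):
            continue
        if any(rule_allows(r, verb, api_group, resource, subresource) for r in roles[b.role]):
            return True
    return False


def can_build(roles, bindings, user, user_groups, strategy, namespace) -> bool:
    """The check the text describes: create on builds AND on builds/<strategy>."""
    return (can(roles, bindings, user, user_groups, "create", "builds", "", namespace)
            and can(roles, bindings, user, user_groups, "create", "builds", strategy, namespace))


def default_policy():
    """Constructed approximation of the default roles and bindings in the text."""
    roles = {
        "cluster-admin": [Rule({"*"}, {"*"}, {"*"})],
        "admin": [Rule(set(BUILD_GROUPS), {"builds"}, {"create", "get", "list", "delete"}),
                  Rule(set(BUILD_GROUPS), {f"builds/{s}" for s in STRATEGIES}, {"create"})],
    }
    bindings = [Binding("cluster-admin", groups={"system:cluster-admins"})]
    for s in STRATEGIES:
        roles[f"system:build-strategy-{s}"] = [Rule(set(BUILD_GROUPS), {f"builds/{s}"}, {"create"})]
    for s in ("docker", "source"):   # bound to every authenticated user by default; custom is not
        bindings.append(Binding(f"system:build-strategy-{s}", groups={"system:authenticated"}))
    return roles, bindings


def disable_strategy_globally(roles, bindings, strategy):
    """Steps 2 and 3: drop the group binding, then strip the subresource from
    every other role. The strategy role itself is kept so it can be re-granted;
    cluster-admin's '*' rule is untouched and still matches."""
    bindings[:] = [b for b in bindings if b.role != f"system:build-strategy-{strategy}"]
    for name, rules in roles.items():
        if not name.startswith("system:build-strategy-"):
            for r in rules:
                r.resources.discard(f"builds/{strategy}")


def grant_strategy(bindings, strategy, user, namespace=None):
    """Re-grant: a ClusterRoleBinding (namespace=None) or a RoleBinding in one project."""
    bindings.append(Binding(f"system:build-strategy-{strategy}", users={user}, namespace=namespace))


def walkthrough() -> Dict[str, bool]:
    roles, bindings = default_policy()
    auth = {"system:authenticated"}
    bindings.append(Binding("admin", users={"devuser", "alice"}, namespace="myproject"))
    r = {}
    r["before"] = can_build(roles, bindings, "devuser", auth, "docker", "myproject")
    # builds/docker alone is useless without create on builds in that project
    r["before_other_project"] = can_build(roles, bindings, "devuser", auth, "docker", "other")
    disable_strategy_globally(roles, bindings, "docker")
    r["after_disable_docker"] = can_build(roles, bindings, "devuser", auth, "docker", "myproject")
    r["after_disable_source"] = can_build(roles, bindings, "devuser", auth, "source", "myproject")
    r["cluster_admin_unaffected"] = can_build(roles, bindings, "root", {"system:cluster-admins"}, "docker", "myproject")
    grant_strategy(bindings, "docker", "devuser")              # cluster-wide, as in the text
    grant_strategy(bindings, "docker", "alice", "myproject")   # project-scoped variant
    r["devuser_regranted"] = can_build(roles, bindings, "devuser", auth, "docker", "myproject")
    r["alice_in_project"] = can_build(roles, bindings, "alice", auth, "docker", "myproject")
    r["alice_elsewhere"] = can(roles, bindings, "alice", auth, "create", "builds", "docker", "other")
    return r


if __name__ == "__main__":
    for check, allowed in walkthrough().items():
        print(f"{check}: {allowed}")
```

    The walkthrough shows the two points that matter when auditing this: removing the group binding alone leaves project admins and editors able to use the strategy through their own role until builds/docker is stripped from those roles, and a cluster administrator's wildcard rule is never affected. On a real cluster, the equivalent check is oc auth can-i create builds --subresource=docker --as=devuser -n myproject, run once before and once after the procedure.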