From 339dab28c814f837d375cbc808ea78ba3ba9fd56 Mon Sep 17 00:00:00 2001 From: Aline Abler Date: Tue, 2 Apr 2024 11:24:08 +0200 Subject: [PATCH] Add example for editing resource quota permissions --- .../how-to/fine-grained-access-examples.adoc | 24 +++++++++++++++++++ .../pages/how-to/lower-resource-quotas.adoc | 4 ++-- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/docs/modules/ROOT/pages/how-to/fine-grained-access-examples.adoc b/docs/modules/ROOT/pages/how-to/fine-grained-access-examples.adoc index b64f4bc..d4e4876 100644 --- a/docs/modules/ROOT/pages/how-to/fine-grained-access-examples.adoc +++ b/docs/modules/ROOT/pages/how-to/fine-grained-access-examples.adoc @@ -138,3 +138,27 @@ subjects: """ done ---- + +== Give a team or user permissions to manage resource quotas in a project + +. Remove the user from the `organization` group + +. Add the user or team which should have permission to manage resource quotas to the role binding `resource-quota-edit` in the required projects. ++ +[source,bash] +---- +ORGANIZATION=mycompany +TEAM=developers +PROJECT=mycompany-web-portal + +oc -n "${PROJECT}" patch rolebinding resource-quota-edit -oyaml --patch """ +subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: ${ORGANIZATION} + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: ${ORGANIZATION}+${TEAM} +""" +done +---- diff --git a/docs/modules/ROOT/pages/how-to/lower-resource-quotas.adoc b/docs/modules/ROOT/pages/how-to/lower-resource-quotas.adoc index d8455c8..edb990b 100644 --- a/docs/modules/ROOT/pages/how-to/lower-resource-quotas.adoc +++ b/docs/modules/ROOT/pages/how-to/lower-resource-quotas.adoc 
@@ -37,9 +37,9 @@ For further reference on ResourceQuota objects, refer to the https://kubernetes. == Preventing other users from editing the ResourceQuota object In a shared project, it's often desirable to restrict access to ResourceQuota objects, to prevent others from circumventing the quota by simply increasing it. -This can be achieved using Kubernetes rbac. +This can be achieved using Kubernetes RBAC. -Permissions to managing ResourceQuota objects are governed by the `resource-quota-edit` RoleBinding, which is created automatically in each project by {product}. +Permissions to manage ResourceQuota objects are governed by the `resource-quota-edit` RoleBinding, which is created automatically in each project by {product}. {product} users may freely edit this RoleBinding to suit their needs. By default, every user in the project's organization has permission to manage ResourceQuota objects.
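Review bot: In the fine-grained-access-examples.adoc hunk, the `subjects` list passed to `oc patch rolebinding resource-quota-edit` still contains the Group `${ORGANIZATION}`. According to lower-resource-quotas.adoc, that is the default that lets every user in the organization manage ResourceQuota objects, so adding `${ORGANIZATION}+${TEAM}` next to it does not narrow access to the team. If the goal is to restrict quota management, drop the `${ORGANIZATION}` entry from the example; if it is only to grant additional access, say so in the section text. Step 1 ("Remove the user from the `organization` group") is also unclear about whether it means group membership or the RoleBinding subject. It mentions a user while the example only binds groups, and it lacks the trailing period used in step 2. Finally, the code block ends with `done` but contains no `for` loop, so the snippet fails with a shell syntax error when pasted; remove that line.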
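Review bot: In the lower-resource-quotas.adoc hunk, the section "Preventing other users from editing the ResourceQuota object" still gives no pointer to the worked `resource-quota-edit` example that this same patch adds in fine-grained-access-examples.adoc. The wording fixes ("RBAC", "Permissions to manage") are fine, but a reader who lands here learns which RoleBinding to edit and not how. Consider adding an xref to the new "Give a team or user permissions to manage resource quotas in a project" section after the sentence "{product} users may freely edit this RoleBinding to suit their needs."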