To prevent access to a particular build strategy globally, log in as a user with
cluster-admin privileges, remove the corresponding role from the
system:authenticated group, and apply the annotation
rbac.authorization.kubernetes.io/autoupdate: "false"
to protect the binding from changes between API restarts. The following example
shows disabling the docker build strategy.
- Apply the rbac.authorization.kubernetes.io/autoupdate annotation:

    $ oc edit clusterrolebinding system:build-strategy-docker-binding

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "false" (1)
      creationTimestamp: 2018-08-10T01:24:14Z
      name: system:build-strategy-docker-binding
      resourceVersion: "225"
      selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/system%3Abuild-strategy-docker-binding
      uid: 17b1f3d4-9c3c-11e8-be62-0800277d20bf
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:build-strategy-docker
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:authenticated

  (1) Change the rbac.authorization.kubernetes.io/autoupdate annotation's value to "false".
- Remove the role:

    $ oc adm policy remove-cluster-role-from-group system:build-strategy-docker system:authenticated
- Ensure the build strategy subresources are also removed from these roles:

    $ oc edit clusterrole admin
    $ oc edit clusterrole edit

- For each role, remove the line that corresponds to the resource of the strategy to disable.
  - Disable the Docker Build Strategy for admin:

      kind: ClusterRole
      metadata:
        name: admin
      ...
      rules:
      - resources:
        - builds/custom
        - builds/docker (1)
        - builds/source
        ...
      ...

    (1) Delete this line to disable Docker builds globally for users with the admin role.
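An added example, not part of the original documentation: a Python check that audits whether the procedure above has taken effect, working from the JSON that oc get clusterrolebinding ... -o json and oc get clusterrole ... -o json return. The helper name audit_strategy and the embedded JSON samples are constructed for illustration and show the state before the procedure is applied.

```python
import json

# Constructed sample, trimmed to the fields checked; same shape as
#   oc get clusterrolebinding system:build-strategy-docker-binding -o json
BINDING_JSON = """{
  "metadata": {
    "name": "system:build-strategy-docker-binding",
    "annotations": {"rbac.authorization.kubernetes.io/autoupdate": "true"}
  },
  "roleRef": {"kind": "ClusterRole", "name": "system:build-strategy-docker"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]
}"""

# Constructed sample, same shape as: oc get clusterrole admin -o json
ADMIN_ROLE_JSON = """{
  "metadata": {"name": "admin"},
  "rules": [{"resources": ["builds/custom", "builds/docker", "builds/source"],
             "verbs": ["create"]}]
}"""

AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"


def audit_strategy(binding, roles, strategy="docker"):
    """Hypothetical helper: return findings; an empty list means disabled."""
    findings = []
    name = binding["metadata"]["name"]
    annotations = binding["metadata"].get("annotations") or {}
    # The annotation must be "false" to protect the binding across API restarts.
    if annotations.get(AUTOUPDATE) != "false":
        findings.append(f'{name}: {AUTOUPDATE} is not "false"')
    # subjects may be absent or null once the last subject has been removed.
    for subject in binding.get("subjects") or []:
        if subject.get("kind") == "Group" and subject.get("name") == "system:authenticated":
            findings.append(f"{name}: still bound to system:authenticated")
    resource = f"builds/{strategy}"
    for role in roles:
        for rule in role.get("rules") or []:
            if resource in (rule.get("resources") or []):
                findings.append(f"{role['metadata']['name']}: rule grants {resource}")
    return findings


if __name__ == "__main__":
    roles = [json.loads(ADMIN_ROLE_JSON)]
    for finding in audit_strategy(json.loads(BINDING_JSON), roles):
        print("FAIL", finding)
```

Pass the edit cluster role alongside admin in the roles list to cover both roles named in the procedure.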