Solved: system:authenticated:oauth - DO280 ch03s05

bibbinator · ‎07-24-2023

In Chapter 3 Section 5 - "Configuring Authentication and Authorization" - how do you find the groups so you can do part 4? Specifically where can I get the group name 'system:authenticated:oauth' used in 4.2?

Chetan_Tiwary_ · ‎07-24-2023

Hello @bibbinator !

Thanks for reaching out !

Please refer here : https://kubernetes.io/docs/reference/access-authn-authz/rbac/

This is the group from which the self-provisioner cluster role will be removed. system:authenticated:oauth is a virtual group that represents all users who have been authenticated using OAuth.

In the step 4 in ch03s05 : the system:authenticated:oauth group name is used to specify the group that the self-provisioner cluster role should be removed from. This means that users who are members of the system:authenticated:oauth group will no longer be able to use the self-provisioner cluster role.

You can check the same in your system( as a cluster-admin) using the command :

oc describe clusterrolebinding.rbac self-provisioner

View solution in original post

alexcorcoles · ‎07-24-2023

In the previous GE, in step 2.1 you examine the self-provisioners cluster role binding, and there you learn that the self-provisioner cluster role is assigned to the system:authenticated:oauth group.

However, although the lecture shows the self-provisioner role, you may consider that the lecture does not provide enough detail to complete the review lab if you didn't do the GE, so there might be a small gap there.

I would suggest, though, that if you want further discussion, open a separate topic (so it's easier for others to see your comment), or use the feedback button in the course to report an issue (I found no existing issue about topic).

View solution in original post

Chetan_Tiwary_ · ‎07-24-2023

Hello @bibbinator !

Thanks for reaching out !

Please refer here : https://kubernetes.io/docs/reference/access-authn-authz/rbac/

This is the group from which the self-provisioner cluster role will be removed. system:authenticated:oauth is a virtual group that represents all users who have been authenticated using OAuth.

In the step 4 in ch03s05 : the system:authenticated:oauth group name is used to specify the group that the self-provisioner cluster role should be removed from. This means that users who are members of the system:authenticated:oauth group will no longer be able to use the self-provisioner cluster role.

You can check the same in your system( as a cluster-admin) using the command :

oc describe clusterrolebinding.rbac self-provisioner

alexcorcoles · ‎07-24-2023

In the previous GE, in step 2.1 you examine the self-provisioners cluster role binding, and there you learn that the self-provisioner cluster role is assigned to the system:authenticated:oauth group.

However, although the lecture shows the self-provisioner role, you may consider that the lecture does not provide enough detail to complete the review lab if you didn't do the GE, so there might be a small gap there.

I would suggest, though, that if you want further discussion, open a separate topic (so it's easier for others to see your comment), or use the feedback button in the course to report an issue (I found no existing issue about topic).

bibbinator · ‎07-24-2023

I'm an experienced K8's user and I think this question is missing important background information.

It looks as though there is no way to look up user to group affiliations via oc?

Is this correct?

alexcorcoles · ‎07-25-2023

IIRC, you can lookup group members. However, I think system:authenticated:oauth is a special "virtual" group that includes all authenticated users, and I believe if you look up members, OpenShift will not show members (for other groups it will). IIRC, there's another virtual group for unauthenticated users.