Closed NickCorcoran closed 3 years ago
Requirements for User provisioning for OpenShift (AG):
Could include an inventory of user access?
Could have a user search capability?
Could we build an automated solution?
Could it follow core Government policy?
Could include a history of user provisioning:
  - Who requested it?
  - When was it requested?
  - What role(s) were assigned?
  - When was the user given access to the platform?
  - etc.
Could include version control of the YAML files?
Could it cover disaster recovery?
Initial meeting discussion notes
Goals:
40+ applications (160 namespaces? 😯)
Developers may be added to single namespace, or multiple namespaces
Turnover in developers can be high at times
Four roles assigned to users in AG namespaces:
  - admin (highest project/namespace level configuration)
  - edit (can do most things as admin, but not configure rolebindings)
  - devedit (can do most things as edit, but cannot view/CRUD secrets)
  - useradmin (cannot do anything but create rolebindings within a namespace)
Currently managed with YAML files, using "oc apply":
  - When deleting a user, it's a manual process to search for the username across all files, delete it, then apply the changes
  - When adding a user, must go into multiple files (one for each application they are supporting)
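As an added example (not from this issue or the AG team's own files), the kind of script the inventory, user-search and leaver requirements above call for. It reads an `oc get rolebindings -A -o json` export instead of the source YAML files, so it needs only the standard library; the embedded sample export, its user names, namespaces and the `devedit` Role name are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample in the shape `oc get rolebindings -A -o json` returns (a v1
# List of rbac.authorization.k8s.io/v1 RoleBindings); names and namespaces are hypothetical.
SAMPLE_EXPORT = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"kind": "RoleBinding", "metadata": {"name": "admin", "namespace": "ag-app1-dev"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "User", "name": "alice@example.gov"}]},
    {"kind": "RoleBinding", "metadata": {"name": "devedit", "namespace": "ag-app1-dev"},
     "roleRef": {"kind": "Role", "name": "devedit"},
     "subjects": [{"kind": "User", "name": "bob@example.gov"},
                  {"kind": "User", "name": "carol@example.gov"}]},
    {"kind": "RoleBinding", "metadata": {"name": "edit", "namespace": "ag-app2-prod"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "User", "name": "bob@example.gov"},
                  {"kind": "Group", "name": "ag-platform-team"}]},
]})

# Of the four AG roles only admin and edit can read Secrets (devedit and useradmin
# cannot), so their holders are the ones to look at first in an access review.
SECRET_READING_ROLES = {"admin", "edit"}


def _user_bindings(export_json):
    """Yield (user, namespace, rolebinding name, role) for every User subject.
    Group subjects are skipped: their membership lives in the identity provider."""
    for rb in json.loads(export_json)["items"]:
        meta, role = rb["metadata"], rb["roleRef"]["name"]
        for subj in rb.get("subjects") or []:  # subjects may be null
            if subj.get("kind") == "User":
                yield subj["name"], meta["namespace"], meta["name"], role


def inventory(export_json):
    """User -> {namespace: set of roles}: the access inventory / user search."""
    inv = defaultdict(lambda: defaultdict(set))
    for user, ns, _binding, role in _user_bindings(export_json):
        inv[user][ns].add(role)
    return {u: dict(m) for u, m in inv.items()}


def bindings_for_user(export_json, user):
    """Leaver check: every (namespace, rolebinding) that still names the user."""
    return sorted((ns, b) for u, ns, b, _r in _user_bindings(export_json) if u == user)


def secret_readers(export_json):
    """Namespace -> users whose role can read that namespace's Secrets."""
    out = defaultdict(set)
    for user, ns, _b, role in _user_bindings(export_json):
        if role in SECRET_READING_ROLES:
            out[ns].add(user)
    return dict(out)
```

The `bindings_for_user` result is the list of entries that today have to be located by hand across the YAML files before the next `oc apply`.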
Additional questions (I may have missed these in Ryan's presentation on October 20th):
Options to consider/discuss:
Tremolo Security, recommended by Red Hat as a tool other orgs use for user access management: https://app.zenhub.com/workspaces/platform-experience-5bb7c5ab4b5806bc2beb9d15/issues/bcdevops/developer-experience/1704