Correcting Instructions to Disable Build Strategy

adambkaplan · adambkaplan · commit 13c6634afd3a · 2024-09-19T12:36:04.000-04:00
The documentation for disabling builds by strategy was at one point updated to include inaccurate instructions [1]. When followed end to end, these instructions granted the `admin` and `edit` user roles permission to run builds with the `Source` and `Custom` build strategies. The latter build strategy is particularly dangerous, as it grants users permission to execute arbitrary commands in a privileged container. This change restores these instructions to the original intent of verifying that the `admin` and `edit` user roles do not have permission to create Docker strategy builds. It also simplifies the instruction to add the `autoupdate=false` RBAC annotation. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1923869 Signed-off-by: Adam Kaplan <adam.kaplan@redhat.com>
diff --git a/modules/builds-disabling-build-strategy-globally.adoc b/modules/builds-disabling-build-strategy-globally.adoc
@@ -15,32 +15,8 @@ To prevent access to a particular build strategy globally, log in as a user with
 +
 [source,terminal]
 ----
-$ oc edit clusterrolebinding system:build-strategy-docker-binding
+$ oc annotate clusterrolebinding.rbac system:build-strategy-docker-binding 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite
 ----
-+
-.Example output
-[source,yaml]
-----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  annotations:
-    rbac.authorization.kubernetes.io/autoupdate: "false" <1>
-  creationTimestamp: 2018-08-10T01:24:14Z
-  name: system:build-strategy-docker-binding
-  resourceVersion: "225"
-  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/system%3Abuild-strategy-docker-binding
-  uid: 17b1f3d4-9c3c-11e8-be62-0800277d20bf
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:build-strategy-docker
-subjects:
-- apiGroup: rbac.authorization.k8s.io
-  kind: Group
-  name: system:authenticated
-----
-<1> Change the `rbac.authorization.kubernetes.io/autoupdate` annotation's value to `"false"`.
 
 . Remove the role by entering the following command:
 +
@@ -49,45 +25,14 @@ subjects:
 $ oc adm policy remove-cluster-role-from-group system:build-strategy-docker system:authenticated
 ----
 
-. Ensure the build strategy subresources are also removed from these roles:
+. Ensure the build strategy subresources are also removed from the `admin` and `edit` user roles:
 +
 [source,terminal]
 ----
-$ oc edit clusterrole admin
+$ oc get clusterrole admin -o yaml | grep "builds/docker"
 ----
 +
 [source,terminal]
 ----
-$ oc edit clusterrole edit
-----
-
-. For each role, specify the subresources that correspond to the resource of the strategy to disable.
-
-.. Disable the docker Build Strategy for *admin*:
-+
-[source,yaml]
-----
-kind: ClusterRole
-metadata:
-  name: admin
-...
-- apiGroups:
-  - ""
-  - build.openshift.io
-  resources:
-  - buildconfigs
-  - buildconfigs/webhooks
-  - builds/custom <1>
-  - builds/source
-  verbs:
-  - create
-  - delete
-  - deletecollection
-  - get
-  - list
-  - patch
-  - update
-  - watch
-...
+$ oc get clusterrole edit -o yaml | grep "builds/docker"
 ----
-<1> Add `builds/custom` and `builds/source` to disable docker builds globally for users with the *admin* role.
