Red Hat OpenShift allows for customization of the console login pages to meet customer requirements. One requirement for United States Government (USG) customers is to display a legal acknowledgment to users before they are authenticated (USG Banner Reference). This post steps through the process to customize OpenShift login pages with an acknowledgment. Code from this post is available on GitHub here.
OpenShift's login screen is comprised of 3 distinct pages: Login, Providers, and Error.
Login (login.html
)
The Login page contains the username/password form used for local authentication, such as htpasswd or kube:admin. This is the page you see on a fresh cluster install when only kube:admin authentication is enabled. If only one local authentication method is configured, this page will be displayed when an unauthenticated user attempts to access the console.
Providers (providers.html
)
The Providers page contains a list of available authentication providers. It is only displayed when two or more authentication providers are configured in OpenShift. If two or more authentication providers are configured, this page will be displayed when an unauthenticated user attempts to access the console.
Error (errors.html
)
The Error page is only displayed when authentication errors occur.
Configuration
Depending on how cluster authentication is configured, both login and providers pages may need to be customized to show the acknowledgment. It doesn't hurt to customize all three pages though, even if one of the pages is never shown to a user.
OpenShift documentation details the process to customize the login screen under Customizing the login page. This process from the docs starts with bare, unstyled pages for login, providers, and error. Unless your organization has a specific theme to apply, it's easier to grab the default themed pages directly from the authentication pods.
Log into OpenShift on the command line with oc
and run:
POD=$(oc get pods -n openshift-authentication -o name | head -n 1)
oc exec -n openshift-authentication "$POD" -- cat /var/config/system/secrets/v4-0-config-system-ocp-branding-template/errors.html > errors.html
oc exec -n openshift-authentication "$POD" -- cat /var/config/system/secrets/v4-0-config-system-ocp-branding-template/login.html > login.html
oc exec -n openshift-authentication "$POD" -- cat /var/config/system/secrets/v4-0-config-system-ocp-branding-template/providers.html > providers.html
Edit all three documents, errors.html, login.html, and providers.html. In the body of each document, under <div class="pf-c-login__main-body">
, add:
<p>
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
</p>
<ul style="list-style-type: disc; margin-bottom: 2em;">
<li style="margin: .5em 0;">The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.</li>
<li style="margin: .5em 0;">At any time, the USG may inspect and seize data stored on this IS.</li>
<li style="margin: .5em 0;">Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.</li>
<li style="margin: .5em 0;">This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.</li>
<li style="margin: .5em 0;">Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.</li>
</ul>
Save the changes to all documents.
To apply the customizations to OpenShift, each document needs to be put into a secret in the openshift-config namespace.
oc create secret generic error-template --from-file=errors.html -n openshift-config
oc create secret generic login-template --from-file=login.html -n openshift-config
oc create secret generic providers-template --from-file=providers.html -n openshift-config
Finally, patch the oauth/cluster object to tell OpenShift to use the new templates.
oc patch oauths cluster --type=json -p='[ { "op": "add", "path": "/spec/templates", "value": { "error": { "name": "error-template" }, "providerSelection": { "name": "providers-template" }, "login": { "name": "login-template" } } } ]'
After the patch, oc get oauth cluster -o yaml
should contain:
spec:
templates:
error:
name: error-template
login:
name: login-template
providerSelection:
name: providers-template
Patching the oauth/cluster object will cause the authentication cluster operator to deploy new pods into the openshift-authentication namespace. This rollout brings down pods one at a time so it may take several minutes for the rollout to complete. You can monitor the cluster operator progress with:
oc get co # "co" is short for "clusteroperator"
Once the operator reports back "Ready", log out of OpenShift and navigate back to the console.
It should redirect you to a login page that looks like this if only one authentication provider (kube:admin or htpasswd) is configured:
It should look like this if multiple authentication providers are configured:
The error page will look like this:
Bonus: Customize the Login Page Across a Multi-Cluster Fleet
This customization can be deployed through Red Hat Advanced Cluster Management (ACM) for Kubernetes. Using Governance Policy in ACM, an OpenShift administrator can configure login customizations once, then deploy to all clusters.
The policy object is too lengthy to post inline. Instead, grab acm-policy.yaml from GitHub. This file contains templates of the three authentication pages, base64 encoded in secrets, and the oauth/cluster configuration. The policy targets all available clusters, meaning each available cluster will have all 4 templates deployed to it.
To deploy, log in to the ACM hub cluster with oc
, cd
to the directory with acm-policy.yaml, and run:
oc create -f acm-policy.yaml
After deploying, check the status on the Governance page in the ACM web console.
The status on all clusters will briefly show as non-compliant. Because the policy is set to enforce, within a few seconds, the policy will be pushed to all non-compliant clusters.
Once the template resources exist on a cluster, it will report back as compliant. Note that, same as the manual configuration, it will take a few minutes for the authentication operator to roll out new pods even after ACM shows a cluster as compliant.
Sull'autore
Altri risultati simili a questo
Ricerca per canale
Automazione
Novità sull'automazione IT di tecnologie, team e ambienti
Intelligenza artificiale
Aggiornamenti sulle piattaforme che consentono alle aziende di eseguire carichi di lavoro IA ovunque
Hybrid cloud open source
Scopri come affrontare il futuro in modo più agile grazie al cloud ibrido
Sicurezza
Le ultime novità sulle nostre soluzioni per ridurre i rischi nelle tecnologie e negli ambienti
Edge computing
Aggiornamenti sulle piattaforme che semplificano l'operatività edge
Infrastruttura
Le ultime novità sulla piattaforma Linux aziendale leader a livello mondiale
Applicazioni
Approfondimenti sulle nostre soluzioni alle sfide applicative più difficili
Serie originali
Raccontiamo le interessanti storie di leader e creatori di tecnologie pensate per le aziende
Prodotti
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Servizi cloud
- Scopri tutti i prodotti
Strumenti
- Formazione e certificazioni
- Il mio account
- Supporto clienti
- Risorse per sviluppatori
- Trova un partner
- Red Hat Ecosystem Catalog
- Calcola il valore delle soluzioni Red Hat
- Documentazione
Prova, acquista, vendi
Comunica
- Contatta l'ufficio vendite
- Contatta l'assistenza clienti
- Contatta un esperto della formazione
- Social media
Informazioni su Red Hat
Red Hat è leader mondiale nella fornitura di soluzioni open source per le aziende, tra cui Linux, Kubernetes, container e soluzioni cloud. Le nostre soluzioni open source, rese sicure per un uso aziendale, consentono di operare su più piattaforme e ambienti, dal datacenter centrale all'edge della rete.
Seleziona la tua lingua
Red Hat legal and privacy links
- Informazioni su Red Hat
- Opportunità di lavoro
- Eventi
- Sedi
- Contattaci
- Blog di Red Hat
- Diversità, equità e inclusione
- Cool Stuff Store
- Red Hat Summit