From 8d0839294a934847223103f9be5e2eca4ed7f593 Mon Sep 17 00:00:00 2001
From: Aline Abler
Date: Wed, 20 Sep 2023 11:31:15 +0200
Subject: [PATCH] Add documentation for disabling self provisioning
---
.../disable-self-provisioning.adoc | 32 +++++++++++++++++++
docs/modules/ROOT/partials/nav.adoc | 1 +
2 files changed, 33 insertions(+)
create mode 100644 docs/modules/ROOT/pages/how-tos/authentication/disable-self-provisioning.adoc
diff --git a/docs/modules/ROOT/pages/how-tos/authentication/disable-self-provisioning.adoc b/docs/modules/ROOT/pages/how-tos/authentication/disable-self-provisioning.adoc
new file mode 100644
index 00000000..666fc773
--- /dev/null
+++ b/docs/modules/ROOT/pages/how-tos/authentication/disable-self-provisioning.adoc
@@ -0,0 +1,32 @@
+= Disable access to one or more OpenShift 4 clusters
+
+[abstract]
+This guide describes how to remove permission for users to self-provision projects on OpenShift 4 clusters.
+It's based on https://docs.openshift.com/container-platform/4.13/applications/projects/configuring-project-creation.html#disabling-project-self-provisioning_configuring-project-creation[this OpenShift documentation].
+
+== Prerequisites
+
+* Access to the respective cluster's tenant repository.
+
+== Procedure
+
+To disable self-provisioning, patch the `self-provisioners` CRB with the following `Patch` (for example via adhoc-configurations):
+
+[source,yaml]
+----
+kind: Patch
+metadata:
+ name: self-provisioning
+spec:
+ patches:
+ self-provisioning-patch:
+ patchTemplate: |-
+ [{"op": "remove", "path": "/subjects/0"}]
+ patchType: application/json-patch+json
+ targetObjectRef:
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ name: self-provisioners
+----
+
+Roll out this patch and verify it applies. This disables self-provisioning for general authenticated users.
\ No newline at end of file
diff --git a/docs/modules/ROOT/partials/nav.adoc b/docs/modules/ROOT/partials/nav.adoc
index b8bce993..71c5af4d 100644
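Review bot: The patch in the `[source,yaml]` block removes `/subjects/0` purely by position, so on a cluster where the `self-provisioners` binding was already edited it can drop a different subject or leave another self-provisioning subject in place. Guarding the removal with a JSON Patch test op would make it fail instead of removing the wrong entry, e.g. `[{"op": "test", "path": "/subjects/0/name", "value": "system:authenticated:oauth"}, {"op": "remove", "path": "/subjects/0"}]`, assuming the default OAuth-authenticated group is the subject being targeted. The linked OpenShift procedure also sets the `rbac.authorization.kubernetes.io/autoupdate` annotation to `"false"` so the default binding is not restored when the API server restarts; the page should either add that step or state that the `Patch` is re-applied continuously. The closing "verify it applies" would be more useful with a concrete check such as `oc describe clusterrolebinding.rbac self-provisioners`, and the page title still reads "Disable access to one or more OpenShift 4 clusters", which does not match the content.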
--- a/docs/modules/ROOT/partials/nav.adoc +++ b/docs/modules/ROOT/partials/nav.adoc @@ -97,6 +97,7 @@ * Authentication ** xref:oc4:ROOT:how-tos/authentication/sudo.adoc[] ** xref:oc4:ROOT:how-tos/authentication/disable-access.adoc[Disable per cluster access] +** xref:oc4:ROOT:how-tos/authentication/disable-self-provisioning.adoc[Disable project self-provisioning] ** xref:oc4:ROOT:explanations/sudo.adoc[] // Networking