OpenShift - Create Role Binding

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

Role Bindings, or Role Based Access Control (RBAC), contain the mapping of user, group, or service account to a role.

  • Cluster Role Bindings gives a user, group or service account a certain role for every project/namespace
  • Role Bindings gives a user, group or service account a certain role for a specific project/namespace

The following roles can be used.

  • admin - Allowed to view and edit/modify all resources except for quota
  • basic-user - no access to projects or resources (i'm not sure why you would ever want to apply this role to a user)
  • cluster-admin - full control
  • cluster-status - view basic cluster status information
  • cluster-reader - allowed to view, but cannot edit or modify
  • edit - allowed to view and edit certain resources such as deployments/pods/services/routes but not allowed to view or edit resources such as role bindings
  • self-provisioner - user can create their own projects
  • view - allowed to view resources, but cannot edit or modify resources

Role Bindings and Security Context Constraint are similar in that they both are access control mechanisms.

  • Role Bindings are used to control what an OpenShift Users are allowed to do
  • Security Context Constraints are used to control what pods are allowed to do

In this example, the oc create rolebinding command is used to create a role binding named my-basic-users that gives user john.doe the basic-user role.

~]$ oc create rolebinding my-basic-users --role basic-user --user john.doe
rolebinding.rbac.authorization.k8s.io/my-basic-users created

 

Or to a group.

~]$ oc create rolebinding my-basic-users --role basic-user --group my-group
rolebinding.rbac.authorization.k8s.io/my-basic-users created

 

The oc adm policy add-role-to-user command can be used to add a role to a user.

~]# oc adm policy add-role-to-user basic-user john.doe
rolebinding.rbac.authorization.k8s.io/basic-user added: "john.doe"

 

Or a group.

~]$ oc adm policy add-role-to-group basic-user my_group
rolebinding.rbac.authorization.k8s.io/basic-user added: "my_group"

 

The oc adm policy remove-role-from-user command can be used to remove a role from a user.

~]# oc adm policy remove-role-from-user basic-user john.doe
rolebinding.rbac.authorization.k8s.io/basic-user removed: "john.doe"

 

The oc adm policy remove-role-from-group command can be used to remove a role from a group.

~]$ oc adm policy remove-role-from-group basic-user my_group
rolebinding.rbac.authorization.k8s.io/basic-user removed: "my_group"

 

The oc describe rolebinding command can then be used to see that the Role Binding has been applied to the group.

~]$ oc describe rolebinding basic-user
Name:         basic-user
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  basic-user
Subjects:
  Kind            Name              Namespace
  ----            ----              ---------
  User            john.doe
  Group           openshift_admins
  ServiceAccount  my-service-account

 

The oc adm policy who-can command can then be used to determine if the user or group has permission to perform an action on a resource, such as creating, updating, or deleting a config map, deployment, pod, project, secret, et cetera.

~]$ oc adm policy who-can create secret --namespace openshift-config

Namespace: openshift-config
Verb:      create
Resource:  secrets

Users:  system:admin
        system:serviceaccount:my-project:my-service-account
Groups: my-group
        Openshift_Admin
        system:cluster-admins

 

Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee

Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.





Please enter fc646 in the box below so that we can be sure you are a human.




Comments

Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |