If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
Role Bindings, part of Role Based Access Control (RBAC), map a user, group, or service account to a role.
The following roles can be used.
Role Bindings and Security Context Constraints (SCCs) are similar in that both are access control mechanisms, though a Role Binding governs which API actions a subject may perform, while an SCC governs what a pod is permitted to do.
In this example, the oc create rolebinding command is used to create a role binding named my-basic-users that gives user john.doe the basic-user role.
~]$ oc create rolebinding my-basic-users --role basic-user --user john.doe
rolebinding.rbac.authorization.k8s.io/my-basic-users created
Or to a group.
~]$ oc create rolebinding my-basic-users --role basic-user --group my-group
rolebinding.rbac.authorization.k8s.io/my-basic-users created
The oc adm policy add-role-to-user command can be used to add a role to a user.
~]# oc adm policy add-role-to-user basic-user john.doe
rolebinding.rbac.authorization.k8s.io/basic-user added: "john.doe"
Or a group.
~]$ oc adm policy add-role-to-group basic-user my_group
rolebinding.rbac.authorization.k8s.io/basic-user added: "my_group"
The oc adm policy remove-role-from-user command can be used to remove a role from a user.
~]# oc adm policy remove-role-from-user basic-user john.doe
rolebinding.rbac.authorization.k8s.io/basic-user removed: "john.doe"
The oc adm policy remove-role-from-group command can be used to remove a role from a group.
~]$ oc adm policy remove-role-from-group basic-user my_group
rolebinding.rbac.authorization.k8s.io/basic-user removed: "my_group"
The oc describe rolebinding command can then be used to see which users, groups, and service accounts the Role Binding applies to.
~]$ oc describe rolebinding basic-user
Name:         basic-user
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  basic-user
Subjects:
  Kind            Name                Namespace
  ----            ----                ---------
  User            john.doe
  Group           openshift_admins
  ServiceAccount  my-service-account
The oc adm policy who-can command can then be used to determine which users and groups have permission to perform an action (verb) on a resource, such as creating, updating, or deleting a config map, deployment, pod, project, or secret.
~]$ oc adm policy who-can create secret --namespace openshift-config
Namespace: openshift-config
Verb:      create
Resource:  secrets

Users:  system:admin
        system:serviceaccount:my-project:my-service-account

Groups: my-group
        Openshift_Admin
        system:cluster-admins
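As an added example (not part of the original page), the POSIX shell functions below parse who-can output in the layout shown above and flag any user or group that is not on an expected allowlist, which turns a one-off lookup into a repeatable audit of who can touch a sensitive resource. WHO_CAN_OUTPUT is constructed sample output and ALLOWED is a hypothetical allowlist; in practice the output would be captured from oc adm policy who-can.

```shell
#!/bin/sh
# Added example, not from the original page: audit the subjects that
# "oc adm policy who-can" reports for a sensitive verb/resource and flag
# any user or group that is not on an expected allowlist.

# Constructed sample output in the layout shown on the page. Capture the
# real thing with:
#   oc adm policy who-can create secret --namespace openshift-config
WHO_CAN_OUTPUT='Namespace: openshift-config
Verb:      create
Resource:  secrets

Users:  system:admin
        system:serviceaccount:my-project:my-service-account

Groups: my-group
        Openshift_Admin
        system:cluster-admins'

# Hypothetical allowlist: principals expected to hold this permission.
ALLOWED='system:admin
system:cluster-admins'

# who_can_subjects OUTPUT: print every user and group, one per line, as
# "<Kind> <name>". Indented continuation lines inherit the kind of the
# last "Users:" or "Groups:" header; a blank line ends the section.
who_can_subjects() {
    printf '%s\n' "$1" | awk '
        /^Users:/  { kind = "User";  sub(/^Users:[ \t]*/,  ""); if ($0 != "") print kind, $0; next }
        /^Groups:/ { kind = "Group"; sub(/^Groups:[ \t]*/, ""); if ($0 != "") print kind, $0; next }
        /^[ \t]+[^ \t]/ && kind != "" { sub(/^[ \t]+/, ""); print kind, $0; next }
        /^$/ { kind = "" }
    '
}

# unexpected_subjects OUTPUT ALLOWLIST: print each subject whose name is
# not on the newline-separated allowlist. Returns 1 if any were found,
# 0 otherwise, so the check can gate an audit or CI job.
unexpected_subjects() {
    out=$(who_can_subjects "$1" | while read -r kind name; do
        printf '%s\n' "$2" | grep -qxF -- "$name" || printf '%s %s\n' "$kind" "$name"
    done)
    [ -n "$out" ] && { printf '%s\n' "$out"; return 1; }
    return 0
}

unexpected_subjects "$WHO_CAN_OUTPUT" "$ALLOWED" || echo "review: unexpected principals can create secrets"
```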