OpenShift - List Role Bindings

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

Role Bindings, or Role Based Access Control (RBAC), contain the mapping of user, group, or service account to a role.

  • Cluster Role Bindings gives a user, group or service account a certain role for every project/namespace
  • Role Bindings gives a user, group or service account a certain role for a specific project/namespace

The following roles can be used.

  • admin - Allowed to view and edit/modify all resources except for quota
  • basic-user - no access to projects or resources (i'm not sure why you would ever want to apply this role to a user)
  • cluster-admin - full control
  • cluster-status - view basic cluster status information
  • cluster-reader - allowed to view, but cannot edit or modify
  • edit - allowed to view and edit certain resources such as deployments/pods/services/routes but not allowed to view or edit resources such as role bindings
  • self-provisioner - user can create their own projects
  • view - allowed to view resources, but cannot edit or modify resources

Role Bindings and Security Context Constraint are similar in that they both are access control mechanisms.

  • Role Bindings are used to control what an OpenShift Users are allowed to do
  • Security Context Constraints are used to control what pods are allowed to do

The oc adm policy command can be used to:

The oc get rolebindings command can be used to:

  • List the Users, Groups, and Service Accounts that have been appended to one of the 8 default Role Bindings
  • List the custom Role Bindings that have been created


The -A or --all-namespaces flag can be used to list the Role Bindings in every namespace.

The -n or --namespace flag can be used to list the Role Bindings in a certain namespace.

In this example, one or more Users, Groups or Service Accounts have been appended to the default basic-user Role Binding.

The Role Bindings that begin with my-role are custom Role Bindings that have been created. Check out my article on using the oc create rolebinding or oc create clusterrolebinding to create a custom Role Binding.

Notice also there is a basic-user-0 Role Binding. When you add the first User, Group or Service Account to one of the system Role Bindings using the oc adm policy command, this will create the Role Binding in the currently selected namespace (basic-user in this example). If you then added a second User, Group or Service Account to the same Role Binding oc adm policy command and you do not use the --rolebinding-name option, this will create another Role Binding with -0 appended (basic-user-0 in this example).

~]$ oc get rolebindings
NAME                         ROLE                            AGE
basic-user                   ClusterRole/basic-user           8d
basic-user-0                 ClusterRole/basic-user           8d
my-role-admins               ClusterRole/admin               10d
my-role-cluster-admins       ClusterRole/cluster-admin       10d
my-role-cluster-status       ClusterRole/cluster-status      10d
my-role-cluster-readers      ClusterRole/cluster-reader      10d
my-role-editors              ClusterRole/edit                10d
my-role-self-provisioners    ClusterRole/self-provisioner    10d
my-role-viewers              ClusterRole/view                10d


The oc get clusterrolebindings command can be used to list the Cluster Role Bindings that have been created.

~]$ oc get clusterrolebindings
NAME                         ROLE                            AGE
basic-users                  ClusterRole/basic-user          10d
cluster-admins               ClusterRole/cluster-admin       10d
view                         ClusterRole/view                10d


The oc describe rolebinding and oc describe clusterrolebinding commands can be used to list the Users, Groups and Service Accounts associated with the Role Binding.

~]$ oc describe rolebinding my-basic-users
Name:         my-basic-users
Labels:       <none>
Annotations:  <none>
  Kind:  RoleBinding
  Name:  my-basic-users
  Kind            Name              Namespace
  ----            ----              ---------
  User            john.doe
  Group           openshift_admins
  ServiceAccount  my-service-account


Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee

Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter 51390 in the box below so that we can be sure you are a human.


Web design by yours truely - me, myself, and I   |   |