If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
Here is a basic illustration of how a user, group or service account get mapped to permissions.
The oc get groups command can be used to list the groups that have been created, and the members of each group.
~]$ oc get groups
NAME USERS
my-group-admins john.doe
my-group-cluster-admins jane.doe
my-group-cluster-status jack.doe
my-group-cluster-readers james.doe jasper.doe
my-group-editors jackson.doe jordan.doe
my-group-self-provisioners julie.doe jose.doe
my-group-viewers josh.doe jeremy.doe
A group is almost always associated with a Role Binding so it might be a good design to have the groups match the Role Bindings.
| Group Name | Role |
|---|---|
| my-group-admins | admin |
| my-group-cluster-admins | cluster-admin |
| my-group-cluster-status | cluster-status |
| my-group-cluster-readers | cluster-reader |
| my-group-editors | edit |
| my-group-self-provisioners | self-provisioner |
| my-group-viewers | view |
The oc describe group can display a bit more information about a group.
~]$ oc describe group my-group-admins
Name: my-group-admins
Created: 28 seconds ago
Labels: <none>
Annotations: <none>
Users: jane.doe
Or, the oc get groups command with the --output json or --output yaml option can be used.
~]$ oc get groups my-group-admins --output json
{
"apiVersion": "user.openshift.io/v1",
"kind": "Group",
"metadata": {
"creationTimestamp": "2022-07-26T01:45:24Z",
"name": "my-group-admins",
"resourceVersion": "444131094",
"uid": "db7ece86-9507-45f0-aa17-66c49b51fe97"
},
"users": [
"john.doe"
]
}
The --output jsonpath option can be used to print the value of a specific JSON key
~]$ oc get groups my-group-admins --output jsonpath={.users}
["john.doe"]
This one liner can be used to list the Cluster Role Bindings that have been mapped to the group. In this example the Cluster Role Binding named "my-role-admins" is mapped to my-group-admins.
~]$ for crb in `oc get clusterrolebindings | awk '{print $1'}`; do echo $crb; oc describe clusterrolebinding $crb | grep -i my_group; done;
my-role-admins
Group my-group-admins
Then the oc describe clusterrolebinding command can be used to show that Cluster Role Binding my-role-admins has group my-group-admins and role cluster-admin.
~]$ oc describe clusterrolebinding admin
Name: admin
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: admin
Subjects:
Kind Name Namespace
---- ---- ---------
Group my-group-admins
Did you find this article helpful?
If so, consider buying me a coffee over at 