OpenShift - Create group using the oc adm groups command

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

The oc adm groups new command can be used to create a group. In this example, the group named my-group-admins will be created with no users added as members of the group.

~]$ oc adm groups new my-group-admins
group.user.openshift.io/my-group-admins created


And here is how you would create a group that has one or more users added as members of the group. You may want to use the oc get users command to ensure the user accounts exist.

~]$ oc adm groups new my-group-admins john.doe jane.doe
group.user.openshift.io/my-group-admins created


The oc get group command can then be used to ensure the group exists and to see which users are members of the group.

~]$ oc get group my-group-admins
NAME                          USERS
my-group-admins               john.doe jane.doe


A group is almost always associated with a Role Binding, so it might be a good design to have the group names match the Role Bindings.

Group Name                    Role
my-group-admins               admin
my-group-cluster-admins       cluster-admin
my-group-cluster-status       cluster-status
my-group-cluster-readers      cluster-reader
my-group-editors              edit
my-group-self-provisioners    self-provisioner
my-group-viewers              view


This one-liner can be used to list the Cluster Role Bindings that have been mapped to the group. In this example the Cluster Role Binding named "my-role-admins" is mapped to my-group-admins.

~]$ for crb in $(oc get clusterrolebindings --no-headers | awk '{print $1}'); do echo $crb; oc describe clusterrolebinding $crb | grep -i my-group; done
  Group  my-group-admins


Then the oc describe clusterrolebinding command can be used to show that Cluster Role Binding my-role-admins has group my-group-admins and role cluster-admin.

~]$ oc describe clusterrolebinding admin
Name:         admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind            Name              Namespace
  ----            ----              ---------
  Group           my-group-admins
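
The one-liner above matches on a substring and runs oc describe once per binding, so a group or user with a similar name also shows up. As an added example (not from the original article), this script fetches all Cluster Role Bindings in one call and matches the group by exact kind and name; the function names, the jsonpath template and the sample data are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: list the Cluster Role Bindings whose subjects include a
# given Group, using an exact match on subject kind and name.

# jsonpath template, one line per binding:
#   binding-name <TAB> role-name <TAB> Kind/name,Kind/name,
# Assumes subject names do not contain commas or tabs.
CRB_TEMPLATE='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.name}{"\t"}{range .subjects[*]}{.kind}{"/"}{.name}{","}{end}{"\n"}{end}'

# Reads lines in the CRB_TEMPLATE format on stdin and prints
# "binding<TAB>role" for each binding that has Group/<name> as a subject.
bindings_for_group() {
  awk -F'\t' -v want="Group/$1" '
    {
      n = split($3, subj, ",")
      for (i = 1; i <= n; i++)
        if (subj[i] == want) { print $1 "\t" $2; break }
    }'
}

# Live use against a cluster (requires a logged-in oc session).
crb_for_group() {
  oc get clusterrolebindings -o jsonpath="$CRB_TEMPLATE" | bindings_for_group "$1"
}

# Constructed sample in the CRB_TEMPLATE format (not real cluster output).
# "lookalike" holds a similarly named group and a User called my-group-admins,
# both of which a substring grep would report.
sample_bindings() {
  printf 'admin\tadmin\tGroup/my-group-admins,\n'
  printf 'my-role-viewers\tview\tGroup/my-group-viewers,User/john.doe,\n'
  printf 'lookalike\tcluster-admin\tGroup/my-group-admins-temp,User/my-group-admins,\n'
  printf 'no-subjects\tcluster-reader\t\n'
}
```

Running crb_for_group my-group-admins on a cluster prints one line per matching binding with its role, which makes an unexpected cluster-admin mapping easy to spot.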

