
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
Here is a basic illustration of how a user, group or service account gets mapped to permissions.
The oc get groups command can be used to list the groups that have been created, and the members of each group.
~]$ oc get groups
NAME                         USERS
my-group-admins              john.doe
my-group-cluster-admins      jane.doe
my-group-cluster-status      jack.doe
my-group-cluster-readers     james.doe jasper.doe
my-group-editors             jackson.doe jordan.doe
my-group-self-provisioners   julie.doe jose.doe
my-group-viewers             josh.doe jeremy.doe
A group is almost always associated with a Role Binding, so it might be a good design to have the group names match the Role Bindings.
Group Name | Role |
---|---|
my-group-admins | admin |
my-group-cluster-admins | cluster-admin |
my-group-cluster-status | cluster-status |
my-group-cluster-readers | cluster-reader |
my-group-editors | edit |
my-group-self-provisioners | self-provisioner |
my-group-viewers | view |
The oc adm groups add-users command can be used to add users to a group.
~]$ oc adm groups add-users my-group-admins jacob.doe
group.user.openshift.io/my-group-admins added: "jacob.doe"
This one-liner can be used to list the Cluster Role Bindings that have been mapped to the group. In this example, the Cluster Role Binding named "my-role-admins" is mapped to my-group-admins.
~]$ for crb in $(oc get clusterrolebindings --no-headers | awk '{print $1}'); do echo "$crb"; oc describe clusterrolebinding "$crb" | grep -i my-group; done
my-role-admins
Group my-group-admins
Then the oc describe clusterrolebinding command can be used to show that Cluster Role Binding my-role-admins has group my-group-admins and role cluster-admin.
~]$ oc describe clusterrolebinding admin
Name:         admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind   Name             Namespace
  ----   ----             ---------
  Group  my-group-admins
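The grep in the one-liner above matches any line that contains the string, so a similarly named group, or a user with the same name as the group, is reported too. As an added example (not from the original article), the script below fetches all Cluster Role Bindings in one call and compares each subject exactly; the function names and the sample rows are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find the ClusterRoleBindings whose subjects include one exact group.

# One line per binding: NAME <TAB> ROLE <TAB> Kind:Name,Kind:Name,...
# Needs a logged-in oc session; not called by the offline sample below.
dump_bindings() {
  oc get clusterrolebindings -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.name}{"\t"}{range .subjects[*]}{.kind}{":"}{.name}{","}{end}{"\n"}{end}'
}

# Reads dump_bindings output on stdin and prints "BINDING <TAB> ROLE" for every
# binding that has a subject of kind Group whose name equals $1 exactly.
bindings_for_group() {
  awk -F'\t' -v want="Group:$1" '
    {
      n = split($3, subj, ",")
      for (i = 1; i <= n; i++)
        if (subj[i] == want) { print $1 "\t" $2; break }
    }'
}

# Constructed sample rows in the dump_bindings format (not real cluster output).
# Row 2 has a User named like the group; row 3 has a group with a longer name.
sample_bindings() {
  printf '%s\t%s\t%s\n' \
    my-role-admins  cluster-admin  'Group:my-group-admins,' \
    my-role-viewers view           'Group:my-group-viewers,User:my-group-admins,' \
    my-role-status  cluster-status 'Group:my-group-admins-old,'
}

# Offline:       sample_bindings | bindings_for_group my-group-admins
# Live cluster:  dump_bindings   | bindings_for_group my-group-admins
```

Only the first sample row is returned for my-group-admins, whereas a substring grep would have reported all three bindings.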