Bootstrap FreeKB - OpenShift - Add or Remove a Role Binding from a User Group or Service Account
OpenShift - Add or Remove a Role Binding from a User Group or Service Account
Updated:   |  OpenShift articles

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

Here is an illustration of how a user, group or service account get mapped to permissions. There are a number of different ways to design this, typically based on your organizations needs.

 

Cluster Role Binding maps a user, group or service account to a Cluster Role which will have policies that allow certain actions (such as create or delete or list) on certain resources (such as deployments, pods)

Role Bindings maps a user, group or service account to a Role or to a Cluster Role which will have policies that allow certain actions (such as create or delete or list) on certain resources (such as deployments, pods) 

Cluster Role is often used by a number of different users, groups and service accounts in various projects, thus a Cluster Role contains the default actions (such as list, get, watch) on certain resources (such as deployments, pods) that users, groups, or service accounts are allowed to do across namespaces.

Role if isolated to a user, group or service account in a specific project, as a way of granting specific actions (such as create and delete and update) on certain resources (such as services and routes).

The oc describe role and oc describe clusterrole commands can be used to list the permissions of what is allowed with a Role or Cluster Role.

~]$ oc describe role my-role
Name:         my-role
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]

 

Role Bindings and Security Context Constraint are similar in that they both are access control mechanisms.

  • Role Bindings are used to allow users, groups and service accounts certain actions (such as create or delete or list) on certain resources (such as deployments, pods)
  • Security Context Constraints are used to control what pods are allowed to do

The oc adm policy command can be used to:

The oc create rolebinding or oc create clusterrolebinding commands can be used to create a custom Role Binding instead of using one of the 8 default Role Bindings.

AVOID TROUBLE

Let's say there is already a basic-user Role Binding. If you don't use the --rolebinding-name option, then a new Role Binding such as basic-user-0 will be created. The --rolebinding-name option is used to append additional Users, Groups, or Service Accounts to the Role Binding if it already exists.

 

add-role-to-user can be used to add a Role Binding to a user.

~]$ oc adm policy add-role-to-user basic-user john.doe --rolebinding-name basic-user
role.rbac.authorization.k8s.io/basic-user added: "john.doe"

 

Or to a Service Account.

oc adm policy add-role-to-user basic-user -z my-service-account --rolebinding-name basic-user

 

add-role-to-group can be used to add a Role Binding to a group.

oc adm policy add-role-to-group basic-user my-group --rolebinding-name basic-user

 

add-cluster-role-to-user can be used to add a Cluster Role Binding to a user.

~]$ oc adm policy add-cluster-role-to-user basic-user john.doe
clusterrole.rbac.authorization.k8s.io/basic-user added: "john.doe"

 

Or to a Service Account.

oc adm policy add-cluster-role-to-user basic-user -z my-service-account

 

add-cluster-role-to-group can be usd to add a Cluster Role Binding to a group.

oc adm policy add-cluster-role-to-group basic-user my-group

 

To append a user, group, or service account to a cluster role binding that already exists, the --rolebinding-name option must be included.

oc adm policy add-cluster-role-to-user basic-user -z my-service-account --rolebinding-name my-basic-users

 

remove-role-from-user can be used to remove a Role Binding from a user.

~]$ oc adm policy remove-role-from-user basic-user john.doe
role.rbac.authorization.k8s.io/basic-user removed: "john.doe"

 

Or from a Service Account.

oc adm policy remove-role-from-user basic-user -z my-service-account

 

remove-role-from-group can be used to add a Role Binding to a group.

oc adm policy remove-role-from-group basic-user my-group

 

remove-cluster-role-from-user can be used to remove a Cluster Role Binding from a user.

oc adm policy remove-cluster-role-from-user basic-user john.doe

 

Or from a Service Account.

oc adm policy remove-cluster-role-from-user basic-user -z my-service-account

 

remove-cluster-role-from-group can be used to remove a Cluster Role Binding from a group.

oc adm policy remove-cluster-role-from-group basic-user my-group

 

The oc describe rolebinding and oc describe clusterrolebinding commands can be used to list the Users, Groups and Service Accounts associated with the Role Binding.

~]$ oc describe rolebinding basic-user
Name:         basic-user
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  RoleBinding
  Name:  basic-user
Subjects:
  Kind            Name              Namespace
  ----            ----              ---------
  User            john.doe
  Group           openshift_admins
  ServiceAccount  my-service-account

 

The oc adm policy who-can command can then be used to determine if the user or group has permission to perform an action on a resource, such as creating, updating, or deleting a config map, deployment, pod, project, secret, et cetera.

~]$ oc adm policy who-can create secret

Namespace: my-project
Verb:      create
Resource:  secrets

Users:  system:admin
Groups: my-admins-group
        Openshift_Admin
        system:cluster-admins

 

Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee


Comments


Add a Comment


Please enter 55a29f in the box below so that we can be sure you are a human.