OpenShift - List Role Bindings


If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

Here is a basic illustration of how a user, group or service account gets mapped to permissions.

 

Roles and Role Bindings can be set at the cluster level (applies to every project) or at the project level (applies to a single project).

  • Cluster:
    • A Cluster Role Binding binds a user, group or service account to a Cluster Role
    • A Cluster Role contains the list of permissions for every project
  • Project:
    • A Role Binding binds a user, group or service account to a Role
    • A Role contains the list of permissions in a specific project

The oc get roles command can be used to list the roles that have been created in your currently selected project.

~]$ oc get roles
NAME                  CREATED AT
my-role               2023-01-05T08:19:22Z

 

The oc get clusterroles command can be used to list the roles that are automatically included with OpenShift and any additional Cluster Roles that have been created.

~]$ oc get clusterroles
NAME                  CREATED AT
admin                 2021-07-16T17:15:10Z
my-cluster-role       2023-01-05T08:19:22Z
basic-user            2021-07-16T17:15:10Z
cluster-admin         2021-07-16T17:15:10Z
cluster-reader        2021-07-16T17:15:10Z
cluster-status        2021-07-16T17:15:10Z
edit                  2021-07-16T17:15:10Z
self-provisioner      2021-07-16T17:15:10Z
view                  2021-07-16T17:15:10Z

 

The oc describe role and oc describe clusterrole commands can be used to display the permissions granted by a Role or Cluster Role.

~]$ oc describe role my-role
Name:         my-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]

 

Role Bindings and Security Context Constraints are similar in that they are both access control mechanisms.

  • Role Bindings are used to control what OpenShift Users are allowed to do
  • Security Context Constraints are used to control what pods are allowed to do

The oc adm policy command can be used to:

The oc get rolebindings and oc get clusterrolebindings commands can be used to:

  • List the Users, Groups, and Service Accounts that have been appended to a Role Binding or Cluster Role Binding
  • List the custom Role Bindings and Cluster Role Bindings that have been created

TIP

The -A or --all-namespaces flag can be used to list the Role Bindings in every namespace.

The -n or --namespace flag can be used to list the Role Bindings in a certain namespace.

In this example, one or more Users, Groups or Service Accounts have been appended to the default basic-user Role Binding.

The Role Bindings that begin with my-role are custom Role Bindings that have been created. Check out my article on using the oc create rolebinding or oc create clusterrolebinding commands to create a custom Role Binding.

Notice also that there is a basic-user-0 Role Binding. When you add the first User, Group or Service Account to one of the system Role Bindings using the oc adm policy command, this creates the Role Binding in the currently selected namespace (basic-user in this example). If you then add a second User, Group or Service Account to the same Role Binding using the oc adm policy command and you do not use the --rolebinding-name option, this creates another Role Binding with -0 appended (basic-user-0 in this example).

~]$ oc get rolebindings
NAME                         ROLE                            AGE
basic-user                   ClusterRole/basic-user           8d
basic-user-0                 ClusterRole/basic-user           8d
my-role-admins               ClusterRole/admin               10d
my-role-cluster-admins       ClusterRole/cluster-admin       10d
my-role-cluster-status       ClusterRole/cluster-status      10d
my-role-cluster-readers      ClusterRole/cluster-reader      10d
my-role-editors              ClusterRole/edit                10d
my-role-self-provisioners    ClusterRole/self-provisioner    10d
my-role-viewers              ClusterRole/view                10d

 

The oc get clusterrolebindings command can be used to list the Cluster Role Bindings that have been created.

~]$ oc get clusterrolebindings
NAME                         ROLE                            AGE
basic-users                  ClusterRole/basic-user          10d
cluster-admins               ClusterRole/cluster-admin       10d
view                         ClusterRole/view                10d

 

The oc describe rolebinding and oc describe clusterrolebinding commands can be used to list the Users, Groups and Service Accounts associated with the Role Binding.

~]$ oc describe rolebinding my-basic-users
Name:         my-basic-users
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  RoleBinding
  Name:  my-basic-users
Subjects:
  Kind            Name              Namespace
  ----            ----              ---------
  User            john.doe
  Group           openshift_admins
  ServiceAccount  my-service-account
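
The listings above show one row per Role Binding, so the subjects of a role can be spread over several bindings (basic-user and basic-user-0). The following Python script is an added example, not part of the original article: it merges the JSON form of the same listing per role and reports who holds the high-privilege roles. The function names, the my-project namespace and the HIGH_PRIVILEGE list are assumptions, and the sample data is constructed.

```python
import json
import sys
from collections import defaultdict

# Constructed sample shaped like `oc get rolebindings -A -o json`; binding names
# reuse the article's examples, the namespace "my-project" is an assumption.
SAMPLE = {"items": [
    {"metadata": {"name": "basic-user", "namespace": "my-project"},
     "roleRef": {"kind": "ClusterRole", "name": "basic-user"},
     "subjects": [{"kind": "User", "name": "john.doe"}]},
    {"metadata": {"name": "basic-user-0", "namespace": "my-project"},
     "roleRef": {"kind": "ClusterRole", "name": "basic-user"},
     "subjects": [{"kind": "Group", "name": "openshift_admins"}]},
    {"metadata": {"name": "my-role-cluster-admins", "namespace": "my-project"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "my-service-account",
                   "namespace": "my-project"},
                  {"kind": "User", "name": "john.doe"}]},
    {"metadata": {"name": "my-role-viewers", "namespace": "my-project"},
     "roleRef": {"kind": "ClusterRole", "name": "view"}},  # no subjects bound
]}

HIGH_PRIVILEGE = {"ClusterRole/cluster-admin", "ClusterRole/admin"}  # assumed list

def subjects_by_role(binding_list):
    """Map (namespace, role) -> {subject: [bindings]}, merging split bindings."""
    merged = defaultdict(lambda: defaultdict(list))
    for item in binding_list.get("items", []):
        meta, ref = item["metadata"], item["roleRef"]
        # Cluster Role Bindings have no namespace (""); subjects may be absent or null.
        key = (meta.get("namespace", ""), f'{ref["kind"]}/{ref["name"]}')
        for s in item.get("subjects") or []:
            who = "/".join(filter(None, (s["kind"], s.get("namespace"), s["name"])))
            merged[key][who].append(meta["name"])
    return merged

def high_privilege_grants(binding_list, roles=HIGH_PRIVILEGE):
    """Return sorted (namespace, role, subject, binding) rows to review."""
    rows = []
    for (ns, role), subjects in subjects_by_role(binding_list).items():
        if role in roles:
            for subject, bindings in subjects.items():
                rows.extend((ns, role, subject, b) for b in bindings)
    return sorted(rows)

if __name__ == "__main__":
    # Pass "-" to read real `oc get rolebindings -A -o json` output from stdin.
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for row in high_privilege_grants(data):
        print("\t".join(row))
```

The same functions accept the output of oc get clusterrolebindings -o json, where the namespace column is empty.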

 



