
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
Here is a basic illustration of how a user, group or service account get mapped to permissions.
Roles and Role Bindings can be set at the cluster level (applied to every project) or at the project level (applies to a single project).
- Cluster:
- Cluster Role Bindings binds a user, group or service account to a Cluster Role
- Cluster Role contains the list of permission for every project
- Project:
- Role Bindings binds a user, group or service account to a Role
- Role contains the list of permission in a specific project
The oc describe role and oc describe clusterrole commands can be used to list the permissions of what is allowed with a Role or Cluster Role.
~]$ oc describe role my-role
Name: my-role
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get list watch]
Role Bindings and Security Context Constraint are similar in that they both are access control mechanisms.
- Role Bindings are used to control what an OpenShift Users are allowed to do
- Security Context Constraints are used to control what pods are allowed to do
The oc adm policy command can be used to:
- Add or Remove a Role Binding from a User, Group or Service Account (this article)
- Add or Remove a Security Context Constraint from a User, Group or Service Account
The oc create rolebinding or oc create clusterrolebinding commands can be used to create a custom Role Binding instead of using one of the 8 default Role Bindings.
AVOID TROUBLE
Let's say there is already a basic-user Role Binding. If you don't use the --rolebinding-name option, then a new Role Binding such as basic-user-0 will be created. The --rolebinding-name option is used to append additional Users, Groups, or Service Accounts to the Role Binding if it already exists.
add-role-to-user can be used to add a Role Binding to a user.
~]$ oc adm policy add-role-to-user basic-user john.doe --rolebinding-name basic-user
role.rbac.authorization.k8s.io/basic-user added: "john.doe"
Or to a Service Account.
oc adm policy add-role-to-user basic-user -z my-service-account --rolebinding-name basic-user
add-role-to-group can be used to add a Role Binding to a group.
oc adm policy add-role-to-group basic-user my-group --rolebinding-name basic-user
add-cluster-role-to-user can be used to add a Cluster Role Binding to a user.
~]$ oc adm policy add-cluster-role-to-user basic-user john.doe
clusterrole.rbac.authorization.k8s.io/basic-user added: "john.doe"
Or to a Service Account.
oc adm policy add-cluster-role-to-user basic-user -z my-service-account
add-cluster-role-to-group can be usd to add a Cluster Role Binding to a group.
oc adm policy add-cluster-role-to-group basic-user my-group
To append a user, group, or service account to a cluster role binding that already exists, the --rolebinding-name option must be included.
oc adm policy add-cluster-role-to-user basic-user -z my-service-account --rolebinding-name my-basic-users
remove-role-from-user can be used to remove a Role Binding from a user.
~]$ oc adm policy remove-role-from-user basic-user john.doe
role.rbac.authorization.k8s.io/basic-user removed: "john.doe"
Or from a Service Account.
oc adm policy remove-role-from-user basic-user -z my-service-account
remove-role-from-group can be used to add a Role Binding to a group.
oc adm policy remove-role-from-group basic-user my-group
remove-cluster-role-from-user can be used to remove a Cluster Role Binding from a user.
oc adm policy remove-cluster-role-from-user basic-user john.doe
Or from a Service Account.
oc adm policy remove-cluster-role-from-user basic-user -z my-service-account
remove-cluster-role-from-group can be used to remove a Cluster Role Binding from a group.
oc adm policy remove-cluster-role-from-group basic-user my-group
The oc describe rolebinding and oc describe clusterrolebinding commands can be used to list the Users, Groups and Service Accounts associated with the Role Binding.
~]$ oc describe rolebinding basic-user
Name: basic-user
Labels: <none>
Annotations: <none>
Role:
Kind: RoleBinding
Name: basic-user
Subjects:
Kind Name Namespace
---- ---- ---------
User john.doe
Group openshift_admins
ServiceAccount my-service-account
The oc adm policy who-can command can then be used to determine if the user or group has permission to perform an action on a resource, such as creating, updating, or deleting a config map, deployment, pod, project, secret, et cetera.
~]$ oc adm policy who-can create secret
Namespace: my-project
Verb: create
Resource: secrets
Users: system:admin
Groups: my-admins-group
Openshift_Admin
system:cluster-admins
Did you find this article helpful?
If so, consider buying me a coffee over at