Bootstrap FreeKB - OpenShift - Add or Remove a Role Binding from a User Group or Service Account
OpenShift - Add or Remove a Role Binding from a User Group or Service Account


If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

Here is a basic illustration of how a user, group or service account gets mapped to permissions.

 

Roles and Role Bindings can be set at the cluster level (applied to every project) or at the project level (applies to a single project).

  • Cluster:
    • A Cluster Role Binding binds a user, group or service account to a Cluster Role
    • A Cluster Role contains the list of permissions that apply in every project
  • Project:
    • A Role Binding binds a user, group or service account to a Role
    • A Role contains the list of permissions that apply in a specific project

The oc describe role and oc describe clusterrole commands can be used to list the permissions of what is allowed with a Role or Cluster Role.

~]$ oc describe role my-role
Name:         my-role
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]

 

Role Bindings and Security Context Constraint are similar in that they both are access control mechanisms.

  • Role Bindings are used to control what OpenShift Users, Groups and Service Accounts are allowed to do
  • Security Context Constraints are used to control what pods are allowed to do

The oc adm policy command can be used to add a user, group or service account to a Role Binding or Cluster Role Binding, or to remove one; the subcommands are shown below.

The oc create rolebinding or oc create clusterrolebinding commands can be used to create a custom Role Binding instead of using one of the 8 default Role Bindings.

AVOID TROUBLE

Let's say there is already a basic-user Role Binding. If you don't use the --rolebinding-name option, a new Role Binding with an auto-generated name such as basic-user-0 will be created. Use the --rolebinding-name option to append additional Users, Groups, or Service Accounts to a Role Binding that already exists.

 


add-role-to-user can be used to add a Role Binding to a user.

~]$ oc adm policy add-role-to-user basic-user john.doe --rolebinding-name basic-user
role.rbac.authorization.k8s.io/basic-user added: "john.doe"

 

Or to a Service Account.

oc adm policy add-role-to-user basic-user -z my-service-account --rolebinding-name basic-user

 

add-role-to-group can be used to add a Role Binding to a group.

oc adm policy add-role-to-group basic-user my-group --rolebinding-name basic-user

 


add-cluster-role-to-user can be used to add a Cluster Role Binding to a user.

~]$ oc adm policy add-cluster-role-to-user basic-user john.doe
clusterrole.rbac.authorization.k8s.io/basic-user added: "john.doe"

 

Or to a Service Account.

oc adm policy add-cluster-role-to-user basic-user -z my-service-account

 

add-cluster-role-to-group can be used to add a Cluster Role Binding to a group.

oc adm policy add-cluster-role-to-group basic-user my-group

 

To append a user, group, or service account to a cluster role binding that already exists, the --rolebinding-name option must be included.

oc adm policy add-cluster-role-to-user basic-user -z my-service-account --rolebinding-name my-basic-users

 


remove-role-from-user can be used to remove a Role Binding from a user.

~]$ oc adm policy remove-role-from-user basic-user john.doe
role.rbac.authorization.k8s.io/basic-user removed: "john.doe"

 

Or from a Service Account.

oc adm policy remove-role-from-user basic-user -z my-service-account

 

remove-role-from-group can be used to remove a Role Binding from a group.

oc adm policy remove-role-from-group basic-user my-group

 


remove-cluster-role-from-user can be used to remove a Cluster Role Binding from a user.

oc adm policy remove-cluster-role-from-user basic-user john.doe

 

Or from a Service Account.

oc adm policy remove-cluster-role-from-user basic-user -z my-service-account

 

remove-cluster-role-from-group can be used to remove a Cluster Role Binding from a group.

oc adm policy remove-cluster-role-from-group basic-user my-group

 

The oc describe rolebinding and oc describe clusterrolebinding commands can be used to list the Users, Groups and Service Accounts associated with the Role Binding.

~]$ oc describe rolebinding basic-user
Name:         basic-user
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  RoleBinding
  Name:  basic-user
Subjects:
  Kind            Name              Namespace
  ----            ----              ---------
  User            john.doe
  Group           openshift_admins
  ServiceAccount  my-service-account
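
As an added example (not code from this article or from OpenShift itself), the Python script below reads the JSON that oc get rolebinding -n <project> -o json prints and does the checks the AVOID TROUBLE note and the oc describe rolebinding output above describe by hand: it lists every subject bound to each role across all of the project's Role Bindings, flags auto-suffixed bindings such as basic-user-0 that appear when --rolebinding-name was omitted, and builds the oc adm policy command that reuses the existing binding name. The embedded JSON sample is constructed, not captured from a cluster, the function names are my own, and the -n flag assumes the project is passed explicitly.

```python
"""Audit a project's Role Bindings from `oc get rolebinding -o json` output.

Added example, not from the article or from OpenShift. Assumes the JSON
shape that `oc get rolebinding -n <project> -o json` prints: a List whose
items carry metadata, roleRef and subjects. The sample is constructed.
"""
import json
import re
import sys
from collections import defaultdict

# Constructed sample shaped like `oc get rolebinding -n my-project -o json`.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "basic-user", "namespace": "my-project"},
         "roleRef": {"kind": "ClusterRole", "name": "basic-user"},
         "subjects": [
             {"kind": "User", "name": "john.doe"},
             {"kind": "Group", "name": "openshift_admins"},
             {"kind": "ServiceAccount", "name": "my-service-account",
              "namespace": "my-project"},
         ]},
        # Created by add-role-to-user without --rolebinding-name:
        {"metadata": {"name": "basic-user-0", "namespace": "my-project"},
         "roleRef": {"kind": "ClusterRole", "name": "basic-user"},
         "subjects": [{"kind": "User", "name": "jane.doe"}]},
        {"metadata": {"name": "admin", "namespace": "my-project"},
         "roleRef": {"kind": "ClusterRole", "name": "admin"},
         "subjects": [{"kind": "Group", "name": "my-admins-group"}]},
    ],
})


def load_bindings(raw):
    """Parse the oc JSON list and return its items."""
    return json.loads(raw).get("items", [])


def subjects_by_role(bindings):
    """Map role name -> sorted 'Kind:name' subjects, merged across all bindings
    that reference that role (so basic-user and basic-user-0 are seen together)."""
    out = defaultdict(set)
    for b in bindings:
        role = b["roleRef"]["name"]
        for s in b.get("subjects") or []:
            out[role].add(f'{s["kind"]}:{s["name"]}')
    return {role: sorted(v) for role, v in out.items()}


def binding_for_role(bindings, role):
    """Name of the first existing binding for `role`, or None if there is none."""
    for b in bindings:
        if b["roleRef"]["name"] == role:
            return b["metadata"]["name"]
    return None


def auto_suffixed_duplicates(bindings):
    """Bindings named <role>-<N> that coexist with a binding named <role>:
    the symptom of running add-role-to-* without --rolebinding-name."""
    names = {b["metadata"]["name"] for b in bindings}
    dups = []
    for b in bindings:
        name, role = b["metadata"]["name"], b["roleRef"]["name"]
        if re.fullmatch(re.escape(role) + r"-\d+", name) and role in names:
            dups.append(name)
    return sorted(dups)


def add_role_command(bindings, role, subject, kind="user", namespace="my-project"):
    """Build the oc adm policy command that appends `subject` (kind: user, group
    or serviceaccount) to the existing binding for `role` via --rolebinding-name,
    falling back to a binding named after the role when none exists yet."""
    sub = "add-role-to-group" if kind == "group" else "add-role-to-user"
    flag = "-z " if kind == "serviceaccount" else ""
    name = binding_for_role(bindings, role) or role
    return (f"oc adm policy {sub} {role} {flag}{subject} "
            f"--rolebinding-name {name} -n {namespace}")


def report(raw):
    """Print a human-readable audit and return the duplicate list."""
    bindings = load_bindings(raw)
    for role, subs in sorted(subjects_by_role(bindings).items()):
        print(f"{role}: {', '.join(subs)}")
    dups = auto_suffixed_duplicates(bindings)
    for d in dups:
        print(f"WARNING: {d} looks auto-generated; consolidate with --rolebinding-name")
    return dups


if __name__ == "__main__":
    # Usage: oc get rolebinding -n my-project -o json | python3 rb_audit.py -
    report(sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE)
```

Run it with the project's real output piped in (oc get rolebinding -n my-project -o json | python3 rb_audit.py -) and compare the merged subject list against what oc describe rolebinding shows for each binding; a basic-user-0 warning means a subject was added without --rolebinding-name and the two bindings should be consolidated so that remove-role-from-user later removes the subject from the binding you expect.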

 

The oc adm policy who-can command can then be used to determine if the user or group has permission to perform an action on a resource, such as creating, updating, or deleting a config map, deployment, pod, project, secret, et cetera.

~]$ oc adm policy who-can create secret

Namespace: my-project
Verb:      create
Resource:  secrets

Users:  system:admin
Groups: my-admins-group
        Openshift_Admin
        system:cluster-admins

 
