If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

Here is a basic illustration of how a user, group or service account get mapped to permissions.

Roles and Role Bindings can be set at the cluster level (applied to every project) or at the project level (applies to a single project).

• Cluster:
  • Cluster Role Bindings binds a user, group or service account to a Cluster Role
  • Cluster Role contains the list of permission for every project
• Project:
  • ​Role Bindings binds a user, group or service account to a Role
  • Role contains the list of permission in a specific project

The oc describe role and oc describe clusterrole commands can be used to list the permissions of what is allowed with a Role or Cluster Role.

~]$ oc describe role my-role
Name:         my-role
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]

Role Bindings and Security Context Constraint are similar in that they both are access control mechanisms.

• Role Bindings are used to control what an OpenShift Users are allowed to do
• Security Context Constraints are used to control what pods are allowed to do

The oc adm policy command can be used to:

• Add or Remove a Role Binding from a User, Group or Service Account (this article)
• Add or Remove a Security Context Constraint from a User, Group or Service Account

The oc create rolebinding or oc create clusterrolebinding commands can be used to create a custom Role Binding instead of using one of the 8 default Role Bindings.

AVOID TROUBLE

Let's say there is already a basic-user Role Binding. If you don't use the --rolebinding-name option, then a new Role Binding such as basic-user-0 will be created. The --rolebinding-name option is used to append additional Users, Groups, or Service Accounts to the Role Binding if it already exists.

add-role-to-user can be used to add a Role Binding to a user.

~]$ oc adm policy add-role-to-user basic-user john.doe --rolebinding-name basic-user
role.rbac.authorization.k8s.io/basic-user added: "john.doe"

Or to a Service Account.

oc adm policy add-role-to-user basic-user -z my-service-account --rolebinding-name basic-user

add-role-to-group can be used to add a Role Binding to a group.

oc adm policy add-role-to-group basic-user my-group --rolebinding-name basic-user

add-cluster-role-to-user can be used to add a Cluster Role Binding to a user.

~]$ oc adm policy add-cluster-role-to-user basic-user john.doe
clusterrole.rbac.authorization.k8s.io/basic-user added: "john.doe"

Or to a Service Account.

oc adm policy add-cluster-role-to-user basic-user -z my-service-account

add-cluster-role-to-group can be usd to add a Cluster Role Binding to a group.

oc adm policy add-cluster-role-to-group basic-user my-group

To append a user, group, or service account to a cluster role binding that already exists, the --rolebinding-name option must be included.

oc adm policy add-cluster-role-to-user basic-user -z my-service-account --rolebinding-name my-basic-users

remove-role-from-user can be used to remove a Role Binding from a user.

~]$ oc adm policy remove-role-from-user basic-user john.doe
role.rbac.authorization.k8s.io/basic-user removed: "john.doe"

Or from a Service Account.

oc adm policy remove-role-from-user basic-user -z my-service-account

remove-role-from-group can be used to add a Role Binding to a group.

oc adm policy remove-role-from-group basic-user my-group

remove-cluster-role-from-user can be used to remove a Cluster Role Binding from a user.

oc adm policy remove-cluster-role-from-user basic-user john.doe

Or from a Service Account.

oc adm policy remove-cluster-role-from-user basic-user -z my-service-account

remove-cluster-role-from-group can be used to remove a Cluster Role Binding from a group.

oc adm policy remove-cluster-role-from-group basic-user my-group

The oc describe rolebinding and oc describe clusterrolebinding commands can be used to list the Users, Groups and Service Accounts associated with the Role Binding.

~]$ oc describe rolebinding basic-user
Name:         basic-user
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  RoleBinding
  Name:  basic-user
Subjects:
  Kind            Name              Namespace
  ----            ----              ---------
  User            john.doe
  Group           openshift_admins
  ServiceAccount  my-service-account

The oc adm policy who-can command can then be used to determine if the user or group has permission to perform an action on a resource, such as creating, updating, or deleting a config map, deployment, pod, project, secret, et cetera.

~]$ oc adm policy who-can create secret

Namespace: my-project
Verb:      create
Resource:  secrets

Users:  system:admin
Groups: my-admins-group
        Openshift_Admin
        system:cluster-admins