If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
Here is an illustration of how a user, group or service account get mapped to permissions. There are a number of different ways to design this, typically based on your organizations needs.
Cluster Role Binding maps a user, group or service account to a Cluster Role which will have policies that allow certain actions (such as create or delete or list) on certain resources (such as deployments, pods)
Role Bindings maps a user, group or service account to a Role or to a Cluster Role which will have policies that allow certain actions (such as create or delete or list) on certain resources (such as deployments, pods)
Cluster Role is often used by a number of different users, groups and service accounts in various projects, thus a Cluster Role contains the default actions (such as list, get, watch) on certain resources (such as deployments, pods) that users, groups, or service accounts are allowed to do across namespaces.
Role if isolated to a user, group or service account in a specific project, as a way of granting specific actions (such as create and delete and update) on certain resources (such as services and routes).
The oc describe role and oc describe clusterrole commands can be used to list the permissions of what is allowed with a Role or Cluster Role.
~]$ oc describe role my-role
Name: my-role
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get list watch]
Role Bindings and Security Context Constraint are similar in that they both are access control mechanisms.
- Role Bindings are used to allow users, groups and service accounts certain actions (such as create or delete or list) on certain resources (such as deployments, pods)
- Security Context Constraints are used to control what pods are allowed to do
The oc adm policy command can be used to:
- Add or Remove a Role Binding from a User, Group or Service Account (this article)
- Add or Remove a Security Context Constraint from a User, Group or Service Account
The oc create rolebinding or oc create clusterrolebinding commands can be used to create a custom Role Binding instead of using one of the 8 default Role Bindings.
AVOID TROUBLE
Let's say there is already a basic-user Role Binding. If you don't use the --rolebinding-name option, then a new Role Binding such as basic-user-0 will be created. The --rolebinding-name option is used to append additional Users, Groups, or Service Accounts to the Role Binding if it already exists.
Here is how you can create a Role Binding that gives user john.doe the cluster-admin role.
oc create clusterrolebinding my-cluster-role-binding --clusterrole cluster-admin --user john.doe
Or to a Group.
oc create clusterrolebinding my-cluster-role-binding --clusterrole cluster-admin --group my-group
Or to a Service Account where my-service-account is in namespace my-project.
oc create clusterrolebinding my-cluster-role-binding --clusterrole cluster-admin --serviceaccount my-project:my-service-account
add-role-to-user can be used to add a Role Binding to a user.
~]$ oc adm policy add-role-to-user basic-user john.doe --rolebinding-name basic-user
role.rbac.authorization.k8s.io/basic-user added: "john.doe"
Or to a Service Account.
oc adm policy add-role-to-user basic-user -z my-service-account --rolebinding-name basic-user
add-role-to-group can be used to add a Role Binding to a group.
oc adm policy add-role-to-group basic-user my-group --rolebinding-name basic-user
add-cluster-role-to-user can be used to add a Cluster Role Binding to a user.
~]$ oc adm policy add-cluster-role-to-user basic-user john.doe
clusterrole.rbac.authorization.k8s.io/basic-user added: "john.doe"
Or to a Service Account.
oc adm policy add-cluster-role-to-user basic-user -z my-service-account
add-cluster-role-to-group can be usd to add a Cluster Role Binding to a group.
oc adm policy add-cluster-role-to-group basic-user my-group
To append a user, group, or service account to a cluster role binding that already exists, the --rolebinding-name option must be included.
oc adm policy add-cluster-role-to-user basic-user -z my-service-account --rolebinding-name my-basic-users
remove-role-from-user can be used to remove a Role Binding from a user.
~]$ oc adm policy remove-role-from-user basic-user john.doe
role.rbac.authorization.k8s.io/basic-user removed: "john.doe"
Or from a Service Account.
oc adm policy remove-role-from-user basic-user -z my-service-account
remove-role-from-group can be used to add a Role Binding to a group.
oc adm policy remove-role-from-group basic-user my-group
remove-cluster-role-from-user can be used to remove a Cluster Role Binding from a user.
oc adm policy remove-cluster-role-from-user basic-user john.doe
Or from a Service Account.
oc adm policy remove-cluster-role-from-user basic-user -z my-service-account
remove-cluster-role-from-group can be used to remove a Cluster Role Binding from a group.
oc adm policy remove-cluster-role-from-group basic-user my-group
The oc describe rolebinding and oc describe clusterrolebinding commands can be used to list the Users, Groups and Service Accounts associated with the Role Binding.
~]$ oc describe rolebinding basic-user
Name: basic-user
Labels: <none>
Annotations: <none>
Role:
Kind: RoleBinding
Name: basic-user
Subjects:
Kind Name Namespace
---- ---- ---------
User john.doe
Group openshift_admins
ServiceAccount my-service-account
The oc adm policy who-can command can then be used to determine if the user or group has permission to perform an action on a resource, such as creating, updating, or deleting a config map, deployment, pod, project, secret, et cetera.
~]$ oc adm policy who-can create secret
Namespace: my-project
Verb: create
Resource: secrets
Users: system:admin
Groups: my-admins-group
Openshift_Admin
system:cluster-admins
Did you find this article helpful?
If so, consider buying me a coffee over at 