Bootstrap FreeKB - OpenShift - Create Roles
OpenShift - Create Roles


If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

Role Bindings are a way to map subjects (user, group, service account) to a Role or Cluster Role, so that the subjects have permission to perform certain actions (e.g. create, delete) on certain resources (e.g. deployments, secrets). In other words, Role Bindings are a way to apply Role Based Access Control (RBAC). Here is an illustration of how subjects (user, group, service account) get mapped to permissions. There are a number of different ways to design this, typically based on your organization's needs.

 

A Cluster Role Binding maps a user, group or service account to a Cluster Role, which has policies that allow certain actions (such as create, delete or list) on certain resources (such as deployments or pods) across the whole cluster.

A Role Binding maps a user, group or service account to a Role or to a Cluster Role, which has policies that allow certain actions (such as create, delete or list) on certain resources (such as deployments or pods), but only within the namespace the Role Binding is created in.

A Cluster Role is often used by a number of different users, groups and service accounts in various projects, thus a Cluster Role typically contains the default actions (such as list, get, watch) on certain resources (such as deployments, pods) that users, groups, or service accounts are allowed to perform across namespaces.

A Role is isolated to a user, group or service account in a specific project, as a way of granting specific actions (such as create, delete and update) on certain resources (such as services and routes) in that project only.

When creating a role, you will include verbs, which are basically the allowed permissions. The following verbs can be used.

  • create
  • delete
  • deletecollection
  • get
  • list
  • patch
  • update
  • watch

And you will list the resource the role should be applied to. For example, following are some of the more common resources.

  • configmaps
  • namespaces
  • pods
  • projects
  • routes
  • secrets
  • services

 

Create a Role

The oc create role command can be used to create a role that can be used in your currently selected project.

oc create role my-role --verb get --verb list --verb watch --resource pods

 

The --namespace option can be used to create a role in a certain namespace rather than the currently selected project.

oc create role my-role --verb get --verb list --verb watch --resource pods --namespace my-project

 

Or in the OpenShift console, as Administrator, at User Management > Roles > Create Role.

 

Create a Cluster Role

The oc create clusterrole command can be used to create a Cluster Role. Cluster Roles can be associated with a Role Binding or a Cluster Role Binding so that subjects (users, groups, service accounts) have the permissions in the Cluster Role. Whereas a Role is isolated to a single namespace, a Cluster Role can be associated with a Role Binding or a Cluster Role Binding in any namespace.

oc create clusterrole my-cluster-role --verb get --verb list --verb watch --resource pods

 

Or, you can create a cluster role using a template JSON or YAML file. Check out my article FreeKB - OpenShift - Create Cluster Role using a YAML template file.

 

Or in the OpenShift console, in the Administrator view, at User Management > Roles > Create Role.

 

Listing Roles and Cluster Roles

The oc get roles command can be used to list the roles that have been created in your currently selected project.

~]$ oc get roles
NAME                  CREATED AT
my-role               2023-01-05T08:19:22Z

 

Or in the OpenShift console at User Management > Roles.

 

 

The oc get clusterroles command can be used to list the Cluster Roles that are automatically included with OpenShift and any additional Cluster Roles that you have created.

~]$ oc get clusterroles
NAME                  CREATED AT
admin                 2021-07-16T17:15:10Z
my-cluster-role       2023-01-05T08:19:22Z
basic-user            2021-07-16T17:15:10Z
cluster-admin         2021-07-16T17:15:10Z
cluster-reader        2021-07-16T17:15:10Z
cluster-status        2021-07-16T17:15:10Z
edit                  2021-07-16T17:15:10Z
self-provisioner      2021-07-16T17:15:10Z
view                  2021-07-16T17:15:10Z

 

Or in the OpenShift console at User Management > Roles.

 

By default, an OpenShift cluster should include the following Cluster Roles.

Cluster Role        Description
admin               Allowed to view and edit/modify all resources except for quota
basic-user          No access to projects or resources (I'm not sure why you would ever want to apply this role to a user)
cluster-admin       Full control
cluster-status      View basic cluster status information
cluster-reader      Allowed to view, but cannot edit or modify
edit                Allowed to view and edit certain resources such as deployments/pods/services/routes, but not allowed to view or edit resources such as role bindings
self-provisioner    User can create their own projects
view                Allowed to view resources, but cannot edit or modify resources

 

Determine if a User, Group or Service Account has permission to perform an action on a resource

Check out my article Determine if a User, Group or Service Account has permission to perform an action on a resource
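To make concrete how the verbs and resources in a Role decide whether an action is allowed, here is an added example (not part of this article and not OpenShift's own code): a small offline evaluator of RBAC rules. The role named my-role mirrors the oc create role command above; the edit-like role and the name edit-like-example are constructed for illustration.

```python
# Added example: minimal offline evaluator of Kubernetes/OpenShift RBAC rules.
# Rule fields follow the RBAC API (apiGroups, resources, verbs); resourceNames
# and nonResourceURLs are deliberately left out to keep the core logic visible.

def rule_matches(rule, verb, resource, api_group=""):
    """True if one RBAC rule grants `verb` on `resource` in `api_group`.
    '*' in any field is a wildcard, exactly as RBAC treats it. Core resources
    such as pods and secrets live in the empty ("") API group."""
    def field_ok(values, wanted):
        return "*" in values or wanted in values
    return (field_ok(rule.get("apiGroups", []), api_group)
            and field_ok(rule.get("resources", []), resource)
            and field_ok(rule.get("verbs", []), verb))

def role_allows(role, verb, resource, api_group=""):
    """Rules are purely additive: the action is allowed if ANY rule grants it.
    RBAC has no deny rule, so nothing can subtract a permission once granted."""
    return any(rule_matches(r, verb, resource, api_group) for r in role["rules"])

# Same permissions as:
#   oc create role my-role --verb get --verb list --verb watch --resource pods
MY_ROLE = {
    "kind": "Role",
    "metadata": {"name": "my-role", "namespace": "my-project"},
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "list", "watch"]}],
}

# Constructed stand-in for an "edit"-style Cluster Role: full control over
# deployments (apps group), read-only on secrets. Note that "delete" does not
# imply "deletecollection"; each verb must be granted explicitly.
EDIT_LIKE = {
    "kind": "ClusterRole",
    "metadata": {"name": "edit-like-example"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    ],
}

if __name__ == "__main__":
    checks = [(MY_ROLE, "list", "pods", ""), (MY_ROLE, "delete", "pods", ""),
              (EDIT_LIKE, "delete", "deployments", "apps"),
              (EDIT_LIKE, "update", "secrets", "")]
    for role, verb, res, grp in checks:
        print(role["metadata"]["name"], verb, res, "->",
              role_allows(role, verb, res, grp))
```

Because rules only add permissions, the safe way to keep a Role narrow is to list exactly the verbs and resources needed rather than reaching for the `*` wildcard.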
