Bootstrap FreeKB - OpenShift - Create Role using a YAML template file
OpenShift - Create Role using a YAML template file


If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

Here is an illustration of how a user, group or service account gets mapped to permissions. There are a number of different ways to design this, typically based on your organization's needs.


A Cluster Role Binding maps a user, group or service account to a Cluster Role, which has policies that allow certain actions (such as create, delete or list) on certain resources (such as deployments or pods).

A Role Binding maps a user, group or service account to a Role or to a Cluster Role, which has policies that allow certain actions (such as create, delete or list) on certain resources (such as deployments or pods).

A Cluster Role is often used by a number of different users, groups and service accounts in various projects, thus a Cluster Role contains the default actions (such as list, get, watch) on certain resources (such as deployments, pods) that users, groups, or service accounts are allowed to perform across namespaces.

A Role is isolated to a user, group or service account in a specific project, as a way of granting specific actions (such as create, delete and update) on certain resources (such as services and routes).

When creating a role, you will include verbs, which are the actions the role permits. The following verbs can be used.

  • create
  • delete
  • deletecollection
  • get
  • list
  • patch
  • update
  • watch

And you will list the resources the role should apply to. For example, the following are some of the more common resources.

  • configmaps
  • namespaces
  • pods
  • projects
  • routes
  • secrets
  • services

A JSON or YAML file containing key value pairs can be used to create an object, such as a config map, deployment, project, pod, route, secret, service, et cetera. These files are known as templates. The oc explain command can be used to get the list of keys that can be used in the JSON or YAML template file.

oc explain clusterrole


And then more details on each key can be displayed.

oc explain clusterrole.rules


For example, let's say you have a YAML file named ldap-group-sync.yml that contains the following markup. In this example, a cluster role named "ldap-group-sync" will be created.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ldap-group-sync

rules:
- apiGroups:
  - user.openshift.io
  resources:
  - groups
  verbs:
  - create
  - update
  - patch
  - delete
  - get
  - list

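As an added example (not from this article), the following Python mirrors the ldap-group-sync rules above as plain dicts and evaluates RBAC requests against them offline, which is a quick way to confirm a role grants exactly the verbs and resources you intended and nothing broader. Rule semantics follow Kubernetes RBAC: apiGroups, resources and verbs must all match, "*" matches anything, and rules are purely additive; the function and variable names are this example's own.

```python
"""Evaluate Kubernetes/OpenShift RBAC rules offline (added example)."""
from typing import Iterable, List, Optional

# Constructed to mirror the rules block of ldap-group-sync.yml on this page.
LDAP_GROUP_SYNC_RULES = [
    {
        "apiGroups": ["user.openshift.io"],
        "resources": ["groups"],
        "verbs": ["create", "update", "patch", "delete", "get", "list"],
    },
]


def _matches(allowed: Iterable[str], value: str) -> bool:
    """RBAC list semantics: '*' matches anything, otherwise exact match."""
    return any(a == "*" or a == value for a in allowed)


def rule_allows(rule: dict, verb: str, resource: str, api_group: str = "",
                name: Optional[str] = None) -> bool:
    """True if one rule grants `verb` on `resource` in `api_group`.

    api_group="" is the core group (pods, secrets, configmaps, ...).
    An absent/empty resourceNames list means the rule covers all objects.
    """
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    if not _matches(rule.get("verbs", []), verb):
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names


def role_allows(rules: List[dict], verb: str, resource: str,
                api_group: str = "", name: Optional[str] = None) -> bool:
    """Rules are additive: any single matching rule grants the request."""
    return any(rule_allows(r, verb, resource, api_group, name) for r in rules)


def wildcard_findings(rules: List[dict]) -> List[str]:
    """Least-privilege review: report every field that uses '*'."""
    findings = []
    for i, r in enumerate(rules):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in r.get(field, []):
                findings.append(f"rule[{i}].{field} uses wildcard '*'")
    return findings


if __name__ == "__main__":
    print(role_allows(LDAP_GROUP_SYNC_RULES, "get", "groups", "user.openshift.io"))
    print(role_allows(LDAP_GROUP_SYNC_RULES, "get", "pods"))  # core group, not granted
```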

The oc apply or oc create command with the -f or --filename option can be used to create the cluster role from the JSON or YAML template file.

The oc replace command can be used to replace a cluster role using a new or updated JSON or YAML template file.

The oc edit command can be used to edit an existing cluster role.

~]$ oc apply --filename ldap-group-sync.yml
rbac.authorization.k8s.io/ldap-group-sync created


Or, the oc create role command can be used to create a role that can be used in your currently selected project.

~]# oc create role my-role --verb get --verb list --verb watch --resource pods
role.rbac.authorization.k8s.io/my-role created


Or, the oc create clusterrole command can be used to create a role that can be used in any project.

~]$ oc create clusterrole my-cluster-role --verb get --verb list --verb watch --resource pods
clusterrole.rbac.authorization.k8s.io/my-cluster-role created


The oc get clusterrole command can then be used to confirm that the cluster role exists.

~]$ oc get clusterrole ldap-group-sync
NAME              CREATED AT
ldap-group-sync   2023-08-17T02:41:04Z
