OpenShift RBAC - Almax84/consulting-wiki GitHub Wiki

Rule: A set of allowed actions (verbs such as get, list, create, delete) on a resource or group of resources. Rules only grant; OpenShift RBAC has no deny rules.
Role: A set of rules. Users and groups can be associated with multiple roles, and their effective permissions are the union of all of them.
Binding: The assignment of users, groups or service accounts to a role.

Cluster Role: A role defined at cluster scope. Bound through a cluster role binding it applies in every project; bound through a local role binding it applies only in that project. Most of the default roles (admin, edit, view, cluster-admin) are cluster roles.
Local Role: A role defined inside a project. Users or groups bound to it can only manage elements of that project.

Cluster role bindings are not overridden by local role bindings, nor the other way round: authorization is additive, so a request is allowed as soon as any binding (cluster or local) grants it. A permission granted cluster-wide therefore holds in every project, including projects where the user has no local binding, and a local binding can only add to it, never narrow it.
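To make the additive model concrete, here is an added example (written for this page, not code from the wiki or from OpenShift) that models rules, roles and both binding scopes in Python and answers the same question as oc adm policy who-can for constructed users, groups and roles. The users admin1 and dev1, the group team-a, the project auth-rbac, and the trimmed-down edit and view rule sets are assumptions; the real default roles carry far more rules.

```python
"""Minimal model of OpenShift RBAC evaluation (added example, not project code).

A Rule grants verbs on resources; a Role is a set of rules; a Binding attaches
a role to subjects. Evaluation is allow-only: any matching grant wins and
nothing can deny, so cluster-wide and project-local grants simply add up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: frozenset   # "" is the core API group, "*" matches everything
    resources: frozenset
    verbs: frozenset

    def allows(self, api_group, resource, verb):
        return (("*" in self.api_groups or api_group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))


@dataclass(frozen=True)
class Role:
    name: str
    rules: tuple            # tuple of Rule


@dataclass(frozen=True)
class Binding:
    role: Role
    subjects: frozenset     # pairs like ("User", "alice") or ("Group", "team-a")
    namespace: str = ""     # "" = ClusterRoleBinding; otherwise a RoleBinding in that project


def can(bindings, user, groups, verb, resource, namespace, api_group=""):
    """True if `user` (member of `groups`) may do `verb` on `resource` in `namespace`."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for b in bindings:
        if not (b.subjects & subjects):
            continue
        # A RoleBinding only grants inside its own project, even when it points at
        # a cluster role; a ClusterRoleBinding grants in every project.
        if b.namespace and b.namespace != namespace:
            continue
        if any(r.allows(api_group, resource, verb) for r in b.role.rules):
            return True
    return False  # no grant matched; RBAC has no deny rules, absence of a grant is the denial


# Constructed roles approximating the defaults discussed on the page (rule sets are simplified).
CLUSTER_ADMIN = Role("cluster-admin", (Rule(frozenset({"*"}), frozenset({"*"}), frozenset({"*"})),))
EDIT = Role("edit", (Rule(frozenset({"", "apps"}),
                          frozenset({"pods", "services", "deployments"}),
                          frozenset({"get", "list", "create", "update", "delete"})),))
VIEW = Role("view", (Rule(frozenset({"", "apps"}),
                          frozenset({"pods", "services", "deployments", "resourcequotas"}),
                          frozenset({"get", "list"})),))

# Constructed bindings: admin1 is cluster-admin everywhere, dev1 has edit only in
# auth-rbac (a cluster role bound locally), and group team-a can view every project.
BINDINGS = (
    Binding(CLUSTER_ADMIN, frozenset({("User", "admin1")})),
    Binding(EDIT, frozenset({("User", "dev1")}), namespace="auth-rbac"),
    Binding(VIEW, frozenset({("Group", "team-a")})),
)

if __name__ == "__main__":
    checks = [("admin1", [], "delete", "resourcequotas", "any-project"),
              ("dev1", ["team-a"], "delete", "pods", "auth-rbac"),
              ("dev1", ["team-a"], "delete", "pods", "other-project"),
              ("dev1", ["team-a"], "list", "pods", "other-project"),
              ("dev1", ["team-a"], "delete", "resourcequotas", "auth-rbac")]
    for who, grp, verb, res, ns in checks:
        print(f"{who:7} {verb:6} {res:15} in {ns:14}: {can(BINDINGS, who, grp, verb, res, ns)}")
```

The dev1 cases are the ones to study: the edit binding grants delete on pods in auth-rbac only, the cluster-wide view grant through team-a still lets dev1 list pods in every other project, and neither binding lets dev1 delete quotas, matching the edit role description later on this page.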

Grant a cluster role to a user:
oc adm policy add-cluster-role-to-user <cluster-role> <username>
Ex. oc adm policy add-cluster-role-to-user cluster-admin username

Revoke a cluster role from a user:
oc adm policy remove-cluster-role-from-user <cluster-role> <username>
Ex. oc adm policy remove-cluster-role-from-user cluster-admin username

Check which users and groups can perform a verb on a resource (here: who can delete User objects). Add -n <project> when asking about a namespaced resource in a specific project:
oc adm policy who-can delete user

Default Roles
admin: Users with this role can manage all project resources, including granting other users access to the project.
basic-user: Users with this role can get basic information about projects and users. It does not by itself give read access to a project's resources; that is the view role.
cluster-admin: Users with this role have superuser access to the cluster resources. These users can perform any action on the cluster and have full control of all projects.
cluster-status: Users with this role can get basic cluster status information.
edit: Users with this role can create, change, and delete common application resources in the project, such as services and deployments. These users cannot act on management resources such as limit ranges and quotas, and cannot manage access permissions to the project.
self-provisioner: Users with this role can create new projects. This is a cluster role, not a project role; the installer grants it to every OAuth-authenticated user through the self-provisioners cluster role binding.
view: Users with this role can view project resources, but cannot modify them.

Add a role to a user in a project:
oc policy add-role-to-user role-name username -n project

USER TYPES

Regular users: Interactive users, represented by User objects, for example a developer who logs in with oc login.

System Users:
Many system users are created automatically when the infrastructure is defined, mainly for the purpose of enabling the infrastructure to securely interact with the API. System users include a cluster administrator (with access to everything), a per-node user, users for routers and registries, and various others. An anonymous system user is used by default for unauthenticated requests. Examples of system users include: system:admin, system:openshift-registry, and system:node:node1.example.com

Service accounts: These are special system users associated with projects. Some service account users are created automatically when the project is first created. Project administrators can create more for the purpose of defining access to the contents of each project. Service accounts are often used to give extra privileges to pods or deployments. Service accounts are represented with the ServiceAccount object. Examples of service account users include system:serviceaccount:default:deployer and system:serviceaccount:foo:builder.

Get cluster role bindings:
oc get clusterrolebinding

Example:

oc get clusterrolebinding -o wide | grep -E 'NAME|self-provisioners'

Describe the cluster role binding to see which users, groups and service accounts are bound to it:
oc describe clusterrolebinding self-provisioners

Remove a cluster role from a group (here: stop all OAuth-authenticated users from creating projects). oc prints a warning that this change can be reverted when the control plane reconciles the default policy unless the binding is annotated with rbac.authorization.kubernetes.io/autoupdate=false; heed it, or the self-provisioner grant quietly comes back.
oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth

Grant project administration privileges to the leader user on the auth-rbac project
oc policy add-role-to-user admin leader -n auth-rbac

Get the role bindings in a namespace (who can do what in that project):
oc get rolebindings -o wide -n namespace

Restore project creation privileges for all users by recreating the self-provisioners cluster role binding that the OpenShift installer creates. The warning that the group was not found can safely be ignored: system:authenticated:oauth is a virtual group populated by the authentication layer, not a Group object stored in the cluster.

oc adm policy add-cluster-role-to-group --rolebinding-name self-provisioners self-provisioner system:authenticated:oauth
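As an added example that is not part of the wiki, the following Python script consumes the JSON form of the listing above (oc get clusterrolebindings -o json) and answers the audit questions this section raises: who holds cluster-admin, whether self-provisioner is still bound to system:authenticated:oauth, and which bindings deserve review. The embedded SAMPLE is constructed and shaped like the API's List output; the bindings contractor-admin, anon-status and orphaned, and the allow-list of expected broad-group grants, are assumptions to adjust for your own cluster.

```python
"""Audit ClusterRoleBindings from `oc get clusterrolebindings -o json` (added example).

Usage:  oc get clusterrolebindings -o json | python3 crb_audit.py
Run without piped input it analyses the constructed SAMPLE below instead.
"""
import json
import sys

# Constructed sample shaped like the API's List output; it is not a dump from any real cluster.
# contractor-admin, anon-status and orphaned are made-up bindings that exist only to be flagged.
_RR = {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole"}
SAMPLE = {"apiVersion": "v1", "kind": "List", "items": [
    {"metadata": {"name": "cluster-admin"}, "roleRef": {**_RR, "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "self-provisioners"}, "roleRef": {**_RR, "name": "self-provisioner"},
     "subjects": [{"kind": "Group", "name": "system:authenticated:oauth"}]},
    {"metadata": {"name": "contractor-admin"}, "roleRef": {**_RR, "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
    {"metadata": {"name": "anon-status"}, "roleRef": {**_RR, "name": "cluster-status"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "orphaned"}, "roleRef": {**_RR, "name": "view"}},  # no subjects key at all
]}

BROAD_GROUPS = {"Group:system:authenticated", "Group:system:authenticated:oauth",
                "Group:system:unauthenticated"}
# Broad-group grants that are expected: the page documents this one installer default. A real
# cluster has more (assumption: extend this set with defaults you have verified, or they get listed).
EXPECTED_BROAD = {("self-provisioner", "Group:system:authenticated:oauth")}


def subject_id(subject):
    """Render a subject the way OpenShift names it (system:serviceaccount:<ns>:<name> for SAs)."""
    if subject.get("kind") == "ServiceAccount":
        return f"system:serviceaccount:{subject.get('namespace', '')}:{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def holders(items, role_name):
    """Every subject bound to `role_name` by any cluster role binding, sorted."""
    return sorted({subject_id(s) for b in items if b["roleRef"]["name"] == role_name
                   for s in b.get("subjects", [])})


def self_provisioning_enabled(items):
    """True while every OAuth-authenticated user can still create projects."""
    return "Group:system:authenticated:oauth" in holders(items, "self-provisioner")


def remove_group(items, role_name, group):
    """Model `oc adm policy remove-cluster-role-from-group ROLE GROUP` on the dump: drop the
    group from the subjects of every binding of that role; the binding object itself stays."""
    out = []
    for b in items:
        if b["roleRef"]["name"] == role_name:
            subs = [s for s in b.get("subjects", []) if subject_id(s) != f"Group:{group}"]
            b = {**b, "subjects": subs}
        out.append(b)
    return out


def risky_bindings(items):
    """Bindings worth a reviewer's attention: cluster-admin outside system:masters, and any
    role handed to a broad virtual group that is not on the expected list."""
    findings = []
    for b in items:
        role = b["roleRef"]["name"]
        for s in b.get("subjects", []):
            sid = subject_id(s)
            if role == "cluster-admin" and sid != "Group:system:masters":
                findings.append((b["metadata"]["name"], f"cluster-admin granted to {sid}"))
            elif sid in BROAD_GROUPS and (role, sid) not in EXPECTED_BROAD:
                findings.append((b["metadata"]["name"], f"{role} granted to broad group {sid}"))
    return findings


def main():
    items = SAMPLE["items"] if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    print("cluster-admin holders:", ", ".join(holders(items, "cluster-admin")) or "(none)")
    print("self-provisioning for all OAuth users:", self_provisioning_enabled(items))
    for name, why in risky_bindings(items):
        print(f"REVIEW {name}: {why}")


if __name__ == "__main__":
    main()
```

Two details matter in practice: a binding may carry no subjects key at all (the orphaned entry), so every loop uses .get("subjects", []), and service accounts are reported in the system:serviceaccount:<namespace>:<name> form used elsewhere on this page, so a cluster-admin grant to a build or deploy service account shows up unmistakably.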