This document details how to give a set of users access to a specific set of namespaces within OpenShift. These namespaces are any that do not include the word openshift in their name. The approach we are going to take is to create a Group that has admin access to the namespaces just described. Then we can add whatever user we want to this group.
There are a few basic roles that come pre-created when you install OpenShift. For this, we'll use the local admin role (local means specific to a namespace and not cluster wide). From the docs for admin: "A project manager. If used in a local binding, an admin has rights to view any resource in the project and modify any resource in the project except for quota."
For the following instructions, we will assume that the user jon exists and wants access to the group named superteam. This group will have admin access to all namespaces that do not have the word openshift in their name.
- Create a group with user (replace superteam and jon with your info)
oc adm groups new superteam jon
- Verify
oc get groups
- Add role to group for all desired namespaces (replace superteam with your group name)
for i in $(oc get projects --output custom-columns=PROJECT:.metadata.name --no-headers | grep -v openshift); do
  oc adm policy add-role-to-group admin superteam -n "$i"
done
- Verify (replace superteam with your group name)
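# Prints namespace and role for each binding whose subjects include the group.
# .subjects[]? tolerates bindings with no subjects; the kind check ignores a user that happens to be named superteam.
oc get rolebindings --all-namespaces --output json | jq -r '.items[] | select(any(.subjects[]?; .kind=="Group" and .name=="superteam")) | "\(.metadata.namespace)\t\(.roleRef.name)"'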
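A dry-run planner for the role-binding loop above, added here as an example and not part of the original instructions. It reproduces the `grep -v openshift` substring rule and shows what that rule leaves in scope; the function names, the SKIP/REVIEW/BIND labels, the sample project list, and the choice to flag default and kube-* for review are assumptions of this example.

```shell
#!/bin/sh
# Added example: reads namespace names on stdin and prints what the
# binding loop would do, without calling oc. plan_bindings and the
# SKIP/REVIEW/BIND labels are hypothetical names for this example.
# Real use:
#   oc get projects --output custom-columns=PROJECT:.metadata.name \
#     --no-headers | plan_bindings superteam

plan_bindings() {
    group=$1
    while IFS= read -r ns; do
        [ -n "$ns" ] || continue
        case $ns in
            *openshift*)
                # Same substring rule as `grep -v openshift`: excluded,
                # even when it is a user project with "openshift" in it.
                printf 'SKIP    %s\n' "$ns" ;;
            default|kube-*)
                # No "openshift" in the name, so the loop would bind it.
                # Flagging it for review is this example's assumption.
                printf 'REVIEW  %s\n' "$ns" ;;
            *)
                printf 'BIND    oc adm policy add-role-to-group admin %s -n %s\n' \
                    "$group" "$ns" ;;
        esac
    done
}

# Constructed sample project list (not taken from a real cluster).
sample_projects() {
    cat <<'EOF'
default
kube-system
kube-public
openshift
openshift-monitoring
team-a
my-openshift-demo
payments
EOF
}

sample_projects | plan_bindings superteam
```

Running the planner before the real loop shows exactly which namespaces will receive the admin binding, and which user projects are silently excluded because their name contains openshift.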
After the initial steps above, you will most likely need to do some maintenance work, like updating who is in the group or adding role bindings in more namespaces.
- Add more user(s) to group (replace superteam and user1 and user2 with your info)
oc adm groups add-users superteam user1
# or add multiple users at once
# oc adm groups add-users superteam user1 user2
- Remove user(s) from group (replace superteam and user1 and user2 with your info)
oc adm groups remove-users superteam user1
# or remove multiple users at once
# oc adm groups remove-users superteam user1 user2
- Add more role bindings to group (replace superteam and new_namespace with your info)
oc adm policy add-role-to-group admin superteam -n new_namespace
- Remove role bindings from group (replace superteam and new_namespace with your info)
oc adm policy remove-role-from-group admin superteam -n new_namespace