@jkeam
Created June 22, 2021 23:01
OpenShift group and role binding.

OpenShift Roles

This document details how to give a set of users access to a specific set of namespaces within OpenShift: every namespace whose name does not contain the word openshift. The approach is to create a Group that has admin access to those namespaces, then add whatever users we want to this group.

There are a few basic roles that come pre-created when you install OpenShift. For this, we'll use admin as a local role (local means bound in a specific namespace, not cluster wide). From the OpenShift docs for admin: "A project manager. If used in a local binding, an admin has rights to view any resource in the project and modify any resource in the project except for quota."

For the instructions below, we assume that the user jon exists and should be added to a group named superteam. This group will have admin access to all namespaces whose names do not contain the word openshift.

Steps

  1. Create a group with a user (replace superteam and jon with your info)
     oc adm groups new superteam jon
  2. Verify
     oc get groups
  3. Add the role to the group for all desired namespaces (replace superteam with your group name)
     # loop over every project whose name does not contain "openshift"; quote "$i" so odd names are passed intact
     for i in $(oc get projects --output custom-columns=PROJECT:.metadata.name --no-headers | grep -v openshift); do oc adm policy add-role-to-group admin superteam -n "$i"; done
  4. Verify (replace superteam with your group name)
     # ".subjects[]?" skips role bindings that have no subjects instead of aborting on null
     oc get rolebindings --all-namespaces --output json | jq '.items[] | select(.subjects[]?.name=="superteam") | .roleRef.name'
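The loop in step 3 binds admin in every project that survives `grep -v openshift`, which still includes `default` and the `kube-*` projects on a standard cluster. The following script is an added example (not part of the gist) that computes the target list with a stricter filter and prints the `oc adm policy` commands for review before anything is changed; it assumes project names arrive one per line on stdin, as `oc get projects --output custom-columns=PROJECT:.metadata.name --no-headers` produces, and uses a constructed sample list in place of a live cluster.

```shell
#!/bin/sh
# Added example: build the namespace list for the group binding with a stricter
# filter than "grep -v openshift" and dry-run the oc commands before executing.

# Drop platform namespaces: any name containing "openshift", any name starting
# with "kube-", and "default". The gist's grep drops only the first class.
select_target_projects() {
  grep -v -e 'openshift' -e '^kube-' -e '^default$' || true
}

# Emit (DRY_RUN=1, the default) or run one add-role-to-group command per
# namespace read from stdin. The group name is the first argument.
bind_admin_to_group() {
  group="$1"
  while IFS= read -r ns; do
    [ -n "$ns" ] || continue
    if [ "${DRY_RUN:-1}" = "1" ]; then
      printf 'oc adm policy add-role-to-group admin %s -n %s\n' "$group" "$ns"
    else
      oc adm policy add-role-to-group admin "$group" -n "$ns"
    fi
  done
}

# Constructed sample standing in for the output of "oc get projects ...".
SAMPLE_PROJECTS='default
kube-system
openshift-monitoring
team-a
team-b'

# Review the commands first; rerun with DRY_RUN=0 to apply them against a real cluster.
printf '%s\n' "$SAMPLE_PROJECTS" | select_target_projects | bind_admin_to_group superteam
```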

Maintenance/Updating

After the initial steps above, you will most likely need to do some maintenance work, like updating who is in the group or adding role bindings for more namespaces.

  1. Add more user(s) to the group (replace superteam, user1 and user2 with your info)
     oc adm groups add-users superteam user1

     # or add multiple users at once
     # oc adm groups add-users superteam user1 user2
  2. Remove user(s) from the group (replace superteam, user1 and user2 with your info)
     oc adm groups remove-users superteam user1

     # or remove multiple users at once
     # oc adm groups remove-users superteam user1 user2
  3. Add a role binding for the group in another namespace (replace superteam and new_namespace with your info)
     oc adm policy add-role-to-group admin superteam -n new_namespace
  4. Remove the group's role binding from a namespace (replace superteam and new_namespace with your info)
     oc adm policy remove-role-from-group admin superteam -n new_namespace