This is a cache of https://docs.openshift.com/container-platform/4.8/authentication/impersonating-system-admin.html. It is a snapshot of the page at 2024-11-22T20:10:33.685+0000.
Impersonating the system:admin <strong>user</strong> | Authentication and authorization | OpenShift Container Platform 4.8
×

API impersonation

You can configure a request to the OpenShift Container Platform API to act as though it originated from another user. For more information, see user impersonation in the Kubernetes documentation.

Impersonating the system:admin user

You can grant a user permission to impersonate system:admin, which grants them cluster administrator permissions.

Procedure
  • To grant a user permission to impersonate system:admin, run the following command:

    $ oc create clusterrolebinding <any_valid_name> --clusterrole=sudoer --user=<username>

    You can alternatively apply the following YAML to grant permission to impersonate system:admin:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: <any_valid_name>
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: sudoer
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: user
      name: <username>

Impersonating the system:admin group

When a system:admin user is granted cluster administration permissions through a group, you must include the --as=<user> --as-group=<group1> --as-group=<group2> parameters in the command to impersonate the associated groups.

Procedure
  • To grant a user permission to impersonate a system:admin by impersonating the associated cluster administration groups, run the following command:

    $ oc create clusterrolebinding <any_valid_name> --clusterrole=sudoer --as=<user> \
    --as-group=<group1> --as-group=<group2>