$ oc login <your_instance_url>
As an administrator of an OpenShift Dedicated cluster, your account has additional
permissions and access to all user-created projects in your organization’s
cluster. While logged in to an account with this role, the basic
developer cli (the oc
command) allows you increased visibility and management capabilities over
objects across projects.
While your account does have these increased permissions, the actual cluster maintenance and host configuration is still performed by the OpenShift Operations Team. If you would like to request a change to your cluster that you cannot perform using the administrator cli, open a support case on the Red Hat Customer Portal. |
The oc
cli used for both normal developer operations and administrator
operations is available for download from the Command Line Tools page in the
web console. See
Get
Started with the cli for more detailed installation steps.
You can log in as an OpenShift Dedicated cluster administration via the web console or cli, just as you would if you were an application developer.
When you log in to the web console, all user-created projects across the cluster are visible from the main Projects page.
Use the standard oc login
command to log in with the cli:
$ oc login <your_instance_url>
All projects are visible using:
$ oc get projects
When your account has the dedicated-cluster-admin cluster role bound to it, you are automatically bound to the dedicated-project-admin for any new projects that are created by users in the cluster.
To verify if your account has administrator privileges, run the following command against a user-created project to view its default role bindings. If you are a cluster administrator, you will see your account listed under subjects for the dedicated-project-admin role binding for the project:
$ oc describe rolebinding.rbac -n <project_name> Name: admin Labels: <none> Annotations: <none> Role: Kind: ClusterRole Name: admin Subjects: Kind Name Namespace ---- ---- --------- User fred@example.com (1) Name: dedicated-project-admin Labels: <none> Annotations: <none> Role: Kind: ClusterRole Name: dedicated-project-admin Subjects: Kind Name Namespace ---- ---- --------- User alice@example.com (2) User bob@example.com (2) ...
1 | The fred@example.com user is a normal, project-scoped administrator for this project. |
2 | The alice@example.com and bob@example.com users are cluster administrators. |
To view details on your increased permissions, and the sets of verbs and resources associated with the dedicated-cluster-admin and dedicated-project-admin roles, run the following:
$ oc describe clusterrole.rbac dedicated-cluster-admin $ oc describe clusterrole.rbac dedicated-project-admin
Administrator roles are managed using a dedicated-admins
group on the cluster.
Existing members of this group can edit membership. To view a list of current
dedicated administrators by user name, you can use the following command:
$ oc describe group dedicated-admins
To add a new member to the dedicated-admins
group:
$ oc adm groups add-users dedicated-admins <user_name>
To remove an existing user from the dedicated-admins
group:
$ oc adm groups remove-users dedicated-admins <user_name>
If this group is currently empty or if you need assistance editing group membership, open a support case on the Red Hat Customer Portal.
Users with a dedicated-reader role are granted edit and view access to the dedicated-reader project and view-only access to the other projects.
To view a list of current dedicated readers by user name, you can use the following command:
$ oc describe group dedicated-readers
To add a new member to the dedicated-readers
group, if you have
dedicated-admin
access:
$ oc adm groups add-users dedicated-readers <user_name>
To remove an existing user from the dedicated-readers
group, if you have
dedicated-admin
access:
$ oc adm groups remove-users dedicated-readers <user_name>
To grant permissions to other users or groups, you can add, or bind, a role to them using the following commands:
$ oc adm policy add-role-to-user <role> <user_name> $ oc adm policy add-role-to-group <role> <group_name>
See Managing RBAC for more details on these and related authorization tasks.
You can create a service account to be able to run applications like Jenkins that make calls back to OpenShift Dedicated.
See the Developer Guide for basic service account management tasks, which as a cluster administrator you can perform in any user-created project, and see Configuring Service Accounts for more advanced, cluster-wide settings.
OpenShift Dedicated provides a cluster administrator console tailored toward application development and cluster administrator personas.
Users have a choice of experience based on their role or technical abilities, including:
An administrator with Containers as a Service (CaaS) experience and with heavy exposure to Kubernetes.
An application developer with Platform as a Service (PaaS) experience and standard OpenShift Dedicated UX.
Sessions are not shared across the consoles, but credentials are.
dedicated-admins
have the additional capability of accessing the Prometheus, Grafana, and Alertmanager
dashboards. The Prometheus dashboard can be used to query cluster-wide
metrics. The Grafana dashboard provides predefined graphs of many Prometheus
metrics. The Alertmanager dashboard tracks alerting
of predefined rules
across the cluster.
While |
As an administrator, you are able to view, create, and modify quotas and limit ranges on other projects. This allows you to better constrain how compute resources and objects are consumed by users across the cluster.
Defaults can be set for quotas and limit ranges for new projects at creation. To request such a change, open a support case on the Red Hat Customer Portal.
Further explore the Cluster Administration guide for more reference information on what’s possible with your role and what other cluster settings can be configured for you by the OpenShift Operations Team.