$ oc describe clusterrolebinding.rbac
Azure Red Hat OpenShift 3.11 will be retired 30 June 2022. Support for creation of new Azure Red Hat OpenShift 3.11 clusters continues through 30 November 2020. Following retirement, remaining Azure Red Hat OpenShift 3.11 clusters will be shut down to prevent security vulnerabilities.
Follow this guide to create an Azure Red Hat OpenShift 4 cluster. If you have specific questions, please contact us
You can use the CLI to view RBAC resources and the administrator CLI to manage the roles and bindings.
Customer cluster administrators can view but not manage cluster roles. They can manage cluster role bindings and manage local roles and bindings.
Roles can be used to grant
various levels of access both
cluster-wide
as well as at the
project-scope.
users
and groups can be associated with, or bound to, multiple roles at the same
time. You can view details about the roles and their bindings using the oc
describe
command.
users with the customer-admin-cluster role can view but not manage cluster roles. They can manage cluster role bindings and manage local roles and bindings. users with the admin default cluster role bound locally can manage roles and bindings in that project.
Review a full list of verbs in the Evaluating Authorization section. |
To view the current set of cluster role bindings, which show the users and groups that are bound to various roles:
$ oc describe clusterrolebinding.rbac
All of the default cluster roles can be bound locally to users or groups.
The local role bindings are also viewable.
To view the current set of local role bindings, which show the users and groups that are bound to various roles:
$ oc describe rolebinding.rbac
By default, the current project is used when viewing local role bindings.
Alternatively, a project can be specified with the -n
flag. This is useful for
viewing the local role bindings of another project, if the user already has the
admin
default
cluster role in it.
$ oc describe rolebinding.rbac -n joe-project
Name: admin
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: admin
Subjects:
Kind Name Namespace
---- ---- ---------
user joe
Name: system:deployers
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: system:deployer
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount deployer joe-project
Name: system:image-builders
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: system:image-builder
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount builder joe-project
Name: system:image-pullers
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: system:image-puller
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:serviceaccounts:joe-project
Adding, or binding, a
role to
users
or groups gives the user or group the relevant access granted by the role. You
can add and remove roles to and from users and groups using oc adm policy
commands.
When managing a user or group’s associated roles for local role bindings using the
following operations, a project may be specified with the -n
flag. If it is
not specified, then the current project is used.
Command | Description |
---|---|
|
Indicates which users can perform an action on a resource. |
|
Binds a given role to specified users in the current project. |
|
Removes a given role from specified users in the current project. |
|
Removes specified users and all of their roles in the current project. |
|
Binds a given role to specified groups in the current project. |
|
Removes a given role from specified groups in the current project. |
|
Removes specified groups and all of their roles in the current project. |
|
Can be used with |
For example, you can add the admin role to the alice user in joe-project by running:
$ oc adm policy add-role-to-user admin alice -n joe-project
You can then view the local role bindings and verify the addition in the output:
$ oc describe rolebinding.rbac -n joe-project
Name: admin
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: admin
Subjects:
Kind Name Namespace
---- ---- ---------
user joe
Name: admin-0 (1)
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: admin
Subjects:
Kind Name Namespace
---- ---- ---------
user alice (2)
Name: system:deployers
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: system:deployer
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount deployer joe-project
Name: system:image-builders
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: system:image-builder
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount builder joe-project
Name: system:image-pullers
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: system:image-puller
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:serviceaccounts:joe-project
1 | A new role binding is created with a default name, incremented as necessary. To specify an existing role binding to modify, use the --rolebinding-name option when adding the role to the user. |
2 | The user alice is added. |