Managing Role-based Access Control (RBAC)

    You are viewing documentation for a release that is no longer supported. The latest supported version of version 3 is [3.11]. For the most recent version 4, see

    You can use the CLI to view and the administrator CLI to manage the roles and bindings.

    Viewing roles and bindings

    Roles can be used to grant various levels of access both as well as at the project-scope. can be associated with, or bound to, multiple roles at the same time. You can view details about the roles and their bindings using the command.

    Users with the cluster-admin default cluster role bound cluster-wide can perform any action on any resource. Users with the bound locally can manage roles and bindings in that project.

    To view the cluster roles and their associated rule sets:

    To view the current set of cluster role bindings, which show the users and groups that are bound to various roles:

    1. $ oc describe clusterrolebinding.rbac
    2. Name:        admin
    3. Labels:        <none>
    4. Annotations:    rbac.authorization.kubernetes.io/autoupdate=true
    5. Role:
    6.   Kind:    ClusterRole
    7.   Name:    admin
    8. Subjects:
    9.   Kind            Name                Namespace
    10.   ----            ----                ---------
    11.   ServiceAccount    template-instance-controller    openshift-infra
    14. Name:        basic-users
    15. Labels:        <none>
    16. Annotations:    rbac.authorization.kubernetes.io/autoupdate=true
    17. Role:
    18.   Kind:    ClusterRole
    19.   Name:    basic-user
    20. Subjects:
    21.   Kind    Name            Namespace
    22.   ----    ----            ---------
    23.   Group    system:authenticated
    26. Name:        cluster-admin
    27. Labels:        kubernetes.io/bootstrapping=rbac-defaults
    28. Annotations:    rbac.authorization.kubernetes.io/autoupdate=true
    29. Role:
    30.   Kind:    ClusterRole
    31.   Name:    cluster-admin
    32. Subjects:
    33.   Kind            Name        Namespace
    34.   ----            ----        ---------
    35.   ServiceAccount    pvinstaller    default
    36.   Group            system:masters
    39. Name:        cluster-admins
    40. Labels:        <none>
    41. Annotations:    rbac.authorization.kubernetes.io/autoupdate=true
    42. Role:
    43.   Kind:    ClusterRole
    44.   Name:    cluster-admin
    45. Subjects:
    46.   Kind    Name            Namespace
    47.   ----    ----            ---------
    48.   Group    system:cluster-admins
    49.   User    system:admin
    52. Name:        cluster-readers
    53. Labels:        <none>
    54. Annotations:    rbac.authorization.kubernetes.io/autoupdate=true
    55. Role:
    56.   Kind:    ClusterRole
    57.   Name:    cluster-reader
    58. Subjects:
    59.   Kind    Name            Namespace
    60.   ----    ----            ---------
    61.   Group    system:cluster-readers
    64. Name:        cluster-status-binding
    65. Labels:        <none>
    66. Annotations:    rbac.authorization.kubernetes.io/autoupdate=true
    67. Role:
    68.   Kind:    ClusterRole
    69.   Name:    cluster-status
    70. Subjects:
    71.   Kind    Name            Namespace
    72.   ----    ----            ---------
    73.   Group    system:authenticated
    74.   Group    system:unauthenticated
    77. Name:        registry-registry-role
    78. Labels:        <none>
    79. Annotations:    <none>
    80. Role:
    81.   Kind:    ClusterRole
    82.   Name:    system:registry
    83. Subjects:
    84.   ----            ----        ---------
    85.   ServiceAccount    registry    default
    88. Name:        router-router-role
    89. Labels:        <none>
    90. Annotations:    <none>
    91. Role:
    92.   Kind:    ClusterRole
    93.   Name:    system:router
    94. Subjects:
    95.   Kind            Name    Namespace
    96.   ----            ----    ---------
    100. Name:        self-access-reviewers
    101. Labels:        <none>
    102. Annotations:    rbac.authorization.kubernetes.io/autoupdate=true
    103. Role:
    104.   Kind:    ClusterRole
    105.   Name:    self-access-reviewer
    106. Subjects:
    107.   Kind    Name            Namespace
    108.   ----    ----            ---------
    109.   Group    system:authenticated
    110.   Group    system:unauthenticated
    113. Name:        self-provisioners
    114. Labels:        <none>
    115. Annotations:    rbac.authorization.kubernetes.io/autoupdate=true
    116. Role:
    117.   Kind:    ClusterRole
    118.   Name:    self-provisioner
    119. Subjects:
    120.   Kind    Name                Namespace
    121.   ----    ----                ---------
    122.   Group    system:authenticated:oauth
    125. Name:        system:basic-user
    126. Labels:        kubernetes.io/bootstrapping=rbac-defaults
    127. Annotations:    rbac.authorization.kubernetes.io/autoupdate=true
    128. Role:
    129.   Kind:    ClusterRole
    130.   Name:    system:basic-user
    131. Subjects:
    132.   Kind    Name            Namespace
    133.   ----    ----            ---------
    134.   Group    system:authenticated
    135.   Group    system:unauthenticated
    138. Name:        system:build-strategy-docker-binding
    139. Labels:        <none>
    140. Annotations:    rbac.authorization.kubernetes.io/autoupdate=true
    141. Role:
    142.   Kind:    ClusterRole
    143.   Name:    system:build-strategy-docker
    144. Subjects:
    145.   Kind    Name            Namespace
    146.   ----    ----            ---------
    147.   Group    system:authenticated
    150. Name:        system:build-strategy-jenkinspipeline-binding
    151. Labels:        <none>
    152. Annotations:    rbac.authorization.kubernetes.io/autoupdate=true
    153. Role:
    154.   Kind:    ClusterRole
    155.   Name:    system:build-strategy-jenkinspipeline
    156. Subjects:
    157.   Kind    Name            Namespace
    158.   ----    ----            ---------
    159.   Group    system:authenticated
    162. Name:        system:build-strategy-source-binding
    163. Labels:        <none>
    164. Annotations:    rbac.authorization.kubernetes.io/autoupdate=true
    165. Role:
    166.   Kind:    ClusterRole
    167.   Name:    system:build-strategy-source
    168. Subjects:
    169.   Kind    Name            Namespace
    170.   ----    ----            ---------
    171.   Group    system:authenticated
    174. Name:        system:controller:attachdetach-controller
    175. Labels:        kubernetes.io/bootstrapping=rbac-defaults
    176. Annotations:    rbac.authorization.kubernetes.io/autoupdate=true
    177.   Kind:    ClusterRole
    178.   Name:    system:controller:attachdetach-controller
    179. Subjects:
    180.   Kind            Name            Namespace
    181.   ----            ----            ---------
    182.   ServiceAccount    attachdetach-controller    kube-system
    185. Name:        system:controller:certificate-controller
    186. Labels:        kubernetes.io/bootstrapping=rbac-defaults
    187. Annotations:    rbac.authorization.kubernetes.io/autoupdate=true
    188. Role:
    189.   Kind:    ClusterRole
    190.   Name:    system:controller:certificate-controller
    191. Subjects:
    192.   Kind            Name            Namespace
    193.   ----            ----            ---------
    197. Name:        system:controller:cronjob-controller
    198. Labels:        kubernetes.io/bootstrapping=rbac-defaults
    199. Annotations:    rbac.authorization.kubernetes.io/autoupdate=true
    201. ...

    All of the default cluster roles can be bound locally to users or groups.

    can be created.

    The local role bindings are also viewable.

    To view the current set of local role bindings, which show the users and groups that are bound to various roles:

    1. $ oc describe rolebinding.rbac

    By default, the current project is used when viewing local role bindings. Alternatively, a project can be specified with the -n flag. This is useful for viewing the local role bindings of another project, if the user already has the admin default cluster role in it.

    1. $ oc describe rolebinding.rbac -n joe-project
    2. Name:        admin
    3. Labels:        <none>
    4. Annotations:    <none>
    5. Role:
    6.   Kind:    ClusterRole
    7.   Name:    admin
    8. Subjects:
    9.   Kind    Name    Namespace
    10.   ----    ----    ---------
    11.   User    joe
    14. Name:        system:deployers
    15. Labels:        <none>
    16. Annotations:    <none>
    17. Role:
    18.   Kind:    ClusterRole
    19.   Name:    system:deployer
    20. Subjects:
    21.   Kind            Name        Namespace
    22.   ----            ----        ---------
    23.   ServiceAccount    deployer    joe-project
    26. Name:        system:image-builders
    27. Labels:        <none>
    28. Annotations:    <none>
    29. Role:
    30.   Kind:    ClusterRole
    31.   Name:    system:image-builder
    32. Subjects:
    33.   Kind            Name    Namespace
    34.   ----            ----    ---------
    35.   ServiceAccount    builder    joe-project
    38. Name:        system:image-pullers
    39. Labels:        <none>
    40. Annotations:    <none>
    41. Role:
    42.   Kind:    ClusterRole
    43.   Name:    system:image-puller
    44. Subjects:
    45.   Kind    Name                    Namespace
    46.   ----    ----                    ---------
    47.   Group    system:serviceaccounts:joe-project

    Adding, or binding, a to users or groups gives the user or group the relevant access granted by the role. You can add and remove roles to and from users and groups using oc adm policy commands.

    When managing a user or group’s associated roles for local role bindings using the following operations, a project may be specified with the -n flag. If it is not specified, then the current project is used.

    Table 1. Local role binding operations
    CommandDescription

    $ oc adm policy who-can <verb> <resource>

    Indicates which users can perform an action on a resource.

    $ oc adm policy add-role-to-user <role> <username>

    Binds a given role to specified users in the current project.

    $ oc adm policy remove-role-from-user <role> <username>

    Removes a given role from specified users in the current project.

    $ oc adm policy remove-user <username>

    $ oc adm policy add-role-to-group <role> <groupname>

    Binds a given role to specified groups in the current project.

    $ oc adm policy remove-role-from-group <role> <groupname>

    Removes a given role from specified groups in the current project.

    $ oc adm policy remove-group <groupname>

    Removes specified groups and all of their roles in the current project.

    —rolebinding-name=

    Can be used with oc adm policy commands to retain the rolebinding name assigned to a user or group.

    You can also manage cluster role bindings using the following operations. The -n flag is not used for these operations because cluster role bindings use non-namespaced resources.

    For example, you can add the admin role to the alice user in joe-project by running:

    1. $ oc adm policy add-role-to-user admin alice -n joe-project

    You can then view the local role bindings and verify the addition in the output:

    1The alice user has been added to the admins RoleBinding.

    Creating a local role

    1. To create a local role for a project, run the following command:

      1. $ oc create role <name> --verb=<verb> --resource=<resource> -n <project>

      In this command, specify: * <name>, the local role’s name * <verb>, a comma-separated list of the verbs to apply to the role * <resource>, the resources that the role applies to * <project>, the project name

      + For example, to create a local role that allows a user to view pods in the blue project, run the following command:

      +

      1. $ oc create role podview --verb=get --resource=pod -n blue

    2. To bind the new role to a user, run the following command:

    1. $ oc adm policy add-role-to-user podview user2 --role-namespace=blue -n blue

    To create a cluster role, run the following command:

    1. $ oc create clusterrole <name> --verb=<verb> --resource=<resource>

    In this command, specify:

    • <name>, the local role’s name

    • <verb>, a comma-separated list of the verbs to apply to the role

    • <resource>, the resources that the role applies to

    For example, to create a cluster role that allows a user to view pods, run the following command:

    Cluster and local role bindings

    A cluster role binding is a binding that exists at the cluster level. A role binding exists at the project level. The cluster role view must be bound to a user using a local role binding for that user to view the project. Create local roles only if a cluster role does not provide the set of permissions needed for a particular situation.

    Some cluster role names are initially confusing. You can bind the cluster-admin to a user, using a local role binding, making it appear that this user has the privileges of a cluster administrator. This is not the case. Binding the cluster-admin to a certain project is more like a super administrator for that project, granting the permissions of the cluster role admin, plus a few additional permissions like the ability to edit rate limits. This can appear confusing especially via the web console UI, which does not list cluster role bindings that are bound to true cluster administrators. However, it does list local role bindings that you can use to locally bind cluster-admin.

    During a cluster upgrade, and on every restart of any master, the are automatically reconciled to restore any missing permissions.

    If you customized default cluster roles and want to ensure a role reconciliation does not modify them:

    1. Protect each role from reconciliation:

      1. $ oc annotate clusterrole.rbac <role_name> --overwrite rbac.authorization.kubernetes.io/autoupdate=false

    2. Generate a default bootstrap policy template file:

      1. $ oc adm create-bootstrap-policy-file --filename=policy.json

      The contents of the file vary based on the OKD version, but the file contains only the default policies.

    3. Update the policy.json file to include any cluster role customizations.

    4. Use the policy file to automatically reconcile roles and role bindings that are not reconcile protected:

      1. $ oc auth reconcile -f policy.json
      1. # oc adm policy reconcile-sccs \
      2.     --additive-only=true \