You can use the CLI to view RBAC resources and the administrator CLI to manage the roles and bindings.
Roles can be used to grant
various levels of access both
cluster-wide
as well as at the
project-scope.
Users
and groups can be associated with, or bound to, multiple roles at the same
time. You can view details about the roles and their bindings using the oc
describe command.
|
Note
|
Review a full list of verbs in the Evaluating Authorization section. |
To view the current set of cluster role bindings, which show the users and groups that are bound to various roles:
$ oc describe clusterrolebinding.rbac
All of the default cluster roles can be bound locally to users or groups. Custom local roles can be created. The local role bindings are also viewable.
To view the current set of local role bindings, which show the users and groups that are bound to various roles:
$ oc describe rolebinding.rbac
By default, the current project is used when viewing local role bindings.
Alternatively, a project can be specified with the -n flag. This is useful for
viewing the local role bindings of another project, if the user already has the
admin
default
cluster role in it.
$ oc describe rolebinding.rbac -n joe-project Name: admin Labels: <none> Annotations: <none> Role: Kind: ClusterRole Name: admin Subjects: Kind Name Namespace ---- ---- --------- User joe Name: system:deployers Labels: <none> Annotations: <none> Role: Kind: ClusterRole Name: system:deployer Subjects: Kind Name Namespace ---- ---- --------- ServiceAccount deployer joe-project Name: system:image-builders Labels: <none> Annotations: <none> Role: Kind: ClusterRole Name: system:image-builder Subjects: Kind Name Namespace ---- ---- --------- ServiceAccount builder joe-project Name: system:image-pullers Labels: <none> Annotations: <none> Role: Kind: ClusterRole Name: system:image-puller Subjects: Kind Name Namespace ---- ---- --------- Group system:serviceaccounts:joe-project
Adding, or binding, a
role to
users
or groups gives the user or group the relevant access granted by the role. You
can add and remove roles to and from users and groups using oc adm policy
commands.
When managing a user or group’s associated roles for local role bindings using the
following operations, a project may be specified with the -n flag. If it is
not specified, then the current project is used.
| Command | Description |
|---|---|
|
Indicates which users can perform an action on a resource. |
|
Binds a given role to specified users in the current project. |
|
Removes a given role from specified users in the current project. |
|
Removes specified users and all of their roles in the current project. |
|
Binds a given role to specified groups in the current project. |
|
Removes a given role from specified groups in the current project. |
|
Removes specified groups and all of their roles in the current project. |
For example, you can add the admin role to the alice user in joe-project by running:
$ oc adm policy add-role-to-user admin alice -n joe-project
You can then view the local role bindings and verify the addition in the output:
$ oc describe rolebinding.rbac -n joe-project Name: admin Labels: <none> Annotations: <none> Role: Kind: ClusterRole Name: admin Subjects: Kind Name Namespace ---- ---- --------- User joe User alice (1) Name: system:deployers Labels: <none> Annotations: <none> Role: Kind: ClusterRole Name: system:deployer Subjects: Kind Name Namespace ---- ---- --------- ServiceAccount deployer joe-project Name: system:image-builders Labels: <none> Annotations: <none> Role: Kind: ClusterRole Name: system:image-builder Subjects: Kind Name Namespace ---- ---- --------- ServiceAccount builder joe-project Name: system:image-pullers Labels: <none> Annotations: <none> Role: Kind: ClusterRole Name: system:image-puller Subjects: Kind Name Namespace ---- ---- --------- Group system:serviceaccounts:joe-project
-
The alice user has been added to the admins
RoleBinding.