mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
// Module included in the following assemblies:
//
// * authentication/using-rbac.adoc
// * post_installation_configuration/preparing-for-users.adoc

:_mod-docs-content-type: PROCEDURE
[id="adding-roles_{context}"]
= Adding roles to users

You can use the `oc adm` administrator CLI to manage the roles and bindings.

Binding, or adding, a role to users or groups gives the user or group the access
that is granted by the role. You can add and remove roles to and from users and
groups using `oc adm policy` commands.

You can bind any of the default cluster roles to local users or groups in your
project.

.Procedure

. Add a role to a user in a specific project:
+
[source,terminal]
----
$ oc adm policy add-role-to-user <role> <user> -n <project>
----
+
For example, you can add the `admin` role to the `alice` user in the `joe` project
by running:
+
[source,terminal]
----
$ oc adm policy add-role-to-user admin alice -n joe
----
+
[TIP]
====
You can alternatively apply the following YAML to add the role to the user:

[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: admin-0
  namespace: joe
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: alice
----
====

. View the local role bindings and verify the addition in the output:
+
[source,terminal]
----
$ oc describe rolebinding.rbac -n <project>
----
+
For example, to view the local role bindings for the `joe` project:
+
[source,terminal]
----
$ oc describe rolebinding.rbac -n joe
----
+
.Example output
[source,terminal]
----

Name:         admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name        Namespace
  ----  ----        ---------
  User  kube:admin


Name:         admin-0
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  alice <1>


Name:         system:deployers
Labels:       <none>
Annotations:  openshift.io/description:
                Allows deploymentconfigs in this namespace to rollout pods in
                this namespace. It is auto-managed by a controller; remove
                subjects to disa...
Role:
  Kind:  ClusterRole
  Name:  system:deployer
Subjects:
  Kind            Name      Namespace
  ----            ----      ---------
  ServiceAccount  deployer  joe


Name:         system:image-builders
Labels:       <none>
Annotations:  openshift.io/description:
                Allows builds in this namespace to push images to this
                namespace. It is auto-managed by a controller; remove subjects
                to disable.
Role:
  Kind:  ClusterRole
  Name:  system:image-builder
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  builder  joe


Name:         system:image-pullers
Labels:       <none>
Annotations:  openshift.io/description:
                Allows all pods in this namespace to pull images from this
                namespace. It is auto-managed by a controller; remove subjects
                to disable.
Role:
  Kind:  ClusterRole
  Name:  system:image-puller
Subjects:
  Kind   Name                        Namespace
  ----   ----                        ---------
  Group  system:serviceaccounts:joe
----
<1> The `alice` user has been added to the `admins` `RoleBinding`.
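
The verification step above can also be run against the JSON form of the same listing, which makes it possible to confirm a grant in a script and to see everyone who holds a role in the project. The following is an added example, not part of the OpenShift documentation; it assumes the input comes from `oc get rolebinding -n <project> -o json`, and the function names and the embedded sample data are constructed for illustration.

```python
import json

# Constructed sample shaped like `oc get rolebinding -n joe -o json` output,
# trimmed to the fields read below. The first three items mirror the example
# output above; "empty-binding" is invented to exercise a missing subjects list.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "admin"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "User", "name": "kube:admin"}]},
    {"metadata": {"name": "admin-0"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"metadata": {"name": "system:deployers"},
     "roleRef": {"kind": "ClusterRole", "name": "system:deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "joe"}]},
    {"metadata": {"name": "empty-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "view"}},
]})


def grants(doc):
    """Yield (subject kind, subject name, role kind/name, binding name) per grant."""
    for rb in json.loads(doc).get("items", []):
        role = "{kind}/{name}".format(**rb["roleRef"])
        # `subjects` is optional, so a missing or null list means no grants.
        for s in rb.get("subjects") or []:
            yield s.get("kind"), s.get("name"), role, rb["metadata"]["name"]


def subjects_with_role(doc, role, role_kind="ClusterRole"):
    """List every (kind, name, binding) that holds the role in the project."""
    want = f"{role_kind}/{role}"
    return sorted((k, n, b) for k, n, r, b in grants(doc) if r == want)


def verify_grant(doc, user, role, role_kind="ClusterRole"):
    """Confirm the user holds the role; report other roles the user also holds."""
    want = f"{role_kind}/{role}"
    held = sorted((r, b) for k, n, r, b in grants(doc) if (k, n) == ("User", user))
    return {"granted": any(r == want for r, _ in held),
            "bindings": [b for r, b in held if r == want],
            "other_roles": sorted({r for r, _ in held if r != want})}


if __name__ == "__main__":
    print(verify_grant(SAMPLE, "alice", "admin"))
    print(subjects_with_role(SAMPLE, "admin"))
```

Reviewing the `subjects_with_role` result for `admin` after each change shows whether the project has accumulated more administrators than intended.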